Info Gathering for Next-Gen NFTs

These insightful Moxie Marlinspike comments on quote-unquote web3 are helpful for gathering product requirements for a next-generation vision of NFTs:

Instead of storing the data on-chain, NFTs instead contain a URL that points to the data. What surprised me about the standards was that there’s no hash commitment for the data located at the URL. Looking at many of the NFTs on popular marketplaces being sold for tens, hundreds, or millions of dollars, that URL often just points to some VPS running Apache somewhere. Anyone with access to that machine, anyone who buys that domain name in the future, or anyone who compromises that machine can change the image, title, description, etc for the NFT to whatever they’d like at any time (regardless of whether or not they “own” the token). There’s nothing in the NFT spec that tells you what the image “should” be, or even allows you to confirm whether something is the “correct” image.

All this means that if your NFT is removed from OpenSea, it also disappears from your wallet. It doesn’t functionally matter that my NFT is indelibly on the blockchain somewhere, because the wallet (and increasingly everything else in the ecosystem) is just using the OpenSea API to display NFTs, which began returning 304 No Content for the query of NFTs owned by my address!

royalties aren’t specified in ERC-721, and it’s too late to change it, so OpenSea has its own way of configuring royalties that exists in web2 space.

Turning these into requirements:

  1. There should be non-transient addressing for the asset. The next-generation vision of NFTs principle addresses this as a goal, but needs tuning to actually carry it off.
  2. The blockchain community must not accept OpenSea's version of your wallet as your wallet. Truly decentralized approaches are absolutely possible, using shared code and standardized protocols rather than centralized monolith APIs.
  3. Open source libraries and protocols must be extended to cover OpenSea's proprietary features, including royalties.
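
Requirement 1 and the missing hash commitment from the first quoted comment can be made concrete. The following is an added example, not code from this post or from any NFT standard: the token record commits to the metadata bytes, and the metadata commits to the image bytes, so a client can tell when the server behind the URL starts returning something else. The record layout, the `image_commitment` field, the function names and the `nft.example` URLs are assumptions made for illustration.

```python
import hashlib
import json

def commit(data: bytes) -> str:
    """Hash commitment for a blob: algorithm tag plus hex digest."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def mint(token_id: int, uri: str, metadata: bytes) -> dict:
    """Hypothetical token record: the URL plus a commitment to the bytes it must serve."""
    return {"token_id": token_id, "uri": uri, "commitment": commit(metadata)}

def verify(record: dict, fetch) -> list:
    """Check metadata against the token's commitment, then the image against
    the commitment inside the verified metadata. Returns [(uri, ok), ...]."""
    meta_bytes = fetch(record["uri"])
    ok = commit(meta_bytes) == record["commitment"]
    results = [(record["uri"], ok)]
    if not ok:
        return results  # never read fields from metadata that failed its check
    meta = json.loads(meta_bytes)
    image_ok = commit(fetch(meta["image"])) == meta["image_commitment"]
    results.append((meta["image"], image_ok))
    return results

# Constructed sample data: a dict stands in for the web server behind the URLs.
IMAGE_URL = "https://nft.example/1.png"
META_URL = "https://nft.example/1.json"
ORIGINAL_IMAGE = b"\x89PNG constructed original image bytes"
METADATA = json.dumps({"name": "Example #1", "image": IMAGE_URL,
                       "image_commitment": commit(ORIGINAL_IMAGE)},
                      sort_keys=True).encode()

def demo() -> dict:
    host = {META_URL: METADATA, IMAGE_URL: ORIGINAL_IMAGE}
    record = mint(1, META_URL, METADATA)
    out = {"untouched": verify(record, host.__getitem__)}
    host[IMAGE_URL] = b"\x89PNG different image, same URL"  # server content changes
    out["image_swapped"] = verify(record, host.__getitem__)
    host[META_URL] = METADATA.replace(b"Example #1", b"Renamed")  # title edited too
    out["metadata_edited"] = verify(record, host.__getitem__)
    return out

if __name__ == "__main__":
    for case, results in demo().items():
        print(case, results)
```

The commitment only detects substitution; keeping the original bytes retrievable is a separate availability problem that the addressing scheme still has to solve.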


More from Lucas Gonze