NFT Weekly Recap - Two Caveats with the Design of ERC-721
ERC-721 is a standard. It defines a set of coding rules for recording information about non-fungible tokens on the Ethereum blockchain. Although ERC-721 is not mandatory, it is widely accepted as the default for NFT projects.
ERC-721's full name is Ethereum Request for Comment-721. ERC-721 was the 721st Ethereum Improvement Proposal (EIP-721). After an EIP is reviewed and finalized, it becomes an ERC.
EIP-721 was first introduced in September 2017 by Dieter Shirley. Later Shirley co-developed CryptoKitties, which took the Ethereum community by storm, based on a draft version of EIP-721. EIP-721 was formally submmited on January 24, 2018 by William Entriken, Dieter Shirley, Jacob Evans, and Nastassia Sachs. On June 21, 2018, EIP-721 was accepted as final and became ERC-721.
ERC-721 specifies two identifiers for any NFT, contract address and token ID. Together, they make NFTs unique. For example, there is only one Bored Ape Yacht Club (contract) #3749 (ID).
While ERC-721 standarizes many things, it spawns two issues as a result of its design, regarding ownership and metadata, respectively.
ERC-721 registers ownership within the NFT smart contract. The NFTs you buy do not appear under your name. Instead, your name appears under them. In other words, the NFTs do not belong to you. On the contrary, you belong to the NFTs.
When an NFT is minted (created), a series of information is registered on the Ethereum blockchain under the name of the ERC-721 contract, including contract address, token ID, owner address, etc. If an NFT is transferred from one address to another, the NFT does not move from one wallet to another. Only the owner address is updated in the ERC-721 contract.
This means that the non-fungible token balance of a particular address is stored inside various ERC-721 contracts. If I want to find out how many Bored Apes you own, I need to go through the 10,000 Bored Apes and verify if the owner address matches yours for each ape. If I want to check your Azukis as well, I need to repeat the same process for the Azuki contract. ERC-20 contracts use the same mechanism. This is why you have to manually add the contract address of the shitcoin you buy in your wallet, so that Metamask can go to that contract and obtain your balance for that particular token.
If the above is too abstract for you, let's consider a simple example. Suppose you are buying groceries in a supermarket. You put your apples, eggs, and steaks in your shopping cart. Then you proceed to check out and leave with a bag of all the stuff you buy. If your friends waiting outside the supermarket want to know what you bought, they simply go through the shopping bag. That's the normal way.
In the blockchain world, you go around and buy stuff by putting your name on them. If you buy an apple, you write your name on it and move on. You do not take the apple with you as you leave. If your friends want to find out what you bought, they need to go inside, browse through each and every item on the shelves, and check if your name is on it. The apple does not belong to you, rather, you belong to your apple, remember?
If we want to find out the NFT balance of a particular address, we need to go through every ERC-721 contract that ever exists and record whenever that address shows up in the owner address column. This is not realistic for a wallet application like MetaMask. Therefore, MetaMask relies on centralized data providers for such information.
Right now, MetaMask shows your NFTs by making an API call to OpenSea (in the same vein, MetaMask shows your ERC-20 balance by making an API call to Infura). If OpenSea removes a certain NFT from its site, it also deletes it from its API. As a result, that NFT would disappear from your MetaMask wallet, even though the NFT's contract would still show that your address is the owner. To some extent, OpenSea dictates who owns what through the API they provide. Although the information stored on the blockchain cannot be altered, it may be twisted when they are retrieved and presented. Ironically, blockchain is built to eliminate third-party risks. But, for purposes of speed and user-friendliness, centralized third-parties still play an instrumental role in the ways people interact with the blockchain. This is unlikely to change in the foreseeable future.
ERC-721's design prevents non-custodial wallets from properly displaying all the NFTs that a person owns. But it is what it is. It is why it takes hours for some NFTs to show up in your wallet. Next time when an NFT disappears from your wallet, don't panic. You probably haven't lost it. It is OpenSea which decides you should not own it.
ERC-721 allows NFT metadata to be stored off-chain and to be mutable. The risk is two-fold. First, off-chain storage facilities could become inaccessible. Second, the metadata can be changed without owner's permission.
ERC-721 does not mandate the exact ways JSON files should look like. Most NFT projects use the format recommended by OpenSea. Below is a sample of what the JSON file looks like for the sample NFT above.
Even the JSON file is too big to be stored on the blockchain. In practice, NFTs store only a link that points to the JSON file.
Therefore, to upload an image of an NFT, one needs to go through four steps:
- Upload the image online and generate a link.
- Create a JSON file containing that link as well as other relevant information.
- Upload the JSON file and generate another link.
- Point the NFT to the second link through URIs.
ERC-721 allows a mechanism to associate NFTs with URIs, and the URI is mutable. That is, it can be changed when necessary. Therefore, your laser-eyed golden ape could turn into a random picture or nothing at any time, because Yuga Labs' storage servers are broken, or because Yuga Labs intentionally change it. There’s nothing in the ERC-721 standard that specifies what the image should look like or allows the owner to confirm whether something is the correct image.
IPFS, where most NFT projects store their images, uses content based addressing. The address of a file is directly related to the content of the file. If the content is changed, the address of the file will also change. OpenSea offers a feature to freeze NFT metadata, so that the address link for a particular NFT will always be the same. But the combination of the two hardly provides any relief. If an NFT project alters the jpegs uploaded to IPFS, the NFT would simply display a not-found error instead of the altered image. What's the purpose of holding that NFT if it shows up as nothing?
If the metadata is not frozen, as in the case for most NFT projects, the ERC-721 smart contract owner could potentially modify the metadata section of the contract, and there's nothing the owner could do about it.
When the market is more active again, we will return to covering trading data and current events. In the meantime, I hope this article helps you understand the nuances behind ERC-721 better.
When you buy an NFT, you are only inserting your name into a particular row on the Ethereum ledger. It is very difficult to access that row without relying on centralized service providers. Moreover, other information stored on that row may be changed without your consent. Your NFT is not as eternal as it seems.