No, your NFT is not on the blockchain

Feb 7, 2022  ·  21 min read

No, your NFT is not on the blockchain.

Or at least, probably not how you think it is.

There’s a fundamental problem with NFTs that can make some of them potentially worthless. And it’s a big problem. Something that makes many NFTs likely to change their appearance, add ads or just stop existing at any moment, without prior notice and certainly without your permission, no matter if you own them and no matter how much you paid for them.

By the end of this post you will be able to spot which NFTs have this problem and which don’t. You’ll know how to test them, and what the real consequences of this issue are. You’ll have a better understanding of how NFTs really work, and you’ll hopefully be knowledgeable enough to form your own opinion on whether they’re really a legit technology with chances of making it big in the future or not.

Before you go into NFTs, read this.

How people think NFTs work

If I asked you to define what an NFT is, you’d probably say something along the lines of:

  • It’s something that allows you to own digital assets, like digital art
  • It’s on the blockchain: this means it’s stored securely and permanently, and no one can ever change it

What you’ve probably been told is that NFTs are the digital version of owning a physical painting.

NFTs represent ownership over a unique digital asset. This means you do own the original itself, a piece verifiably signed by the author, and not just a random copy. A true technical revolution that allows people to truly own digital art for the first time, empowering digital artists of all sorts.

And if you’ve scratched the surface a little bit, you’ll know this is nothing like “purchasing a JPG” or just “right clicking and saving the image”, because with NFTs you actually own the very original JPG itself. There can be copies, but none will be like the authentic, signed original.

Whoever told you about NFTs likely also made the analogy that it’s one thing to own a replica or print of the Mona Lisa, but it’s a completely different thing to own the original Mona Lisa signed by da Vinci himself.

With all this information, you’re probably assuming that when you buy an NFT of an image, what you actually own is the piece of art itself, the image – and since it’s on the blockchain it’s permanently locked, so no one can take it away from you and it’s essentially yours forever (or until you decide to sell it).

All of this is technically true.

Except it’s not.

How NFTs actually work

Before we get into the meat of this: I’ve made LooksMutable.com, a site that allows you to analyze any NFT or any wallet for free. Everything is explained visually and in easy terms, go check it out. What follows are my key takeaways and more in-depth explanations I learned while building it.

I’ve been tinkering a lot with NFTs lately, and I discovered something shocking. Something most people in the NFT space don’t seem to be widely aware of yet.

Many NFTs store their data (image, title, etc.) on regular, traditional servers rather than on the blockchain, making these NFTs fully editable at any point, which pretty much defeats the whole purpose of NFTs.

This means NFTs often don’t have their images tied to them. The NFT is one thing, and the image is often stored elsewhere. When you own an NFT, more often than not you don’t have any ownership over the image.

NFTs are just links to somewhere

Let’s make this pristinely clear: you may own the NFT, but the NFT is not the image. The image is often not contained in the NFT. Do you own the NFT? Yes. Do you own the associated image? Probably not.

The image, in fact, is often just a link to a random website, think something like a Google Drive folder. This is crazy, because that link is something that’s out of your control and that’s not going to last forever. Imagine the URL expires, or imagine Google decides to take it down – the NFT would in essence be gone, forever.

How is this possible? Wasn’t everything stored and locked permanently on the blockchain?

No.

Let’s break this down into the two different pieces they are: the NFT and the image.

The NFT is just a “container”. It’s a “certificate of ownership” that, in the most literal sense, only says this:

Person X owns the item number 123.

The item number 123 can be found here: __________

And that blank is just a link to where the image is actually stored.

The image itself is almost never stored on the blockchain. It would simply be too expensive to do so.

At the current ETH price of ~$3k, storing a 1Mb image would cost north of $100k. It’s simply not feasible.

All NFTs live on the blockchain, that’s true. But the content does not, in the majority of cases at least. Most NFTs rely on a link that points somewhere else.

When you’re purchasing NFTs, what you’re purchasing is actually very expensive links.

An NFT, in the most literal sense, is just this: a certificate that links to a URL. You own the certificate itself, but you may not own the URL.

Now, there’s a caveat.

As I said, this is not what happens 100% of the time.

There are two options:

  1. The NFT link points to a random website (bad).
  2. The NFT link actually points to the “blockchain” itself, making the NFT immutable (good).

Option 1 – The NFT link points to a random website (bad)

Say you purchase a cool NFT for a big amount like $100k. A ton of money. You’re really proud of it and you make it your profile picture. But the NFT itself has the artwork stored on a random website: let’s suppose that website is called something like mysupercoolnft.com

You don’t own mysupercoolnft.com. You don’t own anything contained in mysupercoolnft.com. You don’t know who owns mysupercoolnft.com. This website is, for all intents and purposes, alien to you.

Their owners can edit it at any moment, just as I can edit this website. And you can’t do anything to control it, because it just doesn’t belong to you. Not even if you own an NFT linked to it. It’s simply out of your reach.

Or what’s even more likely: the website can crash, someone might censor it or take it down, or the owners might stop paying for the server costs, and then the NFT will be gone forever, without your permission and no matter what you paid for it.

We call these types of websites centralized, because one single individual or group of individuals owns them, and thus whoever owns them can change them or take them down, either entirely or partially.

This is something we’re seeing right now with Opensea: they’re taking down entire NFT collections. This is just not what decentralized means. web3 is about decentralization, and centralized censorship does not fit in that ideal.

If your NFT link points to a random website… that’s pretty much the worst case scenario.

Examples of notable NFT collections that store their data on third party websites:

Option 2 – The NFT link points to “the blockchain” (good)

Some NFTs do the right thing and store the image on the blockchain. The NFT link points to somewhere on the blockchain, so no one can edit it, and the image is guaranteed to exist forever on-chain.

Now, this is an inaccurate and overly simplified version of what happens behind the scenes. It’s not technically correct. Let me explain.

As discussed, storing data on the blockchain is prohibitively expensive, even for the most wealthy. How do “good” NFTs do it then?

The answer is known as decentralized storage.

Decentralized storage is not technically “the blockchain”. It’s its own separate network of computers. But very much like the blockchain, it provides a similar set of features:

  • Decentralized, so no single person owns everything. Thousands of computers make up the network.
  • Failure resistant: There’s no single point of failure. One or two computers might go down, but it’s extremely unlikely thousands of computers will go down at the same time.
  • Replication: The exact same piece of content can exist (in theory at least) on many different places at the same time, so that it won’t stop existing.
  • Immutable (uneditable): once a content has been added to the network, one can’t edit that content without altering its content identifier, and thus breaking the link.
  • Censorship and time resistant: a consequence of the above. No one can theoretically control or delete any content, and everything exists forever, in theory

Now, granted, no system is perfect. There are plenty of problems with decentralized storage. Unpopular content might not get replicated, garbage collection might delete it altogether and thus decentralized storage can sometimes become indistinguishable from centralized storage. Taking down huge nodes might delete huge amounts of content forever. It has its flaws. But the point is it’s *better* than the alternative, at least for the use case we’re discussing here. If you’re interested in a more technical explanation, I also wrote a technical post.

The best known decentralized storage system is called IPFS (Inter Planetary File System).

In IPFS, links to images do not look like https://mysupercoolnft.com/image.jpg

Links in IPFS are just long strings of text, something like f0d73e853816f32f69582dc85aee4451.

These strings are actually a hash of the image itself, and represent a concrete place within the IPFS network, in the same way Ethereum addresses are hashes of users’ public keys and represent a concrete place within the Ethereum network.
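Because the identifier is derived from the bytes, anyone who fetches the content can recompute it and detect a swap, no matter which gateway served it. The sketch below is an added example, not code from this post or from IPFS itself: it handles only the simplest real identifier form (a CIDv1 for a single raw block hashed with SHA-256, the ones starting with `bafkrei`), the function names are hypothetical, and the sample bytes are constructed. Larger files are split into a tree of blocks and their identifier names the tree root, so this direct check does not apply to them.

```python
import base64
import hashlib

# CIDv1 header: version 0x01, codec 0x55 (raw bytes),
# multihash code 0x12 (sha2-256), digest length 0x20 (32 bytes).
HEADER = bytes([0x01, 0x55, 0x12, 0x20])


def raw_cid(content: bytes) -> str:
    """Content identifier (CIDv1, raw codec, sha2-256) for one block of bytes."""
    digest = hashlib.sha256(content).digest()
    b32 = base64.b32encode(HEADER + digest).decode("ascii")
    # "b" is the multibase prefix for lowercase, unpadded base32.
    return "b" + b32.lower().rstrip("=")


def digest_from_cid(cid: str) -> bytes:
    """Extract the SHA-256 digest from a raw CIDv1; reject every other kind."""
    if not cid.startswith("b"):
        # e.g. CIDv0 ("Qm..."), which names a wrapped node, not the raw bytes
        raise ValueError("not a base32 CIDv1")
    body = cid[1:].upper()
    # b32decode raises binascii.Error (a ValueError) on malformed input.
    raw = base64.b32decode(body + "=" * (-len(body) % 8))
    if len(raw) != len(HEADER) + 32 or raw[:4] != HEADER:
        raise ValueError("not a raw-codec sha2-256 CID")
    return raw[4:]


def verify_fetched(cid: str, content: bytes) -> bool:
    """True only if the fetched bytes are exactly the bytes the CID names."""
    return hashlib.sha256(content).digest() == digest_from_cid(cid)


# Constructed sample data: an "artwork" and a silently edited copy of it.
ORIGINAL = b"<svg xmlns='http://www.w3.org/2000/svg'><!-- original art --></svg>"
EDITED = ORIGINAL.replace(b"original", b"replaced")


def tamper_check() -> dict:
    """Pin the CID of the original, then test both versions against it."""
    pinned = raw_cid(ORIGINAL)
    return {
        "pinned_cid": pinned,
        "original_ok": verify_fetched(pinned, ORIGINAL),
        "edited_ok": verify_fetched(pinned, EDITED),
        "edited_cid": raw_cid(EDITED),
    }


if __name__ == "__main__":
    for key, value in tamper_check().items():
        print(f"{key:12} {value}")
```

With a plain `https://` link the same URL can serve either version and nothing in the link reveals the change; here the edited file fails verification and can only be published under a different identifier.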

IPFS is not a blockchain. But it’s the closest we got for content storage, and provides immutable, decentralized content storage at a fraction of the cost (much like normal, traditional storage).

If your NFT image and data is stored on decentralized storage systems like IPFS, congratulations. Your NFT is way better off than having its content stored on centralized servers, and the NFT data is probably not going to go away easily.

Examples of notable NFT collections that store their data on decentralized storage:

Option 3 – The NFT doesn’t have any link at all (best)

I know I said there’s only two options, but there’s actually three, and I wanted to cover all cases to make this guide as comprehensive and complete as possible. Now, this case is uncommon. I’ve only seen it a few times.

The third option is when the NFT doesn’t point anywhere but to itself. This means the data is actually stored inside the NFT, on the actual blockchain.

Storing data on the blockchain is absurdly expensive, but some projects do it. Now, there are tricks to achieve it. Images and videos are too heavy to get stored on-chain, but text isn’t. And one can sometimes represent certain kinds of images as text, like in vector graphics using SVG.

The resulting images are often simplistic and not really visually appealing, but there are some interesting use cases like Corruption(s*)

Some of the kind of images you can generate with text

This is the best-case scenario, honestly. On-chain data is way superior to other decentralized storage solutions, and the only reason projects don’t do it is because of its limitations and cost. But the only NFTs you truly own have their data on the blockchain itself. That data isn’t going anywhere. If your NFT really stores its data on-chain, your NFT is uneditable, you own it completely, image included – and it is guaranteed to last for a long time. It’s as good as it can get.

Examples of notable NFT collections that actually store their art on-chain:

This is what most people think NFTs to be, but the reality is these on-chain NFTs make up only a tiny fraction of all NFTs.

So, how bad is it?

Most of the friends in tech I’ve talked to seem to be unaware of all this.

Understandably so: it is pretty counterintuitive given the main angle in which NFTs are being portrayed by media and influencers alike. We keep being told NFTs live entirely on the blockchain and are permanent. The reality, as we’ve seen, is way way more nuanced than that.

I know many are excited about how NFTs are a revolutionary technology and enable you to own art for the first time, but this is just not the way it works most of the time. Believe me, I’m really bullish on crypto and I’d really love NFTs to succeed as a technology, but most NFT projects are just not what you think they are. I’d really want this to work, but let’s be real here: we still have a long way to go.

70%+ of all NFTs are mutable (“bad”)

From what I’ve found in my own research analyzing NFTs, the vast majority of NFT projects are mutable (“bad”): they store their data in centralized servers.

We’re easily talking 70%+ of all analyzed NFTs (source).

LooksMutable.com has analyzed 11k+ NFTs so far, and more than 70% of them are mutable

It’s certainly concerning if we analyze the wallets of well-known NFT influencers:

Analysis of two wallets with many NFTs

I’ve chosen these two wallets for no particular reason other than they’ve been some of the loudest accounts in the NFT space I’ve been tracking lately, they own a respectable amount of NFTs and prove the point.

Think about that for a second: if some of the most influential people in the space own not even 30% of “good” NFTs themselves, what kind of projects are they likely promoting to their audiences?

Caveat: NFT spamming in big wallets

There’s this shady technique I’ve been seeing in really big accounts, where NFT creators send big wallets “free” NFTs as essentially spam.

Big wallets attract so much attention that shady makers send them their low-quality NFTs for free, so they show up in their OpenSea profiles.

What they’re trying to achieve is that other buyers go to that big wallet profile, see the NFT, think the wallet actually thought the token was a good investment and bought it, so as to trick people into buying their NFT. Makes sense?

It’s essentially the same as sending spam email, but with NFTs.

You just gift NFTs to randoms in hopes that others will look at their profile and take the bait.

That’s why in really big accounts with hundreds or even thousands of NFTs it’s a good idea to be skeptical of what they really own. Most of those spam NFTs are obviously low quality and potentially mutable.

Unfortunately, I have no way of distinguishing real NFTs from spammed NFTs, other than by looking at the total number of NFTs in a wallet and being suspicious of big numbers.

Verified doesn’t mean immutable

Another problem has to do with Opensea and similar services. Many people associate NFTs with Opensea, and all these services have this thing where they verify certain collections and add a nice blue “verified” badge next to their name. This verified badge makes people think NFTs in the collection are good to go. But verified doesn’t mean immutable.

Opensea verifies collections no matter how the data of the NFT is stored.

Which means collections like “Cool Cats NFT”, which store their data in centralized servers, get verified making people think there’s nothing wrong with them.

For Opensea and the like, “verified” pretty much just means “these guys own the Twitter account with the same name”.

Rare doesn’t necessarily mean valuable

The NFT space is excessively focused on rarity and floor prices, but often neglects to think about whether the NFTs are even reliable in the first place.

Your NFT could be the rarest of the collection and the floor price could be increasing dozens of ETH every day, but that’s absolutely worthless if your NFT is mutable and can just simply stop existing or change its attributes drastically at any moment without prior notice.

Rarity analyses are essentially worthless on mutable NFTs, because that rarity can be manually changed at any point in time, since the data that gives the NFT its rarity is stored on a centralized website.

Plus, if your NFT is mutable, there’s a high chance it will not be around in 10 years.

Will my NFT be dead in 10 years?

If your NFT is immutable (“good”), probably not. Distributed networks are difficult to take down, should not rely on single nodes, and the data is likely to just keep existing somewhere.

But if your NFT is mutable (“bad”), there’s a huge chance it will not outlive the next 10 years.

Why?

Because centralized servers simply stop existing. Servers need maintenance. Things break all the time and need to be fixed, things need to be improved just to keep up with the times, services you rely on go out of business, security updates are released and need to be installed… developers are expensive, server bills and domains need to be paid, and someone just needs to assume all that cost and energy.

The default state of websites is to be dead, not alive.

It takes actual effort to keep things just afloat. If your mutable NFT project gets abandoned, no one will put in that money and effort and the NFT will die with the server.

And it’s not only that servers stop existing altogether. If the server goes temporarily down, which happens to all of us, more often than I’d like to admit, your NFT will become void for as long as the server is down.

CyberKongz stores all NFT data in kongz.herokuapp.com, which redirects to cyberkongz.com, but the data is clearly stored in Heroku. At the time of checking, the server was completely down and no NFT data could be fetched.

Take this one, for example. This is the server of a NFT collection called CyberKongz. The cheapest NFT in their collection (floor price) currently sells for 8.5 ETH (about $20k USD at current price).

All their NFT images and data are stored in Heroku, a free app hosting service. I tried examining their NFTs data, only to find… their server was absolutely dead. Like, the only thing you could get was that error screen.

This is not what web3 is about.

What happens if a mutable NFT server goes down?

If the server goes down, your NFT becomes “empty”. You still own the NFT itself, as in: there’s a place on the blockchain that says you own “Item #123”, but “Item #123” doesn’t exist, it points nowhere. The URL just returns an error. The NFT will lose its image, its name, its description, its rarity traits and everything related to it.

Some services like Opensea might still have a cached copy of that data, but that’s just temporary and just for one single service. New services that come along, new integrations, or even Opensea itself when it decides to refresh the data of your NFT: all of them will encounter a “404 NOT FOUND” error, with no data to fetch, and will render the NFT as what it is: an empty structure.

This is what could happen to your mutable NFT tomorrow. It’s just dead. Empty. The shell is there, but there’s nothing inside to fill it. This is just a representation, different services might implement missing data in a different way, but you get the idea.

Can the data in a mutable NFT be edited easily?

Yes. Absolutely. As easily as I can edit this blogpost. It takes me seconds.

So here’s an example:

I wanted to have my profile pic on the blockchain as an NFT, so I programmed a whole smart contract (ERC721) and deployed it on the blockchain. It’s fairly quick and easy once you’ve done it a few times.

You can check it out on Opensea, but I deployed it with a test wallet and it’s overall pretty uninteresting

I then created my own NFT data server to provide my NFT with the actual data and image it has to show:

The actual data my NFT points to. Notice how the NFT image is also just a link to my server

So to recap: there’s an NFT somewhere on the blockchain. And that NFT points to nft.rameerez.com (my NFT server) as the URL from where to get its data, including the actual picture. Opensea and any other NFT service read from there, and my profile picture gets displayed as the image associated with the NFT.

Quick test: is my NFT mutable (bad) or immutable (good)?

My NFT links to my server (nft.rameerez.com), so it’s mutable (bad).

Since the NFT is mutable and all its data lives on my server, I can change it at any moment, no matter who owns it. Let’s play around with it a bit. Of course, all changes I make get reflected on Opensea almost immediately:

The edited NFT – notice how the image, the title and the description are all different to the previous screenshot

If you look closely, you’ll even notice none of these changes got reflected in the “Item Activity” section. They don’t get reflected anywhere on the blockchain either – because this NFT is mutable and its data does not live on the blockchain. I can edit it over and over again and my footprints will never be visible.

In a similar line of thought, there’s one really cool experiment by Moxie Marlinspike, the founder of the Signal app.

Since he fully owned his NFT server, and since servers can know who’s making every request, he configured his NFT data server so that it would respond with different images depending on which service was making the request.

So, if OpenSea was trying to read the NFT data (meaning: the request was made from OpenSea.io), the NFT data would return one artwork. Which would be completely different to the artwork returned by Rarible requesting that same NFT data.

The NFT mutability experiment by Signal founder Moxie Marlinspike. Screenshotted from moxie.org

Now, if it was the Metamask wallet asking for the NFT data, the NFT would just return the poop emoji.

This was all automatic, of course. No human was involved in changing the NFT image. It would just happen automatically in a fraction of a second as soon as the server identified where the request was coming from.

Yes, changing the data on mutable NFTs is that easy.

Are there any advantages for why an NFT is to be stored on a centralized server?

Not really.

Well, yes, there are advantages for the NFT makers.

  • It’s easier + quicker to develop centralized solutions vs decentralized ones like IPFS
  • It’s easier + cheaper to find developers
  • IPFS has its own learning curve developers need to go through
  • IPFS has its own costs
  • IPFS is not widely known yet by developers

Are there advantages for the NFT builders? Yes.
Are there advantages for the NFT holders? I don’t think so.

Well, there’s actually one useful use case: revealing NFTs.

Many NFT collections do a reveal event, like when eggs hatch into the final NFTs.

That’s only possible if the data is on a centralized server, and thus the NFT image can be changed easily for the reveal.

But there’s a caveat: good contracts change the URL after the reveal. They start off as mutable NFTs so they can hatch them, but they later switch the URL to IPFS, cementing the data after the hatch.

Wait, can NFTs change their mutability once a project is released into the wild and has been traded, bought and sold?

Not by default.

Some NFT smart contracts allow for a change in the URL where the NFT data is stored, though.

If the smart contract allows for a change in the URL where they store the data, then yes: it’s possible to change one NFT collection from mutable to immutable even after launch, and theoretically also vice-versa.

By default this is not the case: the makers of the project need to make an extra effort to have that implemented prior to launch. If they haven’t had it explicitly implemented before release, it’s not possible. But determining which NFTs allow for a change in the URL would require a case-by-case examination, reading the source code of the smart contract and figuring out if such feature is implemented.

MekaVerse is a good example of an NFT that launched as mutable but later cemented their data in IPFS. After their reveal, they switched the URL of the NFT to IPFS, making the collection immutable.

Some projects then burn the keys of the addresses allowed to make that change, to prevent future changes from taking place (and prevent the NFT from becoming mutable again). Another solution might be to implement a software limit. The number of times the tokenURI can be changed can in theory be limited in the contract itself. Contracts might allow only 1 or 2 changes, ever. I don’t have any practical examples of these techniques in use (please comment if you have some!), but they are in theory possible.

If the smart contract of my NFT never allows for changes… is it game over? Is then the art forever detached from the blockchain?

Essentially, yes.

There’s a few nuances I’m currently exploring. Some projects like Chromie Squiggles do have all the instructions necessary to generate the art on-chain, but the link points to a centralized server, which is where all services like Opensea read from, so even if the centralized server went down you could still theoretically re-generate the art, because it’s contained as code within the NFT.

But in practice all services would just return an empty NFT, a “404 Not Found” error.

Your art might be there, but it might not be accessible and visible.

This edge case is sort of a gray area and calls for a debate, in my opinion.

If everything that’s needed to regenerate the NFT data is on-chain, can the artwork be considered to be on-chain? Even if most services will fail to read that data and will display an empty NFT instead? If the art is so immutable, why not have it stored somewhere decentralized in the first place? Why ruin it by making the NFT point to a centralized server? Just for the developers’ convenience? Is it worth it, though?

How do I check if an NFT is immutable (good) or mutable (bad)?

The long answer would be very technical and boring, something like “find out what’s the smart contract address of the NFT. Then, find a node to interact with the contract. Using it, ask the contract if it implements the ERC721 standard. If it does, call the method that returns the URI of the metadata and…”

You get the idea.

I thought that was pretty cumbersome and unfriendly.

That’s why I’ve built a tool that automates all this in one single click.

It’s called 👀 LooksMutable.com and it’s free to use – go ahead and analyze any NFT or any wallet.
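The last step of that long answer, deciding what a metadata URI says about storage, can be sketched as follows. This is an added example, not LooksMutable's code: it assumes the tokenURI has already been read from the contract, that the metadata JSON uses the common `image` and `animation_url` field names, and that the caller fetches the JSON itself. All hosts and the CID below are constructed placeholders. It goes one step beyond the URI check by also inspecting the links inside the metadata, since metadata on IPFS can still point to an image on an ordinary web server.

```python
import base64
import json
import re
from typing import Optional
from urllib.parse import unquote, urlparse

# Storage classes, named after the post's three options.
ON_CHAIN = "on-chain"            # data: URI, payload sits in contract storage
DECENTRALIZED = "decentralized"  # content-addressed storage (IPFS)
CENTRALIZED = "centralized"      # ordinary web server, editable by its operator
RANK = {ON_CHAIN: 0, DECENTRALIZED: 1, CENTRALIZED: 2}  # higher = weaker

# CIDv0 ("Qm" + 44 base58 chars) or base32 CIDv1 ("b" + lowercase base32).
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58,})$")


def classify_uri(uri: str) -> str:
    """Classify one URI by where the bytes behind it are stored."""
    parsed = urlparse(uri.strip())
    if parsed.scheme == "data":
        return ON_CHAIN
    if parsed.scheme == "ipfs":
        return DECENTRALIZED
    if parsed.scheme in ("http", "https"):
        # Path gateway: https://host/ipfs/<cid>/... The content is still
        # addressed by hash, so any other gateway or node can serve it.
        parts = [p for p in parsed.path.split("/") if p]
        if len(parts) >= 2 and parts[0] == "ipfs" and CID_RE.match(parts[1]):
            return DECENTRALIZED
        # Subdomain gateway: https://<cid>.ipfs.host/...
        labels = (parsed.hostname or "").split(".")
        if len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.match(labels[0]):
            return DECENTRALIZED
    # Plain web URL, or a scheme that cannot be verified: treat as mutable.
    return CENTRALIZED


def decode_data_uri(uri: str) -> bytes:
    """Return the payload of a data: URI (base64 or percent-encoded)."""
    header, _, payload = uri.strip()[len("data:"):].partition(",")
    if header.lower().endswith(";base64"):
        return base64.b64decode(payload)
    return unquote(payload).encode("utf-8")


def analyze(token_uri: str, fetched_metadata: Optional[str] = None) -> dict:
    """Classify the metadata location and every asset link inside it.

    fetched_metadata is the JSON body served at token_uri when that is not
    a data: URI; the caller fetches it, this function performs no I/O.
    """
    result = {"metadata": classify_uri(token_uri), "assets": {}}
    if result["metadata"] == ON_CHAIN:
        fetched_metadata = decode_data_uri(token_uri).decode("utf-8")
    if fetched_metadata is not None:
        doc = json.loads(fetched_metadata)
        if isinstance(doc, dict):
            for field in ("image", "animation_url"):
                if isinstance(doc.get(field), str):
                    result["assets"][field] = classify_uri(doc[field])
    # The token is only as durable as its weakest link.
    links = [result["metadata"], *result["assets"].values()]
    result["overall"] = max(links, key=RANK.__getitem__)
    return result


# Constructed sample inputs (hosts and CID are placeholders, not real tokens).
FAKE_CID = "Qm" + "a" * 44
SVG_URI = "data:image/svg+xml;base64," + base64.b64encode(
    b"<svg xmlns='http://www.w3.org/2000/svg'/>").decode()
SAMPLES = {
    "web server": ("https://nft.example/meta/123",
                   '{"name": "A", "image": "https://nft.example/img/123.png"}'),
    "ipfs json, web image": ("ipfs://" + FAKE_CID + "/123",
                             '{"name": "B", "image": "https://cdn.example/123.png"}'),
    "ipfs via gateway": ("https://gateway.example/ipfs/" + FAKE_CID + "/123",
                         '{"name": "C", "image": "ipfs://' + FAKE_CID + '/123.png"}'),
    "fully on-chain": ("data:application/json;base64," + base64.b64encode(
        json.dumps({"name": "D", "image": SVG_URI}).encode()).decode(), None),
}


def run_samples() -> dict:
    """Overall verdict for each constructed sample."""
    return {name: analyze(uri, body)["overall"]
            for name, (uri, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:22} -> {verdict}")
```

The second sample is the case worth watching for: the metadata itself is on IPFS, but the overall verdict is still centralized because the image link is not.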

I documented on Twitter the whole story of how I built this project, from the very first line of code to launch, in the most #buildinpublic fashion possible.

Conclusion: are NFTs valuable at all?

NFTs introduce an interesting technology that addresses an actual problem: how to assign ownership over digital assets. Digital assets, by definition, can be trivially copied – and each copy is absolutely identical to the last one. Who’s the real owner when every copy is the same?

NFTs are just digitalizing something that already exists in the physical world and is of critical importance: property.

The need is most likely real and something will eventually solve it, whether the solution is called NFTs or not.

The foundations are there. It’s just way too early and everyone is still exploring the possibilities, breaking things and testing where the boundaries of this field are.

But at the current stage, NFTs have many implementation problems. One of them is the immutability problem we’ve explored in this post. The good news is that it could have a fairly easy solution: decentralized storage. The bad news is the solution is not perfect.

I want to make a case for centralized services, though: they’re not that bad. We’ve been living off centralized services forever, and not everything needs to be decentralized. This blog does just fine living in a centralized server I own, and does not have any need whatsoever for a decentralized solution.

I understand this post is critical of NFTs, but only because the way they’re currently being used goes against the very foundations they rely on.

I’m personally okay with most centralized services (like my blog), but I’m not okay with people selling the idea that something is A when it’s in fact B. If we’re getting serious about building fully decentralized solutions, then let’s go ahead and do it, but don’t trick people into thinking something is decentralized when it’s not.

Right now, we’re not seeing NFTs: we’re mostly seeing pseudo-NFTs. It’s just more of the same stuff we’ve been seeing for 30 years, only with a crypto branding layer on top of it, in an attempt to cash in on a viral trend.

I’m hopeful things will change for the better, though. Useless things tend to die relatively quickly and only what’s valuable survives over time.

In the future I expect NFTs to have real use cases where proving ownership over a digital asset is important. We’re starting to see such use cases, but I expect them to be way more interesting, and certainly more subtle. My ideal outcome would be that NFTs become a transparent technology for most of us, just like the internet is already transparent (and almost indistinguishable from magic) for most of us today. In the future, you may purchase something like a digital concert ticket, and you will be unknowingly owning an NFT.

As for the time being, everyone should be really conscious that most NFTs do not live on the blockchain. At least, not the really important parts. In 2022, with 70%+ of all NFTs being mutable, I need to warn you to proceed with care. Most NFTs could be dangerously unreliable. Always check for immutability, or assume the risks.

Education is a big part of what will take us to the next step, so if you liked this please share this post with anyone you think might find it helpful!


P.S.: A technical note on how NFTs work

For the more technical folks that might be reading this, I also wrote a technical blogpost outlining in detail the technical problems and nuances of everything described in this post. It’s fairly technical, so if you’re not comfortable with technical jargon, please feel free to skip it.
