Are NFTs really decentralized?

An investigation of MekaVerse, Cool Cats, Pudgy Penguins, and more.

In this post, we’ll look into how popular NFT collections store their metadata. If stored incorrectly, an NFT’s metadata (e.g. image) may be changed or deleted at any time.

How NFT metadata works

There are two parts to an NFT collection like MekaVerse or Cool Cats.

  1. There’s the smart contract, which is some code and data that lives on the blockchain. For example, this is the smart contract for BAYC.
  2. There’s the NFT metadata (e.g. the image, name, and description), which is typically stored on IPFS. For example, the Surreals metadata can be accessed at https://surreals.mypinata.cloud/ipfs/QmWmiuEpxJiZ7uuBiGqcFFuFKk8UnfssMmuV9MQZaoB1wR/1.

The smart contract is always decentralized, since it’s stored on-chain. In other words, the smart contract is stored by every full node in the Ethereum network, making it basically impossible to change or delete.

But what about the NFT metadata? First, let’s briefly cover how NFT metadata works. Each NFT in a collection is associated with a token URL, which points to the NFT’s metadata. This URL is stored on-chain, and typically cannot be changed.

However, the content that the URL points to may be changed! As a concrete example, the token URL for the first MekaVerse NFT is https://api.themekaverse.com/meka/1.

When a centralized server controls access to the metadata, the metadata may be changed or deleted.

The token URL matters because it determines whether or not an NFT’s metadata can be changed or deleted. For example, MekaVerse could change the metadata returned by https://api.themekaverse.com/meka/1 at any point in time! In other words, your MekaVerse NFT might have an image today—but it could easily be gone tomorrow.

Here’s how you can find out how an NFT’s metadata is stored 👇

How do popular collections store metadata?

I took a look at how 22 of the most popular NFT collections store their metadata, and the results are not very good. Here are the projects I looked at:

NFT collections and their token URLs.

Here’s the breakdown of how they store metadata:

50% of these projects store their metadata in a centralized way 😬 A project counts as “Centralized” if its token URL looks like https://api.themekaverse.com/meka/1. Remember, if metadata is stored this way, it can be changed or deleted at the owner’s discretion. Or, if the website goes down, everyone’s metadata breaks along with it.

41% of the projects use IPFS in some way.

IPFS guarantees that the metadata will not change, because an IPFS URL identifies content by its hash rather than by its location. It does not guarantee that the metadata will not be deleted: the data stays available only as long as some node keeps hosting it. So these projects are still at risk. Using an IPFS gateway URL (instead of a plain IPFS URL) introduces additional risk, since it relies on the gateway provider to keep data available and accessible.

One project stored the metadata on-chain (Anonymice), and one project has not verified its smart contract (meaning I couldn’t look at the token URL).
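The breakdown above can be reproduced mechanically from a token URL. The following is an added example, not code from the original post: the function name, the category labels, the treatment of `data:` URLs as on-chain metadata, and the Arweave rules (`ar://` and `arweave.net`) are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# CIDv0 ("Qm" + 44 base58 chars) or CIDv1 in base32 ("b" + lowercase base32 chars).
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58,})$")

# Sample input: the first two URLs are from the article, the last two are constructed.
SAMPLES = [
    "https://api.themekaverse.com/meka/1",
    "https://surreals.mypinata.cloud/ipfs/QmWmiuEpxJiZ7uuBiGqcFFuFKk8UnfssMmuV9MQZaoB1wR/1",
    "ipfs://QmWmiuEpxJiZ7uuBiGqcFFuFKk8UnfssMmuV9MQZaoB1wR/1",
    "data:application/json;base64,e30=",
]

def classify_token_url(url: str) -> str:
    """Classify a token URL by who can change or delete what it points to."""
    parsed = urlparse(url.strip())
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    segments = [s for s in parsed.path.split("/") if s]
    labels = host.split(".")
    if scheme == "data":
        return "on-chain"          # metadata is embedded in the URL itself
    if scheme == "ipfs":
        return "ipfs"              # plain IPFS URL: content-addressed, no gateway
    if scheme == "ar":
        return "arweave"           # assumption: ar:// denotes an Arweave transaction
    if scheme in ("http", "https"):
        if host == "arweave.net" or host.endswith(".arweave.net"):
            return "arweave-gateway"
        # Path-style gateway: https://<gateway>/ipfs/<CID>/...
        if len(segments) >= 2 and segments[0] == "ipfs" and CID_RE.match(segments[1]):
            return "ipfs-gateway"
        # Subdomain-style gateway: https://<CID>.ipfs.<gateway>/...
        if len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.match(labels[0]):
            return "ipfs-gateway"
        return "centralized"       # the server operator decides what is returned
    return "unknown"

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify_token_url(url):16} {url[:60]}")
```

A path that merely contains `/ipfs/` without a valid CID is still classified as centralized, since nothing ties the response to a content hash.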

What does this mean?

It means that if you own a MekaVerse, Pudgy Penguin, or Winter Bear, the metadata may be changed or deleted. Is it likely to happen? Probably not. But permanence and immutability are certainly not guaranteed.

It’s sad that so many big projects fail to store their metadata properly. Apparently, most people either don’t care or are unaware of the issue. Just look at the chart below—these projects do crazy volume!

What’s the solution?

It’s simple—NFT metadata should be stored permanently and immutably. Arweave makes it easy to do this—data stored on Arweave will persist forever, and cannot be deleted or changed. For more on Arweave, check out my other article!

I’m not trying to shill Arweave—it’s actually just a great way to store NFT metadata, and is used by most Solana NFT collections.

That’s it! If you have any questions or feedback, reach out on Twitter!

Software Engineer. Tweeting @pencilflip. Mediocre boulderer, amateur tennis player, terrible at Avalon. https://www.mattlim.me/