Scramble Suits - an analysis on NFT metadata.
Scramble Suits - an analysis on NFT metadata.
This piece seeks to clarify misconceptions regarding immutable vs on-chain NFT collections by comparing CloneX and MoonCats.
“Now you will notice," the Lions Club host said, "that you can barely see this individual... because he is wearing what is called a scramble suit…
"Let's hear it for the vague blur!" the host said loudly...
For anyone unfamiliar with the writings of Philip K Dick that often overflow with androids, simulacra, and mechanical men, the vague blur is otherwise known as a Scramble Suit from his novel, A Scanner Darkly published in 1977.
More clearly portrayed in the 2006 film adaption, the suits are an invention of Bell laboratories worn by undercover cops to disguise their identity even from coworkers, as everyone is an informant, paid to inform on everyone else. While I won't go into the fine details, the suits are a "superthin membrane" large enough to fit around an average human, upon which the features of a million different people are projected outward in all directions. The novel describes it as a vague blur, or millions of different representations of people and gives you the idea that you're seeing the person, but you can't focus on it. A blue eye for one second, and I'll shift it to a green eye to a different mouth, one with a mustache, to a full beard, to nothing.
“As the computer looped through its banks, it projected every conceivable eye color, hair color, shape and type of nose, formation of teeth, configuration of facial bone structure - the entire shroudlike membrane took on whatever physical characteristics were projected at any nanosecond, then switched to the next…
In any case, the wearer of a scramble suit was everyman and in every combination (up to combinations of a million and a half sub-bits) during the course of each hour. Hence, any description of him - or her - was meaningless.”
Hallucinatory worlds and dystopian sci-fi aside, Scramble Suits also apply to the controversial 1/1 LeBron CloneX by RTFKT and related issues about their metadata late 2022. Especially as, despite what would be the presumption of a fixed surface layer, there are, in fact, almost infinite variations that the NFT could change into, all while the "real character", the centralized actor, hides underneath (RTFKT developers) that nobody sees.
Or rather, underneath infinite variations that could be formed on the surface, there is the real character, the centralized actor disguised that can manipulate the appearance via conditions of metadata to confuse or trick the subjects into who and what they're getting involved with.
The point I'm trying to make is that there's no shortage of faulty trust assumptions in Web3. One of them is that if a collection is on-chain, that doesn't necessarily mean that the image is immutable. So, to better understand what metadata is and why buzzwords like "on-chain" obfuscate the reality of NFT permanence, allow me to provide a basic overview. But for anyone already familiar, please skip to here:
What is metadata?
Metadata is information about a group of data. It helps us understand the structure, nature, and context of a set of knowledge, which can include details such as:
How the data was created — the means.
When the data was created — the time and date.
Why the data was created — the purpose.
Who created the data — the author.
Where the data was created — the location.
How big the data is — the file size.
There are three main kinds of metadata:
Descriptive metadata - Information that helps people identify a file or resource. Examples of descriptive metadata for a document may include the official title and creator's name.
Structural metadata - provides insight into how the file or data elements are organized and related. For example, the structural metadata for a video on YouTube may include information about different parts of the video, what order they're in, and where ads play.
Administrative metadata - is information about the origin of a file or resource, such as who owns the data and who can access it. For example, the administrative metadata of something like a photo might include the copyright owner, camera equipment used, shutter speed, and image resolution.
Why is metadata relevant to NFTs?
NFT metadata is the set of data that describes the content of an NFT. It's usually saved in a JSON format or file and includes information like name, transaction history, traits, link to the hosted image, etc. Ultimately, understanding how to audit or find the metadata of an NFT is important as it helps prospective holders realize what they're buying vs relying on mere surface level conventions and narratives.
How can you find the NFT metadata, and where is it usually stored?
NFT metadata is either stored off-chain or on-chain. As alluded to in the name, on-chain means that some parts (if not all) of the NFT, including its metadata and image, live on the underlying blockchain. As JPEG files can contain a lot of data, storing them on a blockchain can potentially be prohibitively expensive. However, the decision is increasingly popular amongst more tech-savvy and long-standing collections like CryptoPunks and MoonCats, as it helps collectors efficiently audit and verify all aspects of their assets.
But as most projects can't afford these storage costs, they opt for storing data off-chain - which is the inverse. Or rather, storing files on a centralized or decentralized server outside the blockchain like Amazon Web Services (AWS), InterPlanetary File System (IPFS) or Arweave. But these aren't without their issues.
See also: https://www.artnome.com/news/2021/10/27/back-up-your-nft-art-or-it-could-disappear
Finding the metadata depends on the specific blockchain. For Ethereum collections, which require assets to follow either the ERC-721 or ERC-1155 contract standards, holders can find the metadata through blockchain explorers like Etherscan.
Now, onto CloneX.
CloneX - LeBron
In early September 2022, the brand behind CloneX (RTFKT) directly changed one of their NFTs to create a custom 1/1 for LeBron James, a well-known basketball player.
Although the team had claimed that some components of CloneX were on-chain, the 1/1 revealed that the metadata of the broader collection was not locked, contradicting what some had assumed. A faulty assumption at best considering a team member had previously tweeted that changes to the asset's appearance required the owner's consent, which would mean that that it was not locked all along.
Given that Nike/RTFKT are a centralized brand, in retrospect, it may also seem unsurprising that they’d be directly controlling the dynamic of their collection, and some of the more savvy collectors weren't caught unawares.
But, as noted by Nate, the NFT community places great importance on decentralization, and RTFKT's ability to centrally manage any asset in the CloneX collection raised concerns among investors and holders. The main issue being that this centralized control undermines a key benefit of NFTs, which is immutable tech, and more importantly verified/autonomous ownership.
While there are valid arguments against locking metadata for dynamic assets (it prevents future ingenuity for in-game assets that do need to change as players progress), the key issue here seems to center around transparency and clarity in educating people about what they are buying and how to audit the code.
As mentioned by BenJamminx, locking metadata may not be necessary, but it is essential to understand if implemented - and most people have little to no awareness that, in many cases, their assets can be changed. Ultimately, the idea that a project creator can change visuals, metadata, or other characteristics of an NFT on a whim is alarming. Unfortunately, we've already seen examples of this happening, and it confirms some projects only value a veneer of decentralization.
To help clear up misconceptions around metadata and help people understand the potential risks involved with their assets, I reached out to the mooncatrescue team for previous articles I've written. Released in 2017, I'm always impressed by how ahead of its time technologically MoonCats are. While I am a holder, that doesn't detract from the fact that MoonCats objectively serve as a strong foundation in terms of what people should be looking for in their collections (codewise). But, of course, it also helps that the project lead @midnight426 has a talent for effortlessly explaining complex concepts.
Immutable vs on-chain:
At the risk of sounding repetitive, two important terms that are often used interchangeably, but have vastly different meanings: "immutable" (never changing), and "on-chain" (verifiable, public information) are not synonyms! How these concepts work & how projects are using them wildly differ.
For MoonCats, the original contract includes a hash that identifies a “parser script” that turns MoonCat "DNA" identifiers into artwork. While this parser could be replaced, the old hash value would always be query-able - it is immutable. It might be one of the only historical NFTs to be so.
The MoonCats' original hexadecimal identifier of each MoonCat is also recorded on-chain, and any tampering, such as claiming a specific MoonCat's identifier was now something different would be easy to prove.
While finding the metadata through blockchain explorers like Etherscan is relatively simple, identifying if a project is on-chain or immutable can sometimes be a little tricky. To really deeply understand it, you'd likely need a developer to look at it (similar to how if you have a huge legal document, you likely need a lawyer to analyze it for you), but knowing a little can help a lot.
For non-programmers, the key things to look for are to first find the source code file that is named the same as the smart contract - those are the main source files, and all the others are "libraries" included with it. Let’s go back to our original example, the changed CloneX
(The contract address of cloneX can be found here) https://etherscan.io/address/0x49cf6f5d44e70224e2e23fdcdd2c053f30ada28b#code.
Every contract that adheres to the ERC721 URI standard will have a function defined as function tokenURI(uint256 tokenId). For CloneX it's on line 112. To tell how it changes, there’s a key function on line 74 (function secureBaseUri) that allows changing the URI to a new one.
It's defined as having the onlyOwner modifier, so only the owner of the collection can call it, and this particular function also has a "lock" option (line 79) that once called, the URI can never be updated again. It CAN be immutable - but it’s not by default.
The CloneX contract is furthermore currently not locked. However, there was no transaction from the "owner" on or around September 8 2022 to trigger a change in URI. So…it wasn't actually on-chain data that changed. If not on-chain, then how was it changed?
By using the tokenURI function we see an URL pointing to a "web 2.0" server owned by the CloneX team – not IPFS, no hash or any other unique metadata trait. What that URL hosts up is a bit of raw JSON data formatted to describe the token, including an "image" to represent it.
https://clonex-assets.rtfkt.com/images/1.png
(If you go on Etherscan to the "Read Contract" tab and expand the tokenURI function, try putting in a number and submitting it. Currently you get a URL like https://clonex-assets.rtfkt.com/1. That's the "centralized API" that Nate was referring to).
Because those URLs are on a .com standard website and not on a blockchain, they could change at any moment, with no on-chain transaction. All of the "traits" that each CloneX has are in that JSON data, but that appears to be it. Data can be changed at a whim.
Compare that to the MoonCatRescue metadata contract at https://etherscan.io/address/0xB39C61fe6281324A23e079464f7E697F8Ba6968f#readContract with imageOf function (#19). It straight up returns SVG image data directly, rather than pointing to an external source for that data. One tweet to explain, rather than six.
To be clear, I’m not fudding CloneX - and the team has indicated they’ll go fully on-chain. But six months after moving “some data” on-chain (and not even the same quality of hash data MoonCats uses) there doesn’t seem to be much more happening. Seems like a broken promise at this point.
If a duo back in 2017 could figure this out, why can’t a team backed by a billion dollar brand and a cadre of highly talented programmers? If their priorities are making it so you can customize your NFT and walk around in the metaverse, well, it turns out that MoonCats beat them to that too.
I’d like to publicly thank both Midnight and @pawsrpg from @mooncatrescue for their explanations of on-chain via the above. You can also read a much larger article about the concept (and two others) here:
https://mooncatcommunity.medium.com/on-chain-generative-art-dd9cfc3e5fb4
Closing thoughts and key takeaways:
So what does this mean for NFTs that derive a large amount of value from the visual component i.e. generative art and 1/1 collections? For the most part, I’d say it would be to not rely on assumptions. As the age-old saying goes, don't trust, verify. But if you’re still weary of how to assess risk, some further questions to consider might be:
If the aesthetics are important, on a personal or overall market level, then asking where the visuals come from should be a core question before buying anything. For example, is the collection on-chain or stored off-chain on centralized or decentralized servers? If the former, what parts of the asset have been stored on-chain and does that include metadata?
Check etherscan and reach out to savvy developers to help audit the contracts.
If it isn't on-chain, what are the reasons they haven't opted for this choice?
If the meta-data isn't locked, what are the reasons? Is the project/team/artist planning to integrate games or anything that would require the NFT to change? Or, are the NFTs meant to be dynamic or customizable in any way?
As generative art and PFP collections aren’t the only type of NFTs out there, for "membership" style NFTs (e.g. Metakey), what the NFT looks like (or what “traits”it has) doesn’t really matter. Like a real-world gym membership or library card, the value isn’t in the aesthetics. Therefore it makes no difference if the visuals for Metakey NFTs are stored on-chain or not.
For land or game-style NFTs, what the NFT looks like in an NFT marketplace is likely much different from what it looks like in the virtual world (e.g. Decentraland land plots are a map-like visual on marketplaces, but in-game they're 3D land with structures to interact with). But for NFTs where the visual component is important to you as a buyer/collector, then definitely doing the "don't just trust; verify" steps are important.
Ultimately with the ongoing development of Ethereum, many brands and companies will invariably build gated ecosystems on top of Ethereum's permissionless landscape. Such is the nature of the global digital economy. And, as per the nature of any free market, people will gravitate towards the collections they resonate with most and bear the responsibility or consequences that come with those choices. But aligned with the ethos of open, permissionless ecosystems, it might just be that the projects and communities that adhere to those same principles (or varying degrees thereof) also add true immutability in their assets that will stand the test of time.