Why half of the NFTs we own are susceptible to “rug pulls”

Henk ter Harmsel
2 min read · Jul 13, 2021
Photo by Michael Dziedzic on Unsplash

Lately, I’ve been creating an NFT contract for a project I’m working on. I do own some NFTs but never gave myself the chance to look into them properly. I found out that an NFT is basically an ID within a contract with a URL to the metadata (whether it’s EIP-721 or EIP-1155). These URLs are pretty often an API hosted by the NFT creator (or by OpenSea when you create your NFT on OpenSea). This means, e.g., that when this API is taken down, your NFT does not exist anymore. Quite often, it also means that it’s possible to change the contents of your NFT. In my opinion, the fact that you own something that cannot be changed is the whole point of an NFT.

To explain this a little more, I took the following example from a collection where I also own some NFTs (this one is not mine, though). When you check out this NFT on OpenSea, you can retrieve the contract address and the ID of the NFT from the URL: https://opensea.io/assets/0xa7d8d9ef8d8ce8992df33d8b8cf4aebabd5bd270/72000480

Contract: https://etherscan.io/address/0xa7d8d9ef8d8ce8992df33d8b8cf4aebabd5bd270#readContract

Go to the field tokenURI and fill in the ID (72000480). This results in the URL to the metadata: https://api.artblocks.io/token/72000480, where you can also find the URL to the image: https://api.artblocks.io/image/72000480. As you can see, this is hosted on an API from Art Blocks itself. I love Art Blocks, by the way, but I just needed a good (bad) example. A crypto artist named “Neitherconfirm” also made a perfect example to prove this point.

So I looked into this a little bit more and found this post, which also confirmed my research. During my research, I also found out that lots of NFTs store their contents on IPFS. Basically, on IPFS, it’s only possible to add content and retrieve a CID (Content IDentifier) in return. This CID is directly derived from the data itself and links to the data in the IPFS network. This means that you cannot edit the data, and it’s also not possible to delete it.

IPFS also wrote a How-To guide for the developers among us on creating NFTs with IPFS URLs. Another option for pinning your NFT as IPFS content, which I would like to add, is Infura.

Conclusion: to make sure that you own a real NFT, always make sure that it’s hosted on IPFS. Otherwise, content can be deleted or changed, so it’s possible to pull the rug. To check this, you can use the method I described above. Also, make sure that it’s an IPFS URL in the contract and not a gateway hosted by the creator.
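
The check described in the conclusion, written out as an added Python example (not code from the original post): it classifies a tokenURI and the image URL inside its metadata as a native IPFS URI, an IPFS gateway URL, or a plain HTTP URL. The CID is a constructed placeholder, gateway.example is a hypothetical host, and the CID regex checks shape only.

```python
import re
from urllib.parse import urlparse

# Shape check only, not a full CID decode: CIDv0 is "Qm" + 44 base58 chars,
# CIDv1 in base32 starts with "b" followed by lowercase base32 characters.
CID = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58,})"

# Constructed placeholder with a valid CIDv0 shape; it is not a real CID.
FAKE_CID = "Qm" + "a" * 44

def classify(uri: str) -> str:
    """Classify where a tokenURI or image URL actually points."""
    u = urlparse(uri.strip())
    scheme = u.scheme.lower()
    if scheme == "ipfs":
        # Accept ipfs://<cid>/path and the older ipfs://ipfs/<cid>/path.
        rest = (u.netloc + u.path).lstrip("/")
        if rest.startswith("ipfs/"):
            rest = rest[len("ipfs/"):]
        return "ipfs" if re.match(CID + r"(?:/|$)", rest) else "invalid-ipfs"
    if scheme in ("http", "https"):
        host = u.hostname or ""
        # Path-style (/ipfs/<cid>) or subdomain-style (<cid>.ipfs.<host>)
        # gateway: the content is addressed by CID, but the URL stored in
        # the contract still depends on whoever runs that host.
        if (re.match(r"/ipfs/" + CID + r"(?:/|$)", u.path)
                or re.match(CID + r"\.ipfs\.", host)):
            return "ipfs-gateway"
        return "mutable-http"  # an ordinary API; can be changed or taken down
    return "other"

def audit(token_uri: str, metadata: dict) -> dict:
    """Check the tokenURI and the image URL found inside its metadata."""
    result = {"tokenURI": classify(token_uri),
              "image": classify(metadata.get("image", ""))}
    # Only native ipfs:// URIs in both places pass the article's check.
    result["immutable"] = (result["tokenURI"] == "ipfs"
                           and result["image"] == "ipfs")
    return result

if __name__ == "__main__":
    # The two URLs given in the article for token 72000480.
    print(audit("https://api.artblocks.io/token/72000480",
                {"image": "https://api.artblocks.io/image/72000480"}))
    # Constructed IPFS-backed token for comparison.
    print(audit("ipfs://" + FAKE_CID + "/1.json",
                {"image": "ipfs://" + FAKE_CID + "/1.png"}))
```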

Henk ter Harmsel

Software Engineer, Solidity Developer and Crypto enthusiast