If Standard NFT Collection Isn’t Safe Enough For Galleries and Museums, What Might Be?


In our most recent WAC Weekly, we were joined by Nate Nelson, author of a recent RightClickSave article on phishing scams in the NFT space, to talk about security on Web3 and what you can do to protect yourself.

We identified security as a concern among art and culture workers in our idea lab looking at the opportunities and risks that Web3 presented for them. And just recently, the Kate Vass Galerie had several early 1/1 art pieces stolen in a hack from which there was no recovery.

Later on, the discussion moved beyond security best practices to how both software and hardware could work better for artists and museums.

How can galleries and museums protect themselves?

It seems like every month there’s a high-profile hack or scam on Web3, from the Axie hack to the Wormhole smart contract hack, both looting over half a billion dollars from smart contracts. In December, art dealer Todd Kramer lost $2.2 million worth of mostly Bored Ape NFTs in an instant. In February, 17 OpenSea users were tricked into handing over their crypto wallets in a phishing scam.

What does that mean for museums thinking of getting into Web3?

In a decentralized system, there’s no authority to turn to if something goes wrong, the way your bank can take care of you if someone steals your card details. There’s a lot we can make of this, but we can’t understand the threat without looking at the specific details of these scams.

As the article details, phishing is a common and effective scam targeting individuals and businesses across industries. You might be used to poor forgeries in your junk email claiming to be from PayPal or the government, but those low-effort scams are just chumming the waters for very easy targets. Every year, valuable businesses are targeted by elaborate phishing scams, in what might be an attempt to hijack an account or just the “social engineering” component of a much larger hack.

But crypto is specifically attractive to scammers because of four factors:

Anonymity. Long alphanumeric wallet addresses make it easy to send assets to the wrong place.

Irreversibility. On Ethereum — on which OpenSea operates — finalized transactions cannot be reversed, in order to prevent double-spending.

Lack of oversight. Traditional financial institutions provide extensive custodial services. By contrast, the very ethos of blockchain since its inception has been anti-middlemen. Users encourage companies to minimize involvement in the platforms they’ve built.

Popularity. NFTs have skyrocketed in popularity since early 2021. But not everybody who’s jumped on the bandwagon is tech-savvy enough to navigate the ecosystem safely. “General usability continues to be a challenge and can contribute to confusion,” Matt Bailey, VP of Engineering at ClubNFT, told me last month. “Understanding what it is you are signing digitally as a user is not always obvious.”

Three of those factors are inherent to the technology. But it’s notable that most of these scams and hacks occur on email and Web 2.0 social media platforms like Twitter and Discord.

When Blockchain Art Directory’s Fanny Lakoubay tweeted about the Todd Kramer hack, all it took was using the hashtag #metamask to be brigaded by scambots claiming to be MetaMask support, asking users to report issues in an anonymous Google Form with their wallet details. Frances Liddell saw verified Twitter accounts being hacked and sold off to scammers, who would then use those reputations to send malicious links.

Compared to that, you could argue that an on-chain network where all transactions are tracked and nothing can be spoofed is the more secure technology. The paper trail all on-chain activity leaves is how authorities caught the Silk Road operators back in 2013. If you want to know what the Axie Infinity hacker is doing with their money, you can follow their every move on Etherscan.

And as Web3 matures, we’ll see some centralization required to improve user experience and security. Email is one of the most decentralized standards imaginable, but over 70% of all users are in Gmail or Apple Mail which use their own algorithms to prevent spam on their platforms. In the case of Todd Kramer’s stolen apes, OpenSea were able to freeze the stolen NFTs and prevent them from being sold off on the platform.

But museums and galleries can’t just rely on a platform’s customer support team to keep their works safe. When asked what museums can do to protect their crypto assets, Nate says:

“I wish I had a better answer than: use a hardware wallet.”

This seems dispiriting, but on that point, the discussion turned to how hardware wallets could play a role in another way of exchanging NFTs for art galleries and museums: one separate from the hostile, trustless environment of the open marketplace.

New models for NFT artists and collectors

Beyond just using hardware wallets as a pocket-sized vault, what if museums used them to transfer NFTs to collectors?

One of the appeals of NFTs and marketplace platforms is the ease of transference. Unlike traditional art collecting, the thinking goes, you’re not burdened by paperwork, lengthy discussions with the gallery about the needs of the piece, etc.

But dedicated art collectors love that process: learning all about the piece is part of the appeal of collecting as a hobby. With the average resale time of NFT art being less than one month, compared to the traditional art world’s cycle of 25–30 years, this liquidity is suited to a market seeking quick profits. Art galleries courting long-term collectors shouldn’t have to build their processes around a customer they’re not actually interested in.

Using hardware wallets as the norm would take NFTs one step closer to existing digital art archiving, and make them more compatible with museums’ existing best practices.

“Museums don’t want to buy a link to the work,” says Christiane Paul, “they want the work.”

Nowhere in the many decades of digital art history have we seen a standard practice where museums acquire and store .json files linking to a work stored off-site: the archiving process is rigorous, involving backup hard drives wherever the work will fit on one.
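The archiving point above can be made concrete: the metadata JSON is only a link, so the museum needs its own copy of the work plus a record that the copy still matches what it acquired. The following is an added example, not code from the WAC Weekly discussion or from any project named here; it assumes the museum keeps the token’s metadata JSON, a local copy of each referenced file and a SHA-256 digest recorded at acquisition (all constructed inline below), and that the metadata uses the common "image" and "animation_url" field names.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed sample metadata in the common ERC-721 tokenURI JSON shape;
# the URIs, CID and file contents below are made up for this example.
SAMPLE_METADATA = json.dumps({
    "name": "Untitled #1",
    "image": "https://example.test/works/untitled1.png",
    "animation_url": "ipfs://QmConstructedExampleCid/untitled1.mp4",
})

# Constructed local archive: metadata field -> bytes of the backed-up file.
ARCHIVE = {
    "image": b"\x89PNG constructed image bytes",
    "animation_url": b"constructed video bytes",
}

# Digests recorded at acquisition time. The video digest is deliberately
# wrong, to show what a silently replaced off-site file looks like.
RECORDED_DIGESTS = {
    "image": hashlib.sha256(ARCHIVE["image"]).hexdigest(),
    "animation_url": "00" * 32,
}


def uri_kind(uri: str) -> str:
    """ipfs:// links are content-addressed; http(s) content can change underneath you."""
    scheme = urlparse(uri).scheme.lower()
    if scheme == "ipfs":
        return "content-addressed"
    if scheme in ("http", "https"):
        return "mutable"
    return "unknown"


def verify_archive(metadata_json: str, archive: dict, recorded: dict) -> dict:
    """Compare each archived file against the digest recorded at acquisition."""
    meta = json.loads(metadata_json)
    report = {}
    for field in [f for f in ("image", "animation_url") if f in meta]:
        data = archive.get(field)
        if data is None:
            status = "missing"  # no local copy: the museum only holds the link
        elif hashlib.sha256(data).hexdigest() == recorded.get(field):
            status = "ok"
        else:
            status = "mismatch"  # local copy differs from what was acquired
        report[field] = {"uri": meta[field], "kind": uri_kind(meta[field]), "status": status}
    return report
```

An "ok" result for a mutable http(s) link only says the archived copy is intact, not what the link now serves; that is why content-addressed storage is what makes the re-check meaningful.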

It’s not the only way the whole process could be rebuilt around the needs of artists, galleries, and collectors. One reason marketplaces like OpenSea are used by artists is that it’s complicated to develop your own software: once a contract is committed to the chain, it’s fixed forever, and a single error can open the contract up to hackers.

Platforms like Manifold seek to give artists and creators low-code tools to build their own contracts. While this is perhaps better than having art and artists comply with the same protocol — flattening out all diversity in the process — it’s still not developed with the artist-museum-collector relationship in mind.

Perhaps, then, we need museums working with artists and Web3 developers to write their own smart contracts, figure out storage solutions that work for them, and even open-source those processes for other institutions to follow. That’s a big investment, but it would be a huge step up from where we are with these standards just now.

We’ve yet to see contracts and protocols approaching anywhere near “museum-quality”, which would encompass all the paperwork that traditionally has to happen. While the current standards suit a market selling everything from fine art to trading cards, they’re not built to help with the work that institutions do.

Existing contract standards are clear — or try to be — on the rights of the holder, but unlike traditional museum contracts, there’s little on the holder’s responsibilities: thoroughly archiving the work, not showing it in certain contexts, using a hardware wallet and following best-practice security, that sort of thing.

With no central authority to protect or bind anyone involved, it’s up to us to design the contracts and processes that will.

Join our next WAC Weekly! It happens every Wednesday at noon ET. Register here.

WAC Weekly is part of WAC Lab, a new program unleashing the full potential of Web3 for the arts and culture produced by We Are Museums in collaboration with TZ Connect and Blockchain Art Directory, and powered by the Tezos ecosystem.



WAC Lab - Web3 for the Arts and Culture

All insights published here come from weekly open discussion. It is collective intelligence at its best to think about a Web3 future for the arts and culture.