Following a recent episode of reportedly stolen non-fungible tokens (NFTs) and hacked marketplace account, it turns out that a number of collectors may have lost their NFTs as a result of a marketplace terms of service violation that led to the image being suppressed, as well as a novel ERC-1155 standard that’s not compatible with Etherscan.
As the NFT frenzy has been growing, the number of cases of individuals claiming that their NFTs were gone has increased as well. «There was no history of me ever purchasing it, or ever owning it,” Tom Kuennen, a property manager from Ontario, told Vice. «Now there’s nothing. My money’s gone.» Vice reported that Kuennen reportedly bought a JPEG of an Elon Musk-themed “Moon Ticket” via the major marketplace OpenSea from digital art collective DarpaLabs. But instead of finding his artwork he got «404 error» and a missing page.
But how did it go missing?
One likely explanation for many cases of «missing» NFTs could be suppression by the marketplace, as by buying an NFT you’re paying for a piece of code that references a piece of media located somewhere else on the internet. OpenSea community manager Ed Clements was quoted as saying:
«Digital artworks themselves are not immutably registered «on the blockchain» when a purchase is made. When you buy an artwork, rather, you’re «minting» a new cryptographic signature that, when decoded, points to an image hosted elsewhere.»
This would mean that when Kuennen bought his NFT, there was a certificate pointing to an URL, but there was no JPEG logged onto the blockchain itself. Clements explained that his pointer can be suppressed for a number of reasons, such as a violation of terms and conditions.
Clements likened this to galleries closing windows, saying that closing the window on an NFT isn’t difficult, as «the code that finds the information on the blockchain and displays the images and information is simply told, ‘don’t display this one’.»
Per Mewny, a developer at eGirl Capital, OpenSea will usually either render the image from on-chain metadata or retrieve it from a link in the metadata, but in both cases, «it can simply choose not to.»
However, even if NFT artworks can be taken down, the NFTs still remain on Ethereum (ETH). But Kuennen claimed that he couldn’t find a record of the token itself on Ethereum, even though he was able to view the transaction in which he bought the image.
Mewny’s speculation is that the token hadn’t actually been minted at all — rather, it was left to be minted «properly» later so to save on high fees.
According to Sam Williams, the founder of Ethereum file storage application Arweave, OpenSea released an update per which they mint tokens only after a sale is made to minimize losses from gas fees in the case of a botched sale.
But there’s more to the Kuennen NFT story. Williams reportedly said that NFTs are usually ERC-721 tokens, but OpenSea began experimenting with ERC-1155, a «multitoken» that isn’t yet compatible with Etherscan.
«That means ERC-1155s saved on Ethereum don’t show up, even if we know they are on the blockchain because the payments record is there, and the “smart contracts” which process the sale are designed to fail instantly if the exchange can’t be made,» the report said.
Therefore, Kuennen seems to have ‘lost’ his NFT as a result of a terms of service violation on OpenSea leading to the image being suppressed, in combination with an unreadable ERC-1155 standard that made the NFT inaccessible on Etherscan, which OpenSea Chief Technology Officer Alex Attalah reportedly confirmed.
While there is little chance that Kuennen will be able to restore this NFT as nobody knows where or if it has been hosted, others have claimed that their accounts have been hacked.
Just two weeks ago, Third City Advisory founder Michael J. Miraflor claimed that his NFTs had been stolen from the Gemini-owned trading platform Nifty Gateway. The thief was said to have transferred the NFTs to another account, sold some on a Discord channel, and purchased more than USD 10,000 worth of NFTs with the stored credit information. And at least one other person reported their account being hacked.
«Don’t buy NFTs that point to media on centralized servers and definitely don’t buy NFTs that don’t exist (haven’t yet been minted),» commented Redditor ‘cipher_gnome’. «I do understand the point that these market places can just choose to not show the media but why would you think an NFT, where the content is unrelated to the source, has any value?»