Moxie Marlinspike, the noted cryptographer and founder of popular encrypted messaging app Signal, has spent the last few months exploring the so-called web3, the idea that the internet is moving toward a new era of decentralization built on cryptocurrencies and blockchains.
Last Friday, he published a blog post that went viral in which he explained some of web3’s early failing points—most notably the fact that some important aspects of this decentralized internet aren’t really decentralized at all.
Marlinspike ran an experiment to show the pitfalls of web3 and NFTs, which are collectible items—usually images—linked to a unique address on a blockchain. Because an NFT often only points to an image file stored somewhere on the web, the server hosting that file can decide what to serve based on who is asking. Marlinspike created an NFT that exploits exactly this: it changes appearance depending on which platform displays it—such as the marketplaces OpenSea and Rarible—and always looks like a poop emoji in the wallet of the person who owns it.
Marlinspike launched his NFT in October and talked about this experiment in a scathing critique of web3 that he published last week on his personal blog. The experiment, he explained, made him realize that web3 is not as decentralized as its proponents want everyone to believe.
“What you bid on isn’t what you get. There’s nothing unusual about this NFT, it’s how the NFT specifications are built,” he wrote. “Many of the highest priced NFTs could turn into 💩 emoji at any time; I just made it explicit.”
The reason Marlinspike’s NFT is not unique at all is that the web3 ecosystem actually depends on centralized platforms that are themselves interdependent. The NFTs displayed on OpenSea or other marketplaces point to a server where the images are stored. In turn, wallets like MetaMask use OpenSea’s API to display the NFT, Marlinspike explained.
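The two mechanisms described above (token metadata that merely points at a web server, and wallets that trust a marketplace API for what that metadata says) are what let the delivered image differ from the one bid on. As an added example that is not from the article, from Marlinspike or from OpenSea, here is the buyer-side check a practitioner would want: it classifies where a token's metadata says the image lives (a mutable HTTP URL versus a content-addressed `ipfs://` or `ar://` reference) and pins a hash of the image bytes shown at bid time so that a later swap is detectable. The metadata documents, hostnames, CIDs and image bytes below are constructed for the example.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed ERC-721-style metadata documents (not real tokens).
# The first points at an ordinary web server, which can serve
# different bytes to different requesters; the second pins the
# image by content identifier, so the bytes are verifiable.
MUTABLE_METADATA = json.dumps({
    "name": "Example token",
    "description": "Constructed sample: image lives on a plain HTTPS server.",
    "image": "https://art.example.invalid/tokens/42.png",
})
PINNED_METADATA = json.dumps({
    "name": "Example token",
    "description": "Constructed sample: image referenced by IPFS CID.",
    "image": "ipfs://bafybeiexamplecidexamplecidexamplecidexamplecid/42.png",
})

# Schemes whose identifier is derived from the content itself.
CONTENT_ADDRESSED_SCHEMES = {"ipfs", "ar"}


def classify_image_ref(metadata_json: str) -> str:
    """Report how a token's metadata references its image.

    Returns one of: "missing", "inline", "content-addressed",
    "gateway" (an HTTPS URL that carries an /ipfs/<cid> path, so the
    content is verifiable but fetching still depends on one host) or
    "mutable" (an ordinary URL the operator can change at will).
    """
    meta = json.loads(metadata_json)
    image = meta.get("image") or meta.get("image_url")
    if not image:
        return "missing"
    if image.startswith("data:"):
        return "inline"
    parsed = urlparse(image)
    scheme = parsed.scheme.lower()
    if scheme in CONTENT_ADDRESSED_SCHEMES:
        return "content-addressed"
    if scheme in {"http", "https"} and parsed.path.startswith("/ipfs/"):
        return "gateway"
    return "mutable"


def pin_image(image_bytes: bytes) -> str:
    """Hash the image bytes rendered at bid time; store this with the bid."""
    return hashlib.sha256(image_bytes).hexdigest()


def image_matches_pin(image_bytes: bytes, pin: str) -> bool:
    """Compare what is rendered now against the pinned bid-time hash."""
    return hashlib.sha256(image_bytes).hexdigest() == pin


# Constructed image payloads standing in for "what the marketplace showed"
# and "what the owner's wallet later rendered" for a mutable token.
MARKETPLACE_RENDER = b"\x89PNG constructed-bytes: the artwork shown on the marketplace"
WALLET_RENDER = b"\x89PNG constructed-bytes: the poop emoji served to the wallet"


def audit_purchase(metadata_json: str, bid_time_image: bytes, current_image: bytes) -> dict:
    """Combine both checks into the report a buyer-side tool would produce."""
    pin = pin_image(bid_time_image)
    return {
        "image_ref": classify_image_ref(metadata_json),
        "pin": pin,
        "unchanged": image_matches_pin(current_image, pin),
    }


if __name__ == "__main__":
    report = audit_purchase(MUTABLE_METADATA, MARKETPLACE_RENDER, WALLET_RENDER)
    print(json.dumps(report, indent=2))
```

A classification of `mutable` does not mean the token has been tampered with; it means nothing on-chain constrains what the image server returns, so the pinned hash is the only evidence of what was actually bought. Even a `content-addressed` reference only protects the image bytes, not the availability of whoever is pinning them.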
Marlinspike realized this because at some point, according to him, OpenSea removed his NFT from its marketplaces, which made it disappear from his MetaMask wallet.
Marlinspike did not respond to a request for comment.
An OpenSea spokesperson said that the company banned Marlinspike’s account because it considered one of his collections to be engaged in “copyminting,” a practice where users mint NFTs based on plagiarized content. This is against OpenSea’s terms of service, but the company reverted the decision when it realized Marlinspike’s other collections did not violate the terms of service. Today, OpenSea bans individual collections separately from creator accounts.
The spokesperson also reiterated that NFTs don’t disappear from the blockchain when they are removed from OpenSea.
“When an NFT is removed from OpenSea, it is removed from your OpenSea profile but remains on-chain and visible on Etherscan and other blockchain explorers. Other applications in the space choose to leverage OpenSea’s public API as a means of easily accessing NFT metadata.”
Even people who work in the cryptocurrency world, such as investor Nic Carter, were surprised by Marlinspike’s discovery.
“I will admit I wasn’t aware that most (all??) NFT wallets just query Opensea. That part was genuinely shocking to me,” Carter tweeted. “Seems like ‘not querying a centralized corporate API for blockchain data’ should be a pretty easy win. Like, the data is there on the blockchain.”
As Marlinspike noted in his blog, technologies such as Ethereum and decentralized apps, or dApps, have quickly consolidated around platforms like OpenSea or companies like Infura and Alchemy, which allow dApps to interact with blockchain data via APIs rather than by running their own nodes. For example, Marlinspike explained, MetaMask queries Etherscan to grab users’ recent transactions, not the blockchain itself.
“Eventually, all the web3 parts are gone, and you have a website for buying and selling JPEGS with your debit card,” Marlinspike wrote.
Do you research vulnerabilities on cryptocurrencies and their networks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email lorenzofb@vice.com
This isn’t the first time that the current wave of blockchain products, whether you call them “web3” or “DeFi” or some other neologism, has been called out for not being as decentralized as advertised. For example, a recent Amazon Web Services outage caused a “decentralized” cryptocurrency exchange with part of its infrastructure running on Amazon to go down, and recent research has pointed out that the NFT market appears highly concentrated.
Marlinspike’s experiment, according to Nicholas Weaver, a senior researcher at the International Computer Science Institute at UC Berkeley and a fervent critic of cryptocurrencies and web3, is “amusing.”
“It is also a good reminder that despite the ‘decentralized’ rhetoric so much requires central services to actually work,” Weaver said in an email to Motherboard.
UPDATE, Jan. 11, 20:21 a.m. ET: This story was updated to include OpenSea’s comments.