NFTs, Incentives and Control: Technical Mechanisms and Intellectual Property Rights
By dispelling blockchain misconceptions, highlighting the code in certain NFT smart contracts on the Ethereum blockchain, and probing the concept of ownership through the lens of IP law, we can demystify what NFT “ownership” really means for both creators and NFT holders.
by David J. Kappos, Partner and Co-Chair of the IP Practice at Cravath, D. Scott Bennett, Partner at Cravath, Michael E. Mariani, Partner at Cravath, Sasha Rosenthal-Larrea, Partner at Cravath, Daniel M. Barabander, Associate at Cravath, and Callum A.F. Sproule, Associate at Cravath
Published on Jan 10, 2023
Non-fungible tokens (“NFTs”) promise a new democratized and decentralized manner of controlling property. NFTs are individually unique digital assets built on top of blockchain technology.1 Transacting parties update the blockchain ledger with transfers in almost real time, which, in turn, is regularly broadcast to all of the blockchain’s network nodes located across the globe. This continuous process of recording and public broadcasting creates an immutable record of ownership that is designed to prevent double-spending or fraudulent cancellations without the need for trusted third parties to act as custodians or intermediaries. When a blockchain is sufficiently decentralized, no one entity, whether an individual, corporation, consortium or nation-state, is capable of controlling the blockchain network. NFTs, once introduced to the global blockchain ecosystem, become a permanent part of it.
Inherent blockchain benefits, such as decentralized security, global transferability and immutable public recordkeeping of ownership and provenance, have given rise to a Web3 ethos of “free and clear”2 ownership as part of what makes certain NFT projects attractive. NFTs are often advertised as fully intangible digital assets that can be meaningfully owned and controlled by end-users.3 NFT creators piggy-back off of the promise of blockchain technology to market NFTs as digital equivalents to physical personal property, owned free and clear to use, transfer, sell or destroy as they would any other belonging.4 However, this characterization is not fully borne out in practice. This paper explores how NFT creators use technical and legal measures to exert control over their creations, even after those creations are sold to purchasers, and how the mechanisms for such control are a fundamental part of the smart contracts governing most NFTs. Consequently, purchasers often do not have nearly as much control over their NFTs and the related intellectual property (“IP”) as they may expect based upon marketing claims and popular discourse. We examine the topic in three parts:
Part One identifies and analyzes smart contract code that NFT creators commonly use to retain control over their creations after launch. We explore ways in which such code has been used in popular projects and the power it grants project creators. We also examine ways in which creators can exert technical control over “off-chain” assets and ways in which communities of NFT holders have been able to circumvent technical methods of creator control altogether.
Part Two examines the legal mechanisms by which NFT creators exert control by analyzing the IP rights retained by NFT creators and proprietary platforms that provide NFT utility (i.e., metaverse and gaming platforms). We consider the opportunities in and limitations to exploitation of IP rights when creators are allowed to steer their creations even after ownership of NFTs has transferred to purchasers.
In Part Three, we argue that while retained creator control exists in tension with the Web3 paradigm of free and clear ownership (a concept that goes hand-in-hand with the decentralized blockchain), some degree of control is necessary to align incentives for the good of NFT projects.
We hope that by dispelling blockchain misconceptions, highlighting the code in certain NFT smart contracts on the Ethereum blockchain, and probing the concept of ownership through the lens of IP law, we can demystify what NFT “ownership” really means for both creators and NFT holders. In so doing, we hope that creators and NFT holders alike will be able to interact with NFTs and NFT marketplaces in a more fully informed manner, which we believe will be to the benefit of the technology’s wider adoption.
I. Technical Mechanisms
A. What Is an NFT?—a Simplified Technical Explanation
Conventional blockchain tokens such as bitcoin or ether are often characterized as being totally “fungible.” This is because purchasers are assigned a quantity of tokens on a ledger but, apart from the wallet addresses of the owners, there is nothing that sets the identity of one token apart from another token of the same type. In contrast, NFTs are assigned unique identifiers to allow one token to be distinguished from any other, regardless of ownership.
We observe confusion in the legal field as to what exactly an NFT (or, for that matter, a blockchain token more generally) actually is. This is understandable because the ways that NFTs are described often involve powerful yet misleading analogies. One of the biggest misconceptions (rooted in the popularization of illustrative analogies5) is that an NFT is something that “lives” in its holder’s wallet.6 After all, once a person purchases an NFT, it seems intuitive that this person’s ownership of her newly acquired NFT should be reflected via digital custody “within” her digital wallet. The analogy feels right—a wallet in the physical world holds our valuables, so a wallet in the digital world should hold our NFTs.
However, this analogy conflates what NFTs are and where they are stored. NFTs are not stored in their holders’ wallets. The only things accurately described as contained “within” the holder’s wallet are the holder’s public and private keys, which allow the holder to sign transactions and be identified as an NFT’s or other blockchain token’s owner of record. Rather, NFTs exist entirely in smart contracts coded to facilitate their creation and transfer, and to track ownership. Today, NFT smart contracts are most typically coded in accordance with a technical standard called “ERC-721,” which, among other things, assigns a unique index number for each token governed by a particular smart contract—this unique index number is what identifies each separate token within a series created by and governed under a particular smart contract and is what makes each token non-fungible. A person can be considered the holder of an NFT if her wallet is associated with the unique index number. The ERC-721-based smart contract thus serves as a “mini-ledger” (distinct from and being recorded on the blockchain ledger itself) that establishes ownership of each token created under that smart contract. Transferring an NFT involves marking the sender’s record in the mini-ledger with a debit and marking the recipient’s record in the mini-ledger with a credit. Nothing physically moves or is transmitted from one party to the other. The mini-ledger is simply updated to reflect the transfer.7
The term “token” is therefore also somewhat of a misnomer; NFTs only truly exist as data on their corresponding smart contract mini-ledgers. NFTs are “stored” only in the sense that ownership is communicated to, and agreed upon, by the blockchain network. In fact, all blockchain tokens—ether, alt-coins, NFTs, etc.—exist only as line items on their respective ledgers. Ownership is based upon network consensus rather than possession of the asset in a digital wallet.
To illustrate, we turn to the smart contract governing one of the most popular NFT projects to date, CryptoPunks. CryptoPunks is a series of 10,000 tokenized profile picture (“PFP”) art assets that purchasers often use in connection with an online identity, such as avatars for Twitter. Since the success of CryptoPunks, issuances of other PFP NFTs (often in series of 10,000) have become a popular trend,8 and so examining the CryptoPunks smart contract serves as a useful illustration of a common use case.
Figure 1: The CryptoPunks smart contract.9
Observing the NFT smart contract code in Figure 1, an individual token is nothing more than an identifier; namely, the unique integer in the mapping variable named punkIndexToAddress (line 3 of Figure 1). The mapping variable is equivalent to the aforementioned mini-ledger—each unique integer (uint) is an index number that “maps” to the wallet address of its holder to keep track of who owns what.10
Figure 2: The punkIndexToAddress mini-ledger, which tracks ownership of CryptoPunks.
This punkIndexToAddress variable can be translated into an illustrative lookup table that makes analysis more intuitive:
Index of NFT | NFT Holder (i.e., Wallet Address)
The identifying index numbers are listed from 1 to 10,000, reflecting the total number of individual Punk NFTs in the collection. Put simply, each individual NFT only exists on the smart contract as an index number, which constitutes the actual “non-fungible” (unique) token that is tied to an NFT holder’s wallet address. For instance, when people refer to “Punk1”11 as a discrete NFT in the series, they are referring to the index number 1 in this lookup table. When an end-user acquires an NFT, her wallet address is simply mapped to the index number that constitutes that NFT in the smart contract.
When an NFT holder wants to transfer her NFT, she instructs the smart contract to update the punkIndexToAddress mini-ledger by calling a function named transferPunk() (lines 5–11 of Figure 1), which in turn changes the NFT’s index (punkIndex) to point to the transferee’s wallet address. Thus, if user 0xABC, as the current owner of Punk1 (per the existing punkIndexToAddress mini-ledger in Figure 2), were to call the transferPunk() function on the CryptoPunks smart contract to transfer Punk1 to user 0xDEF, then the lookup table representing punkIndexToAddress would adjust accordingly:
Index of NFT | NFT Holder (i.e., Wallet Address)
That’s it—Punk1 has been transferred from 0xABC to 0xDEF.
Thus, ownership rights, transfers, and indeed everything immutable and intrinsic to the NFT as an asset, only ever exist in a meaningful sense in the publicly accessible smart contract that is common and universal to all NFTs within a given series. Put differently, the smart contract contains everything that defines the NFT series, including any ownership rights inherent in individual NFTs in the series, the governing rules, and all of the data that constitutes each and every individual token—none of this exists or ever moves outside of the smart contract, regardless of who buys the tokens.
We can see how misconceptions concerning the above can overemphasize the importance of possession in establishing NFT ownership. This may result in the assumption that the holder is in full control of the NFT’s destiny, as if it were simply personal property owned free and clear. While a smart contract can certainly be structured to give NFT holders free and clear ownership, an NFT by default does not have such properties; indeed, providing such autonomy is not even a commonly used pattern.
The reality is that the ownership of any given NFT is exhibited on the smart contract’s state. The smart contract defines both what the NFT is and who its owner is—there is no NFT separate and apart from the smart contract. The code of the smart contract defines the rules for who controls the NFT and what kind of control is possible. Code is flexible and expressive, so there are infinite ways for the creator to retain control of the NFTs that live on the smart contract.
B. On-Chain Control via the Ownable Pattern
Creating a bare-bones NFT is mechanically simple. A creator can make a smart contract simply by replicating or referencing open-source software (“OSS”) published or utilized by NFT developers. One of the many popular OSS libraries used in mainstream NFT projects is the “Ownable” smart contract, published by Open Zeppelin.12 For example, MutantApeYachtClub’s (“MAYC”) smart contract inherits13 from Ownable simply by stating the MAYC smart contract is an Ownable smart contract (line 3 of Figure 3):
Figure 3: The MAYC smart contract inheriting Open Zeppelin’s Ownable smart contract.
What properties or powers are vested in the creator of an NFT smart contract via inheritance from Ownable? It defines the person14 who deployed the smart contract as its owner (not to be confused with the holder of the NFT), which allows for a function modifier commonly called onlyOwner() to be utilized. The onlyOwner() modifier provides an easy way to run gatekeeping checks before executing code—it simply ensures that the person making certain admin-only requests on the smart contract is the same person assigned as the smart contract owner.15 The smart contract owner’s identity need not be immutable—there are frequently mechanisms for the owner to transfer or renounce its ownership.
To reiterate for sake of clarity, the “owner” of the smart contract is a concept that is distinct from the “owner” of an NFT. The NFT “owner” in many instances more resembles a licensee of a certain bundle of rights rather than an “owner” in the classic sense of property rights. Going forward, and to emphasize this distinction, owners of NFTs will be referred to as “NFT holders,” whereas the smart contract deployer assigned the onlyOwner() modifier (which is typically but not necessarily the NFT project creator) will be referred to as the “smart contract owner.”
C. Pausing, and Other Applications of the Ownable Pattern
A common pattern used in NFT projects that leverages the onlyOwner() modifier is “pausing.” Pausing involves toggling a switch (a variable) that keeps track of whether an action should or should not be permitted. For example, the MAYC smart contract contains the following pausing logic:
Figure 4: The MAYC smart contract’s “pausing” construct.16
This example shows how pausing interacts with the onlyOwner() modifier, which is contained in the pausePublicSale() function (lines 8–12 of Figure 4).17 A feature of the MAYC smart contract is that minting (the process of creating an NFT) can only take place when the publicSaleActive variable is set to true. The modifier’s use in pausePublicSale() (line 8) means that only the owner of the contract can successfully call the pausePublicSale() function to set the publicSaleActive variable to false (line 10), which suspends the smart contract’s minting function.18
NFT projects commonly use the pausing mechanism as an emergency brake in the NFT minting process. For example, the creators behind the Adidas Original NFT project exercised this pausing ability in response to a glitch in its mint process.19 Pausing can also apply to actions far beyond restricting minting. For example, when NFTs are used in videogames, one can imagine the pause functionality being useful to punish bad actors.20 Consider the hypothetical of an NFT game developer discovering that a player is cheating in its game, making the player’s NFT far more powerful than it should be. Such behavior would lead to a poor experience for all other players. The unilateral ability for the developer to flip a switch, “pause” the NFT’s functionality, and make it unusable in the game protects all other players from the negative externalities of the cheater. In each case, the NFT owner’s ability to use the NFT can be unilaterally curtailed by the developer at any time, representing a significant departure from the bundle of rights inherent in traditional conceptions of ownership.
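An added sketch in Solidity, not the code of CryptoPunks, MAYC or Open Zeppelin, that puts the pieces described so far into one contract: the mini-ledger mapping, a transfer that only rewrites a ledger entry, and an onlyOwner() gate on the minting switch. The contract name, indexToAddress, startPublicSale(), mint() and transferToken() are assumptions made for the illustration; mint() takes no payment to keep the sketch short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration. Names are hypothetical; the patterns follow the text above.
contract CollectionSketch {
    // Smart contract owner: the account that deployed the contract.
    // This is not the same thing as the holder of any NFT.
    address public owner;

    // The "mini-ledger": token index => wallet address of its holder.
    mapping(uint256 => address) public indexToAddress;

    uint256 public constant MAX_SUPPLY = 10000;
    uint256 public totalMinted;

    // The switch that "pausing" toggles.
    bool public publicSaleActive;

    event Transfer(address indexed from, address indexed to, uint256 indexed tokenIndex);

    constructor() {
        owner = msg.sender;
    }

    // Gatekeeping check that runs before the body of any admin-only function.
    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the contract owner");
        _;
    }

    // Only the smart contract owner can flip the minting switch.
    function startPublicSale() external onlyOwner {
        publicSaleActive = true;
    }

    function pausePublicSale() external onlyOwner {
        publicSaleActive = false;
    }

    // The owner role itself can be handed over or given up.
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "use renounceOwnership");
        owner = newOwner;
    }

    function renounceOwnership() external onlyOwner {
        owner = address(0); // afterwards no caller can pass onlyOwner
    }

    // Minting creates the next index and records the caller as its holder.
    // It reverts for every caller while the sale is paused.
    function mint() external returns (uint256 tokenIndex) {
        require(publicSaleActive, "public sale is paused");
        require(totalMinted < MAX_SUPPLY, "sold out");
        totalMinted += 1;
        tokenIndex = totalMinted;
        indexToAddress[tokenIndex] = msg.sender;
        emit Transfer(address(0), msg.sender, tokenIndex);
    }

    // A transfer moves nothing: it rewrites one entry of the mini-ledger.
    function transferToken(address to, uint256 tokenIndex) external {
        require(indexToAddress[tokenIndex] == msg.sender, "caller is not the holder");
        require(to != address(0), "invalid recipient");
        indexToAddress[tokenIndex] = to;
        emit Transfer(msg.sender, to, tokenIndex);
    }
}
```

Reading a deployed contract for functions carrying the onlyOwner() modifier, and checking whether owner is still a live address, shows which of these switches a creator can still operate.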
The onlyOwner() modifier can also be used to influence trading on certain NFT marketplaces. For example, while the popular NFT trading platform OpenSea will list any NFT that meets its standardization requirements and does not violate its terms of service,21 only the smart contract owner is permitted to navigate to a “collection editor” page which contains certain administrative capabilities.22 These capabilities include the unilateral ability to set royalties on resales that occur on OpenSea (“creator earnings”)23 and determine how the collection is displayed and described on the platform.
D. Off-Chain Storage
In the case of NFTs representing digital assets such as PFP series, a frequent misconception is that the digital asset—i.e., the artwork itself—is contained on-chain (or even somehow within the NFT itself). However, storing even simplistic art on-chain is often prohibitively expensive, and, with a few pioneering exceptions, is almost never done.24 More often, project creators store the digital asset (often in the vector-based “SVG” file format) off-chain. The NFT, in turn, simply directs to the Uniform Resource Identifier (“URI”) at which the file is hosted, which is often freely accessible through a web browser. For example, the popular NFT project Otherside uses a land NFT called an “Otherdeed,” which represents an image that is stored at a private server in the project creator’s control.25 While this method of hosting can be explained by cost efficiency, an attendant side effect is that the NFT creator, by controlling the off-chain server that stores these files, controls the “content” associated with any one NFT. Under this basic arrangement, an NFT creator can freely modify or remove the image file from its server, changing the image associated with a specific NFT.
We note that it is becoming increasingly popular for projects to host referenced NFT assets on decentralized platforms, such as by storing images on the distributed storage protocol InterPlanetary File System (“IPFS”). While storage still takes place off-chain, IPFS is a distributed storage mechanism that “hashes”26 the metadata it stores as a unique URI. Mechanically, IPFS often works with NFT projects as follows: The project’s creator uploads the collection of images and other metadata to IPFS, which returns a unique hash of the collection in the form of a URI called the “base URI.” The entire collection’s metadata is accessible through the base URI. To get the metadata of a specific NFT in the collection, the NFT’s index number is appended to the end of the base URI, forming the “token URI.”
Hash of All BAYC Metadata | Index of BAYC NFT
Figure 5: The URIs associated with the popular Bored Ape Yacht Club (“BAYC”) NFT series. The tokens all share a base URI, and have unique token URIs.27
Figure 6: Metadata returned for Bored Ape 1,217, available by accessing the token URI for this Bored Ape.28
Figure 7: The image of Bored Ape 1,217, loaded by navigating to ipfs://QmQAqW6a5wLZQt5ZMXwNuf8AYDQFRc26hGCmEVzmM46RVd (as copied from the image metadata from its token URI in Figure 6).29
Because of the way hashing works, if someone tampers with an NFT’s metadata stored on IPFS, the hash will change, and will no longer be referenced by the base URI in the smart contract. In this sense, IPFS provides a degree of immutability to off-chain assets.
While IPFS prevents creators from modifying referenced art assets, and thereby theoretically gives NFT holders a greater degree of control over their NFTs, it suffers from two drawbacks. First, as with centralized servers, the data stored on IPFS is only available for so long as a server (a “node”) is hosting it—even if there is a hash representing data, that does not mean a node will serve it up for the world to see. Second, creators can still work around this immutability through the onlyOwner() modifier. This is evident from examining the BAYC smart contract:30
Figure 8: Using the onlyOwner() modifier to override the baseURI on the BAYC smart contract.
As has been discussed by other writers,31 the owner of the BAYC smart contract has the ability to change the baseURI (the IPFS hash referenced in Figure 5 above) to an entirely new IPFS hash by calling the setBaseURI() function (lines 3–5 of Figure 8).32 This is a unilateral right available to the smart contract owner because of the onlyOwner() modifier (line 3 of Figure 8). With this power, the owner can change the IPFS location to which the NFT points, which can change the NFT images. Thus, at least in certain cases, IPFS hosting may be an illusory means of providing NFT holders with assurance of immutability through decentralization.
In summary, NFT project creators may leverage the onlyOwner() modifier to pause transfers and disassociate NFTs from the art they represent, even after the token has been sold on the open market. These powers have the potential to undermine token value and, in any case, certainly cut against the Web3 ethos of free and clear ownership. Such issues of control were front and center in the controversy surrounding the popular NFT project “Pudgy Penguins.” After initial hype of the project, the community had grown frustrated with the creator’s management and the enormous control it wielded.33 For instance, the NFT smart contract uses a pause() function that permits the creator (using the onlyOwner() modifier) to suspend a core functionality of any NFT—the ability to transfer. What is more, the creator exempted itself from the pause() restrictions, meaning that the creator could effect transfers even if the holders could not.34 Frustration culminated with a vote among NFT holders that, while largely symbolic in effect, ultimately pressured one of the creators to renounce its control over the project.35
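An added sketch in Solidity, not the BAYC or Pudgy Penguins code, showing the two levers discussed in this section: an owner-only setBaseURI() that repoints every token URI, and a transfer pause from which the smart contract owner is exempt. It goes one step beyond the text with a one-way freezeMetadata() switch, a hypothetical safeguard a holder might look for; all names other than setBaseURI(), pause() and onlyOwner() are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration. Names are hypothetical unless they appear in the text above.
contract MetadataControlSketch {
    address public owner;                        // smart contract owner
    mapping(uint256 => address) public holderOf; // mini-ledger: index => holder
    string public baseURI;                       // shared by every token in the series
    bool public paused;                          // transfer switch
    bool public metadataFrozen;                  // hypothetical one-way lock

    constructor(string memory initialBaseURI) {
        owner = msg.sender;
        baseURI = initialBaseURI;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the contract owner");
        _;
    }

    // Simplified issuance so the sketch has tokens to reason about.
    function mint(address to, uint256 index) external onlyOwner {
        require(to != address(0), "invalid recipient");
        require(holderOf[index] == address(0), "index already minted");
        holderOf[index] = to;
    }

    // The lever from the text: one call changes where every token URI points,
    // even though the content behind each individual IPFS hash cannot change.
    function setBaseURI(string memory newBaseURI) external onlyOwner {
        require(!metadataFrozen, "metadata is frozen");
        baseURI = newBaseURI;
    }

    // Hypothetical safeguard: once set there is no function that clears it,
    // so setBaseURI() reverts for everyone, the owner included.
    function freezeMetadata() external onlyOwner {
        metadataFrozen = true;
    }

    // Token URI = base URI with the token's index number appended.
    function tokenURI(uint256 index) external view returns (string memory) {
        require(holderOf[index] != address(0), "nonexistent token");
        return string(abi.encodePacked(baseURI, _toString(index)));
    }

    function pause() external onlyOwner {
        paused = true;
    }

    function unpause() external onlyOwner {
        paused = false;
    }

    // While paused, only the contract owner passes the first check, so the
    // creator can still move tokens it holds when no other holder can.
    function transferToken(address to, uint256 index) external {
        require(!paused || msg.sender == owner, "transfers are paused");
        require(holderOf[index] == msg.sender, "caller is not the holder");
        require(to != address(0), "invalid recipient");
        holderOf[index] = to;
    }

    // Decimal string of an unsigned integer.
    function _toString(uint256 value) internal pure returns (string memory) {
        if (value == 0) {
            return "0";
        }
        uint256 digits;
        for (uint256 v = value; v != 0; v /= 10) {
            digits++;
        }
        bytes memory buffer = new bytes(digits);
        while (value != 0) {
            digits -= 1;
            buffer[digits] = bytes1(uint8(48 + (value % 10)));
            value /= 10;
        }
        return string(buffer);
    }
}
```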
E. Wrapping as a Technical Mechanism for Holders to Regain Control
While NFT creators can use the technical features associated with the onlyOwner() modifier to retain control over their projects, the holder community has its own weapon: Wrapping. Wrapping occurs when an NFT holder transfers her NFT to a wrapper smart contract address. This wrapper smart contract represents the NFT holder’s ownership of the original NFT, but is not bound to the original NFT’s smart contract. Going forward, the NFT holder can interact with, and exercise the ownership rights it has in, the wrapped version of the NFT rather than the underlying original. This concept is best elaborated using the example of one of the most famous NFT communities grappling with the implications of wrapped NFTs: CryptoPunks.
The CryptoPunks collection, with an aggregate market valuation in the billions of dollars, is not the original CryptoPunks. In fact, this collection comprises the version 2 Punks (“V2 Punks”). The version 1 Punks (“V1 Punks”) were deployed in 2017 by the developer, Larva Labs, with a fatal coding error such that only the buyer, not the seller, could withdraw the ether used to pay for the Punk.36 Put simply, a purchaser could buy a Punk and then claw back the ether she paid for the Punk. After recognizing this error, Larva Labs quickly deployed the new V2 Punks smart contract, cleaning up the bug in the V1 Punks smart contract and making other small changes.
It seems this history was largely forgotten until early 2022. Its rediscovery was likely because the V2 CryptoPunks were fetching exorbitant values and many realized the original V1 Punks could also be valuable. Members of the CryptoPunks community began wrapping the V1 Punks in a smart contract called the “PunksV1Wrapper” so as to circumvent the V1 bug.37 The PunksV1Wrapper contains a wrap() function that buys the V1 Punk using the V1 Punks smart contract. The PunksV1Wrapper (the contract itself) becomes the owner of the purchased NFT.
Figure 9: The wrap() function on the PunksV1Wrapper smart contract (lines 5–12). Calling the wrap() function calls the buyPunk() function on the separate Punk V1 contract (punkAddress) to buy the underlying NFT (line 8), assigning the PunksV1Wrapper smart contract itself as holder (line 5 in Figure 10).38
Figure 10: The buyPunk() function on the V1 Punks39 smart contract (lines 3–7). The PunksV1Wrapper is msg.sender (used on line 5) as it is what initiated the execution of the buyPunk() function. The buyPunk() function defines ownership of a specific Punk (designated by _punkId) on the mini-ledger, punkIndexToAddress.
If the PunksV1Wrapper is set as the NFT holder on the V1 Punks smart contract, how is an individual holder’s ownership of the wrapped Punk reflected? The wrap() function (lines 5–12 of Figure 9) creates a brand new “mirrored” NFT with an index that replicates the index of the V1 Punk it is mirroring, but the mirrored NFT is governed by a new smart contract. There is now an entirely separate NFT, a “wrapper,” that serves as a reference point to the V1 Punk.
Index of V1 Punk | V1 Punk Holder’s Address
Index of PunksV1Wrapper NFT | PunksV1Wrapper Holder’s Address
Figure 11: A demonstration of the effect of wrapping a Punk.
The result of this wrapping means that, for V1 Punks that are purchased by the PunksV1Wrapper smart contract, Larva Labs’ control through the V1 Punk smart contract is circumvented (along with the V1 bug). Going forward, V1 Punk holders can interact with and trade through the PunksV1Wrapper smart contract. They are not subject to controls based on the onlyOwner() modifier that exists on the V1 Punk smart contract, nor are they beholden to predefined image hosting services controlled by the NFT creator.
It should be noted that wrapping is only effective insofar as there is a sufficient degree of community buy-in to sustain a market for the new wrapper tokens. Just as the underlying NFT series is only as valuable as the market determines, so too are wrapped tokens. The threat of wrapping may cause creators to act judiciously in deciding when and to what extent the smart contracts they deploy permit leveraging the onlyOwner() modifier. The Pudgy Penguins saga discussed earlier demonstrates this effect. In response to the frustration with the project’s creators, many in the community began wrapping their Pudgy Penguins into “Wrapped Penguins” to escape the project creator’s extensive control.41 As the organizers spearheading the wrapping stated: “Wrap your Penguin to keep it safe from the evil founders. It’s time we huddled up under quilts and stopped letting [the] founders abuse us.”42
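An added sketch in Solidity of the wrapping flow described in this section; it is not the PunksV1Wrapper code. The interface, contract and function names other than wrap(), buyPunk() and punkIndexToAddress are assumptions, as are the check that only the current holder may wrap a token and the premise that the original contract's buyPunk() records its caller as the new holder.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical view of the original collection, limited to the two members
// the text describes: the mini-ledger and the purchase function.
interface IOriginalCollection {
    function punkIndexToAddress(uint256 index) external view returns (address);
    function buyPunk(uint256 index) external payable;
}

// Added illustration. Note what is absent: no owner variable and no
// onlyOwner() modifier, so no single account can pause or repoint anything.
contract WrapperSketch {
    IOriginalCollection public immutable original;

    // Second mini-ledger: the "mirrored" token reuses the original's index.
    mapping(uint256 => address) public wrappedHolderOf;

    event Wrapped(address indexed holder, uint256 indexed index);
    event WrappedTransfer(address indexed from, address indexed to, uint256 indexed index);

    constructor(address originalAddress) {
        require(originalAddress != address(0), "invalid original contract");
        original = IOriginalCollection(originalAddress);
    }

    // The wrapper buys the token on the original contract, becoming its
    // holder of record there, and credits the mirrored token to the caller.
    function wrap(uint256 index) external payable {
        // Design choice of this sketch: only the current holder can wrap.
        require(original.punkIndexToAddress(index) == msg.sender, "caller is not the holder");
        require(wrappedHolderOf[index] == address(0), "already wrapped");

        // Record the mirrored token before the external call; if anything
        // below reverts, this write is rolled back with the transaction.
        wrappedHolderOf[index] = msg.sender;

        original.buyPunk{value: msg.value}(index);

        // Post-condition: the original ledger must now name this contract.
        require(
            original.punkIndexToAddress(index) == address(this),
            "wrapper did not become the holder"
        );
        emit Wrapped(msg.sender, index);
    }

    // From here on, trades update the wrapper's ledger only; the entry on
    // the original contract keeps pointing at the wrapper.
    function transferWrapped(address to, uint256 index) external {
        require(wrappedHolderOf[index] == msg.sender, "caller is not the wrapped holder");
        require(to != address(0), "invalid recipient");
        wrappedHolderOf[index] = to;
        emit WrappedTransfer(msg.sender, to, index);
    }
}
```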
II. Legal Mechanisms
A. Direct IP Rights
An NFT and its corresponding digital asset are usually not intertwined. More typically, an NFT project creator names the NFT series and also creates the digital assets the NFT is meant to reference. The digital assets are likely covered by copyright law, as they are “works” fixed in a tangible medium of expression. The name of the NFT series may be covered by copyright and/or trademark law, depending on whether it meets the substantive requirements for protection under these legal regimes.
Under the current legal framework, when a purchaser buys an art-referencing NFT, two legal mechanisms are often operating behind the scenes: The purchaser obtains (i) legal title to the NFT itself and (ii) a license to use the NFT’s corresponding digital asset. These rights are almost always conveyed through a clickwrap or browsewrap agreement on the creator’s website where the NFTs are initially purchased.43 For example, while Otherdeed’s terms of service state that purchasers “own all personal property rights to that Otherdeed,” they continue to state that such rights are limited to “the non-exclusive right to use, copy and display the Art linked to his/her Otherdeed . . . solely for [the purchaser’s] own personal, non-commercial use,” with no “right or license to use, copy, display or otherwise exploit the Art for any non-personal or commercial purposes, or to create any derivative works of the Art.”44 Even more restrictively, the license for the Koda NFTs, which “live” on certain Otherdeeds, is a “revocable license . . . [to] the [associated Koda] Art,” meaning that a holder may find itself holding an NFT with absolutely no rights to use or even display the art the NFT references.45 Popular NFT game Axie Infinity contains similar restrictions on the purchaser’s rights to the digital art asset that represents the Axie NFT, stating that “no Content or Marks may be . . . exploited for any commercial purpose whatsoever, without our express prior written permission.”46
Taken together, the NFT creator, as the rights holder to the name of the collection (e.g., “CryptoPunks”) and to the digital art asset has, in many NFT projects, the exclusive right to license this IP to any subsequent NFT holders. Thus, while the token may belong to the purchaser “free and clear” (subject to the technical controls discussed above), the digital art asset is often merely licensed rather than transferred upon purchase. This limitation on rights is so powerful it can even obviate workarounds to technical control, such as wrapping.
To illustrate, after the PunksV1Wrapper NFTs began to gain traction, Larva Labs said it “didn’t like” the V1 Punks. At the same time, Larva Labs began selling the V1 Punks it held (it had 1,000 of them), which was met with criticism online for its perceived hypocrisy.47 In response to the criticism, Larva Labs stated: “Let there be no confusion about the legitimacy of the [PunksV1Wrapper project]. It has no right to use the art or the name. We will be taking appropriate steps in the coming days.”48
True to its word, on February 5, 2022, Larva Labs sent a Digital Millennium Copyright Act (“DMCA”) takedown notice to OpenSea, where the PunksV1Wrapper NFTs were being sold with the name CryptoPunks and displaying the artwork referenced by V1 Punks.49 The notification stated that “[m]ultiple images have been copied onto [OpenSea’s] servers without permission. The original images, to which we own the exclusive copyrights, can be found at: https://larvalabs.com/cryptopunks.”50 OpenSea removed the listing, until the PunksV1Wrapper NFT creator issued a counter-notification, as provided for in the DMCA.51 While the PunksV1Wrapper project is now back on OpenSea (presumably because Larva Labs did not obtain a court order as required by the DMCA) this case shows that even when all technical controls are avoided via wrapping, the creator still has powerful recourse through IP law to control its NFT project.
The bundle of rights granted under the IP license is a central (if sometimes under-appreciated) aspect of NFT ownership. For instance, in early 2021, a public dispute between the anonymous holder of Punk4156 and the CryptoPunks project creators erupted on Twitter. The holder, wishing to build “a brand and identity around his CryptoPunk,” contacted the CryptoPunks creators (as the IP licensor) to request permission to monetize his Punk’s image;52 the holder was summarily “ignored and unfollowed on Twitter.”53 In response, the Punk4156 holder sold the NFT, stating that “it became clear to me that there was probably no chance that I would ever own the rights to the thing that I was building . . . . It’s just kind of an illogical position to continue building your brand around something over which you don’t have the strongest claim.”54 As the Punk4156 saga demonstrates, IP rights can serve as a lever of control that dictates whether the community will contribute to the project or abandon it altogether.
Of course, NFTs are simply identifiers—they are not restricted to representing digital assets. Indeed, one of the most promising use cases for NFTs is to represent physical assets.55 Some have suggested that physical asset NFTs may present more autonomy for the NFT holder than NFTs representing digital assets because their interaction with the underlying asset is not subject to restriction under IP laws.56 However, the NFT creator often holds custody of the physical asset these NFTs represent, and physical custody is arguably one of the strongest mechanisms of control. Furthermore, tangential IP rights tied to the physical asset can still be at issue.
For instance, StockX is a “sneaker resale marketplace” that uses NFTs in its “Vault” product to allow users to sell physical shoes.57 Under the Vault product, StockX authenticates and verifies sneakers traded on its marketplace using physical-asset NFTs.58 What is sold and purchased on the marketplace is the NFT, and until the physical shoe is claimed by redeeming the NFT token, it stays in StockX’s custody.59 StockX’s Vault product shows how control factors into physical asset NFTs. First, StockX retains physical possession of the shoe and users rely on StockX’s certification process to determine the shoe’s condition and authenticity.60 Second, the image used to represent that physical shoe on the marketplace website is protected under IP law, albeit with such IP rights inuring to the shoe brand rather than the NFT’s creator. This latter issue is central to a recent lawsuit Nike filed against StockX, alleging that the NFTs it sells displaying Nike branding infringe Nike’s trademarks.61 Effectively, while a purchaser of a shoe NFT on StockX may have the right to redeem the NFT for, and take possession of, the physical shoe referenced, she does not have rights to the digital images or branding associated with the NFT.
B. Contextual IP Rights
A project’s creator can also retain control of its NFTs simply through its ownership of “context[ual]” IP that interacts with the tokens.62 The concept of contextual IP is especially relevant for utility-based NFTs, which are NFTs that are primarily useful for how they interact with a piece of software, often owned or controlled by the NFT creator. For example, consider Axie Infinity’s core NFT, the Axie. Sky Mavis, the developer behind Axie Infinity, coded the Axie NFT specifically to be used in its proprietary video game. The game includes the concept of “evolving” an Axie, which enhances its functionality. Correspondingly, the Axie NFT smart contract has a function called evolveAxie() to support this activity.63 Thus, even if the Axie NFT is fully portable to a new competing environment, its smart contract functions are only designed to work with Sky Mavis’s game. By controlling the IP to the Axie Infinity game, Sky Mavis can control the utility of the NFT itself.
To understand how powerful this concept is, consider how intertwinement shifts incentives. Why would a competing NFT project create an alternative game that properly interacts with Sky Mavis’s Axie NFT smart contract functions such as evolveAxie()? More likely, a project creator is incentivized to launch its own NFT collection and its own game that supports that NFT collection so that it retains full control over both the environment and the NFT displayed. Even if the competing creator merely wants to allow users to bring in “outside” NFTs as referential objects rather than for specialized smart contract utility, the competing creator now needs to consider the underlying IP rights and licensing terms of the NFT, such as its art, to avoid infringement if it does not have the cooperation of the “outside” NFT creator.64 IP restrictions pose a substantial hurdle for the viability of cross-platform metaverse projects in which NFTs issued for use in one platform retain their utility on competing platforms.65 Creation and control tend to be tightly intertwined.
III. Why Control Exists
To some in the blockchain space, these technical and legal levers that a project creator can use to control its project may be unsettling. Control seems to go against the entire ethos of what distributed ledger technology is supposed to represent—a controller often creates centralization, but the promise of this technology is decentralization. However, we do not take such a gloomy perspective. Rather, we argue that some level of control is necessary for an NFT project to succeed. Technical and legal “clawbacks”66—when used judiciously—are neither surprising nor problematic for the viability of the Web3 model.
To illustrate, we can examine the broader OSS community, which is a largely decentralized, loose-knit movement that overlaps with the Web3 ethos professed by many blockchain developers. Whereas the source code of conventional privately developed software is often a tightly guarded proprietary secret, OSS code is publicly published and often even developed through public collaboration. Popular OSS projects include the Firefox web browser, the LibreOffice suite of word processing software, the video game “NetHack” (initially published in 1987 and regularly updated to this day), and the Linux operating system.
Like NFT projects, OSS projects are popularly perceived as community-driven flat structures. And yet, in spite of this perception, many of the most successful OSS projects are run by a controller with significant retained power. For example, Linux was run by a “‘benign dictatorship’”67 under its “natural leader” and founder, Linus Torvalds.68 Torvalds took decisive action when internal disputes arose to “prevent major forks from emerging,” and is credited for Linux’s success.69 An OSS project controller can define the rules of its project in a way that makes sure its investment, and that of the community, will pay dividends. This is directly analogous to NFT project creators using technical controls and IP rights to incentivize investment in their projects and mitigate negative externalities. The controller must align incentives with its community, especially in the early stages of the project when an end-goal may be less defined. Control is necessary to ensure projects survive long enough to develop into scalable, self-sustaining ecosystems. Put differently, control protects the creator’s upfront investment in building out a scalable NFT community. Once the community begins flourishing, the controller can begin to relinquish some of its control and instead rely upon network effects. One of the founders of the popular NFT project Doodles explained this concept well in an interview:
Initially we wanted to launch a[n] . . . NFT project that is fully decentralized . . . [but] the motivation changed . . . when we started . . . seeing the concepts, the art . . . we just realized that we . . . just want to create something that’s lasting, we want to create legacy together . . . . The decentralization bit it’s always a balance . . . you’re balancing decentralization with usability, you’re balancing decentralization with user experience . . . for us to achieve our vision we need to have more control over how . . . Doodles operates, we need to have more control over the treasury.70
One particularly interesting NFT project regarding its balance of control is “Nouns.”71 Nouns discards many mechanisms of control we have discussed in this paper. For example, the digital art asset representing each NFT is stored on-chain, which is not the norm for an NFT project. Additionally, this art asset is in the public domain, as the project utilizes the CC0 license—meaning it has waived all copyright protections.72 Perhaps most critically, decisions concerning the project are governed by the Nouns Decentralized Autonomous Organization (“DAO”), which is an unincorporated entity that is managed through decentralized governance—in this instance, each Nouns holder gets one vote on DAO proposals.73 Yet despite its DAO structure for managerial decision making, the project’s creators retain a degree of control. For example, the project’s creators “will veto proposals that introduce non-trivial legal or existential risks” to the project “until Nouns DAO is ready to implement an alternative.”74 The project acknowledges that the right must remain in place until “a more complete understanding of the incentives and risks” crystallizes.75
Relying solely on a community of NFT holders to develop long-term viability of an NFT project is fraught with misaligned incentives, making success challenging. The most promising example may be the NFT project “Loot.”76 Loot has no significant controller—the smart contract does not retain technical control in any meaningful way (for example, while it does use the onlyOwner() modifier, it does so in a limited manner) and there are no significant external IP rights.77 While the initial hype for this project was significant, topping $230m in sales at one point, the collection’s value is down 95% at the time of this writing.78 While there remains a small community integrating these NFTs, and Loot may yet become the exception to the rule, the major hurdle for the project remains weak “incentives to fuel further growth” given the project is “without financial propellant[s] to ensure that creators can invest their time and be rewarded for what they’re contributing to the ecosystem.”79 These deflated financial propellants are a direct result of the project’s creators purposefully abstaining from retaining control.
NFTs constitute a promising yet frequently misunderstood and mischaracterized technology. It is important for lawyers and the general public alike to delve past popular discourse and appreciate the NFT mechanisms that operate behind the scenes. By analyzing NFT smart contract code, we have explored what “owning” an NFT really means. While NFT marketers may emphasize free and clear ownership of a particular token, these claims must be assessed in the context of the technical and legal controls applicable to a given project. Retained control is not inherently problematic for the ethos associated with Web3—to the contrary, developing projects into self-sustaining networks of participants may well require it. However, transparency is the best long-term policy to promote adoption by the broader public and to avoid regulatory or legal challenges. Those considering purchasing an NFT as an investment or store of value should be aware of what they are and are not purchasing and make their own determinations about whether the value ascribed to the NFT in the marketplace appears to appropriately reflect the ownership and control rights that are actually being acquired.
Over 60% of NFT projects use IPFS to store the metadata off-chain. While IPFS hashes the actual content, the NFT smart contract itself may change its uri() function’s return value, so as to change the metadata location on IPFS. This is called “reveal” and is often used to release the actual token media when sale events happen.
On the physical property side, blockchain alone won’t provide much protection, unless coupled with proof of ownership mechanisms.
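The “reveal” mechanism mentioned above, sketched as an added Solidity example (not code from the article or from any project it names): IPFS fixes the bytes behind each content hash, but the contract owner still chooses which hash uri() returns until the pointer is frozen. All names here (RevealableMetadata, setBaseURI, freezeMetadata, the events) are hypothetical, and only the metadata-pointer logic is shown, not a full token implementation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustration only: the metadata-pointer logic of an NFT contract, not a full token.
// Every name in this contract is hypothetical.
contract RevealableMetadata {
    address public immutable owner;
    string private baseURI;      // e.g. "ipfs://<placeholder-CID>/"
    bool public metadataFrozen;  // one-way switch; no function unsets it

    event BaseURIChanged(string previousURI, string newURI);
    event BaseURIFrozen(string finalURI);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(string memory placeholderURI) {
        owner = msg.sender;
        baseURI = placeholderURI;
    }

    // The "reveal": the owner repoints every token at a new IPFS directory.
    // IPFS pins the bytes behind a hash, not which hash this contract returns.
    function setBaseURI(string calldata newURI) external onlyOwner {
        require(!metadataFrozen, "metadata frozen");
        emit BaseURIChanged(baseURI, newURI);
        baseURI = newURI;
    }

    // After this call the pointer is as fixed as the content it names.
    function freezeMetadata() external onlyOwner {
        metadataFrozen = true;
        emit BaseURIFrozen(baseURI);
    }

    function uri(uint256 tokenId) external view returns (string memory) {
        return string.concat(baseURI, _toString(tokenId), ".json");
    }

    function _toString(uint256 v) private pure returns (string memory) {
        if (v == 0) return "0";
        uint256 digits;
        for (uint256 t = v; t != 0; t /= 10) digits++;
        bytes memory buf = new bytes(digits);
        for (; v != 0; v /= 10) buf[--digits] = bytes1(uint8(48 + v % 10));
        return string(buf);
    }
}
```

A holder or auditor reviewing a contract of this shape would check whether a setter like setBaseURI exists, whether a freeze flag has been set, and whether any change events were emitted after the sale.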