Although I consider myself a cryptographer, I don’t find myself particularly fond of “crypto”. I don’t think I’ve ever actually said “Get off my lawn,” but I’m more likely to click on Pepperidge Farm Remembers-flavored memes about how “crypto” used to mean “cryptography” than on the latest NFT drop.
Also, cards on the table here: I don’t share the generational excitement about moving every aspect of life into an instrumented economy.
However, even strictly on a technical level, I have not yet succeeded in becoming a believer. So, given all the recent attention to what is now called web3, I decided to explore some of what’s going on in the field more thoroughly to see what I might be missing.
How I see web1 and web2
web3 is a somewhat vague term, which makes it hard to rigorously assess what web3’s ambitions should be, but the overall thesis seems to be that web1 was decentralized, web2 centralized everything into platforms, and web3 will decentralize everything again. web3 should give us the richness of web2, but with decentralization.
It might be good to have some understanding of why centralized platforms emerged, and in my opinion, the explanation is simple:
1. People don’t want to run their own servers, and never will. The premise of web1 was that everyone on the Internet would be both a publisher and a consumer of content, as well as a publisher and a consumer of infrastructure.
We would all have our own web server with our own website, our own mail server for our own email, our own finger server for our own status messages, our own chargen server for our own character generation. However, and I don’t think this point can be overemphasized, that is not what people want. People don’t want to run their own servers.
Even nerds don’t want to run their own servers at this point. Even organizations building software full-time don’t want to run their own servers at this point. If there’s one thing I wish we knew about the world, it’s that people don’t want to run their own servers. The companies that provide you with these services are successful, and the companies that iterate new features based on the possibilities of these networks are even more successful.
2. A protocol moves much more slowly than a platform. More than 30 years later, email is still unencrypted; meanwhile, WhatsApp went from unencrypted to full e2ee in a year. People are still trying to standardize reliable video sharing over IRC. Meanwhile, Slack lets you create custom reaction emojis based on your face.
It’s not a funding issue. If something is truly decentralized, it becomes very difficult to change and often gets stuck in time. This is a problem for technology because the rest of the ecosystem is evolving rapidly and if you don’t keep up, you’re going to fail. Entire parallel industries are focused on defining and improving methods like agile, trying to figure out how to organize large groups of people so they can act as quickly as possible because it’s so critical.
This is a problem when the technology itself is more conducive to stillness than movement. A surefire recipe for success has been to take a 90s protocol that was stuck in time, centralize it, and iterate quickly.
But web3 intends to be different, so let’s take a look. To get a quick feel for the space and a better idea of what the future may hold, I decided to build a couple of dApps and create an NFT.
Making some distributed apps
To get a feel for the web3 world, I made a dApp called Autonomous Art that allows anyone to mint a token by making a visual contribution to an NFT. The cost of making a visual contribution increases over time, and the funds a contributor pays to mint are distributed to all previous artists (visualizing this financial structure would resemble a pyramid shape). As of this writing, more than $38,000 has been spent on the creation of this collective work of art.
I also made a dApp called First Derivative that allows you to create, discover and exchange NFT derivatives that track the underlying NFT, similar to financial derivatives that track the underlying asset.
Both gave me an idea of how the space works. To be clear, there’s nothing particularly “distributed” about the apps themselves: they’re just normal React websites. “Distributed” refers to where the state and the logic/authority to update the state reside: on the blockchain and not in a “centralized” database.
One of the things I’ve always found odd about the cryptocurrency world is the lack of focus on the client/server interface. When people talk about blockchains, they talk about distributed trust, leaderless consensus, and all the mechanics of how that works, but they often gloss over the reality that clients ultimately cannot participate in those mechanics. All the network diagrams are of servers, the trust model is between servers, everything is about servers. Blockchains are designed to be a network of peers, but not designed such that it is really possible for your mobile device or your browser to be one of those peers.
With the shift to mobile, we now live firmly in a world of clients and servers (with the former completely unable to act as the latter), and these issues seem more important to me than ever. At the same time, Ethereum actually refers to servers as “clients”, so there isn’t even a word for the actual untrusted client/server interface that must exist somewhere, and no acknowledgement that, if it succeeds, there will ultimately be billions (!) more clients than servers.
For example, whether running on a mobile device or the web, a dApp like Autonomous Art or First Derivative needs to interact with the blockchain in some way in order to modify or render state (the collectively produced artwork, its edit history, the NFT derivatives, etc.). However, this is practically impossible to do from the client side, as the blockchain cannot live on your mobile device (or, realistically, in your desktop browser). So the only option is to interact with the blockchain through a node running remotely on a server somewhere.
A server! However, as we all know, people don’t want to run their own servers. As it happens, companies have emerged that sell API access to Ethereum nodes running as a service, while offering analytics, enhanced APIs they build on top of the default Ethereum API, and access to historical transactions. Sounds… familiar. At this point, there are basically two companies. Almost all dApps use Infura or Alchemy to interact with the blockchain. In fact, even if you connect a wallet like MetaMask to the dApp, and the dApp interacts with the blockchain through your wallet, MetaMask is just calling Infura!
These client APIs do not use anything to verify the authenticity of the blockchain state or of the responses. The results are not even signed. An application like Autonomous Art says “hey, what is the output of this view function on this smart contract”, Alchemy or Infura responds with a JSON blob that says “this is the output”, and the application renders it.
This surprised me. A lot of work, effort and time has gone into creating a trustless distributed consensus mechanism, but nearly all clients who wish to access it do so by simply trusting the outputs of these two companies without any further verification. It also doesn’t seem like the best privacy situation. Imagine if every time you interacted with a website in Chrome, your request was first sent to Google, then routed to the destination and back. This is the case with Ethereum today. All write traffic is obviously already exposed on the blockchain, but these companies can also see almost all read requests from almost all users in almost any dApp.
Blockchain proponents might argue that it’s okay if these types of centralized platforms emerge, because the state itself is available on the blockchain, so if these platforms misbehave, clients can simply move elsewhere. However, I suggest this is a very simplistic view of the dynamics that make the platform what it is.
Let me give you an example.
Making an NFT
I also wanted to create a more traditional NFT. Most people think of images and crypto art when they think of NFTs, but NFTs typically do not store this data on-chain. For most NFTs of most images, that would be too expensive.
Instead of storing data on-chain, NFTs contain a URL that points to the data. What amazes me about these standards is that there is no hash commitment for the data located at the URL. Looking at the many NFTs sold on popular marketplaces for tens, hundreds or millions of dollars, the URL usually just points to a VPS running Apache. Anyone who has access to that machine, anyone who buys the domain name in the future, or anyone who compromises the machine can change the NFT’s image, title, description, etc. to whatever they want at any time (regardless of whether or not they “own” the token). There is nothing in the NFT specification that tells you what the image “should” be, or even allows you to confirm whether something is the “correct” image.
So as an experiment, I made an NFT that serves different images depending on who is looking at it, because the web server serving the image can choose to serve different images based on the requester’s IP or user agent. For example, it looks one way on OpenSea and another way on Rarible, but when you buy it and view it from your crypto wallet, it always shows up as one big 💩 emoji. What you bid on is not what you get. There’s nothing unusual about this NFT; that’s how the NFT specification is built. Many of the highest priced NFTs could turn into 💩 emojis at any time; I just made it explicit.
The NFT on OpenSea
The same NFT on Rarible
The same NFT in the wallet
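The missing hash commitment and the per-viewer image described above can be checked from the defender’s side in a few lines. This is an added example, not code from the original post: the two server functions, the client names, the URL and the image bytes are constructed stand-ins, and the committed_sha256 parameter is a hypothetical addition, since the post notes that the NFT standards carry no such commitment.

```python
import hashlib

# Constructed sample content: three different images served from one URL.
IMAGES = {
    "marketplace-a": b"<png bytes: artwork variant A>",
    "marketplace-b": b"<png bytes: artwork variant B>",
    "wallet": b"<png bytes: something else entirely>",
}

def cloaking_server(url, user_agent):
    """Stand-in for a web server that picks the body by User-Agent."""
    for key, body in IMAGES.items():
        if key in user_agent:
            return body
    return IMAGES["marketplace-a"]

def honest_server(url, user_agent):
    """Stand-in for a server that returns the same bytes to everyone."""
    return IMAGES["marketplace-a"]

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def audit_token_uri(fetch, url, user_agents, committed_sha256=None):
    """Fetch `url` as each client and report what a verifier can conclude.

    Without a commitment, the only signal is disagreement between vantage
    points. With one (hypothetical field), each view is checked on its own.
    """
    digests = {ua: sha256_hex(fetch(url, ua)) for ua in user_agents}
    report = {
        "digests": digests,
        "view_dependent": len(set(digests.values())) > 1,
        "commitment": "absent",
        "mismatched_clients": [],
    }
    if committed_sha256 is not None:
        bad = sorted(ua for ua, d in digests.items() if d != committed_sha256)
        report["commitment"] = "mismatch" if bad else "match"
        report["mismatched_clients"] = bad
    return report

# Constructed client identifiers and a placeholder URL.
CLIENTS = ["marketplace-a-crawler/1.0", "marketplace-b-bot/2.3", "wallet-app/5.1"]
URL = "https://nft.example/token/1.png"
COMMITMENT = sha256_hex(IMAGES["marketplace-a"])

if __name__ == "__main__":
    for label, server in (("cloaking", cloaking_server), ("honest", honest_server)):
        r = audit_token_uri(server, URL, CLIENTS, COMMITMENT)
        print(label, r["view_dependent"], r["commitment"], r["mismatched_clients"])
    # A single viewer with no commitment cannot tell anything is wrong.
    print(audit_token_uri(cloaking_server, URL, CLIENTS[:1])["view_dependent"])
```

A single client with no commitment sees one digest and has nothing to compare it against, which is the situation the post describes; comparing vantage points only helps whoever can fetch from several of them.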
A few days later, without any warning or explanation, the NFT I made was removed from OpenSea (an NFT marketplace):
The removal indicated that I was violating some terms of service, but after reading the terms, I didn’t see anything that prohibits an NFT which changes based on where it is viewed from, and I had been describing it that way publicly.
What I found most interesting, though, is that after OpenSea deleted my NFT, it also no longer appeared in any crypto wallet on my device. This is web3, though, so how is that possible?
Crypto wallets like MetaMask, Rainbow, etc. are “non-custodial” (the keys are kept on the client side), but they have the same problem as my dApps above: a wallet has to run on a mobile device or in a browser. At the same time, Ethereum and other blockchains are designed with the idea that they are peer-to-peer networks, but not designed in such a way that your mobile device or browser can really be one of those peers.
A wallet like MetaMask needs to do basic things like display your balance, your recent transactions and your NFTs, as well as more complex things like constructing transactions, interacting with smart contracts, etc. In short, MetaMask needs to interact with the blockchain, but the blockchain is built so that clients like MetaMask cannot interact with it. So, just like my dApp, MetaMask does this by making API calls to three companies integrated in the space.
For example, MetaMask displays your recent transactions by making an API call to Etherscan:
GET https://api.etherscan.io/api?module=account&address=0x0208376c899fdaEbA530570c008C4323803AA9E8&offset=40&order=desc&action=txlist&tag=latest&page=1 HTTP/2.0
It displays your account balance by making an API call to Infura:
POST https://mainnet.infura.io/v3/d039103314584a379e33c21fbe89b6cb HTTP/2.0
{
  "id": 2628746552039525,
  "jsonrpc": "2.0",
  "method": "eth_getBalance",
  "params": [
    "0x0208376c899fdaEbA530570c008C4323803AA9E8",
    "latest"
  ]
}
It displays your NFTs by making an API call to OpenSea:
GET https://api.opensea.io/api/v1/assets?owner=0x0208376c899fdaEbA530570c008C4323803AA9E8&offset=0&limit=50 HTTP/2.0
Again, as with my dApps, these responses are not authenticated in any way. They aren’t even signed so that you could later prove they were lying. MetaMask reuses the same connections, TLS session tickets, etc. for all the accounts in your wallet, so if you manage multiple accounts in your wallet to maintain some kind of separation of identities, the companies know they’re linked.
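Since the replies to requests like the eth_getBalance call above carry no signature or proof, one partial mitigation a client can apply is to ask several independent providers the same pinned question and accept an answer only when enough of them agree. This is an added example, not code from the original post or from any wallet: the provider names, replies, block number and request id are constructed, and the quorum policy is an assumption.

```python
import json
from collections import Counter

ADDRESS = "0x0208376c899fdaEbA530570c008C4323803AA9E8"  # address used in the requests above

def build_get_balance(address, block_number, req_id):
    """eth_getBalance pinned to a block number instead of "latest", so every
    provider is asked about the same state and answers are comparable."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_getBalance",
            "params": [address, hex(block_number)]}

def parse_balance(raw, req_id):
    """Strictly parse one reply; return the balance in wei or raise ValueError."""
    msg = json.loads(raw)  # JSONDecodeError is a ValueError subclass
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        raise ValueError("not a JSON-RPC 2.0 reply")
    if msg.get("id") != req_id:
        raise ValueError("reply does not match the request id")
    if "error" in msg:
        raise ValueError("provider returned an error")
    result = msg.get("result")
    if not (isinstance(result, str) and result.startswith("0x") and len(result) > 2):
        raise ValueError("malformed quantity")
    return int(result, 16)

def quorum_balance(replies, req_id, threshold):
    """replies maps provider name -> raw JSON text.

    Returns (balance_wei, agreeing, dissenting) when at least `threshold`
    providers return the same value; raises RuntimeError otherwise.
    """
    parsed = {}
    for name, raw in replies.items():
        try:
            parsed[name] = parse_balance(raw, req_id)
        except ValueError:
            pass  # unusable replies count as dissent below
    top = Counter(parsed.values()).most_common(1)
    value, votes = top[0] if top else (None, 0)
    if votes < threshold:
        raise RuntimeError("no quorum: providers disagree or failed")
    agreeing = sorted(n for n, v in parsed.items() if v == value)
    dissenting = sorted(set(replies) - set(agreeing))
    return value, agreeing, dissenting

# Constructed replies to request id 7 (1 ether = 0xde0b6b3a7640000 wei).
REPLIES = {
    "provider-a": '{"jsonrpc":"2.0","id":7,"result":"0xde0b6b3a7640000"}',
    "provider-b": '{"jsonrpc":"2.0","id":7,"result":"0xde0b6b3a7640000"}',
    "provider-c": '{"jsonrpc":"2.0","id":7,"result":"0x0"}',
    "provider-d": '{"jsonrpc":"2.0","id":8,"result":"0xde0b6b3a7640000"}',
}

if __name__ == "__main__":
    print(json.dumps(build_get_balance(ADDRESS, 14000000, 7)))
    print(quorum_balance(REPLIES, req_id=7, threshold=2))
```

Agreement is only as strong as the independence of the providers, and it widens the privacy exposure the post describes, because every provider queried sees the read request.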
MetaMask doesn’t actually do much; it’s just a view onto the data provided by these centralized APIs. This is not a problem specific to MetaMask. What other options do they have? Rainbow, etc. are set up in exactly the same way. (Interestingly, Rainbow has its own data for the social features it is building into the wallet, such as social graphs and presentations, and chose to build all of that on Firebase rather than the blockchain.)
All this means that if your NFT is removed from OpenSea, it also disappears from your wallet. It doesn’t functionally matter that my NFT is indelibly on the blockchain somewhere, because the wallet (and increasingly everything else in the ecosystem) just uses the OpenSea API to display NFTs, and that API began returning 304 No Content for the query of NFTs owned by my address.
Recreating the world
Given the history of how web1 became web2, what strikes me as curious about web3 is that a technology like Ethereum has been built with many of the same implicit pitfalls as web1. To make these technologies usable, the space is consolidating around… platforms. Again. The people who will run the servers for you and iterate on new features as they emerge. Infura, OpenSea, Coinbase, Etherscan.
Likewise, web3 protocols are slow to evolve. When building First Derivative, it would have been best to price minted derivatives as a percentage of the underlying value. That data is not on-chain, but it is in the API that OpenSea provides. People are excited about the ways NFT royalties can benefit creators, but royalties are not specified in ERC-721 and it’s too late to change it, so OpenSea has its own way of configuring royalties, one that exists in the web2 space. Rapid iteration on a centralized platform has outpaced the distributed protocols and consolidated control into the platform.
Given these dynamics, I don’t think it’s surprising that we’re already in a place where what your crypto wallet thinks of your NFTs is what OpenSea thinks of your NFTs. I don’t think we should be surprised that OpenSea isn’t a pure “view” that can be replaced, since it has been busy iterating the platform beyond what is possible strictly within the impossible/hard-to-change standards.
I think this is very similar to the situation with email. I can run my own mail server, but functionally it doesn’t matter for privacy, censorship resistance, or control — because GMail will be on the other end of every email I send or receive anyway. Once a distributed ecosystem is centralized around a platform for convenience, it becomes the best of both worlds: centralized control, but still decentralized enough to get bogged down in time. I could build my own NFT marketplace, but if OpenSea mediates the view of all NFTs in the wallets people use (and every other application in the ecosystem), it doesn’t provide any additional control.
This isn’t a complaint about OpenSea, or about what they’ve built. Quite the contrary, they are trying to build something that works. I think we should expect this kind of platform consolidation to happen and, given that inevitability, design systems that give us what we want when things are organized this way. However, my feeling and concern is that the web3 community is expecting different results than what we have seen.
It’s still early days
“It’s still early days” is the most common refrain I see when people in the web3 space discuss these kinds of issues. In some ways, the failure of cryptocurrencies to scale beyond relatively nascent engineering is what makes it possible to consider these days “early”, since objectively it has already been a decade or more.
However, even if this is just the beginning (and it likely is!), I’m not sure we should consider that any consolation. I think the opposite might be true; it seems like we should have noticed from the outset that these technologies immediately tend to centralize through platforms in order to be usable, that this has close to zero negative impact on the speed of the ecosystem, and that most participants don’t even know or care that it’s happening. This might suggest that decentralization itself has no immediate practical or urgent importance to most people downstream, that the only amount of decentralization people want is the minimum required for something to exist, and that, if not very consciously accounted for, these forces will push us farther from the desired outcome, not closer, as the days get less early.
But you can’t stop the gold rush
Come to think of it, OpenSea would actually be much “better” in a direct sense if all the web3 parts were gone. It would be faster, cheaper for everyone, and easier to use. For example, to accept a bid for my NFT, I would have to pay over $80 to over $150 in Ethereum transaction fees. This sets an artificial floor for all bids, since otherwise you’d lose money by accepting bids that are lower than the gas costs. Credit card payment fees, which often feel extortionate, look cheap by comparison. OpenSea could even publish a simple transparency log if people wanted a public record of transactions, quotes, bids, etc. to verify their accounts.
But if they had built a platform to buy and sell images that was not nominally based on crypto, I don’t think it would have taken off. Not because it isn’t distributed; as we’ve seen, a lot of what is needed to make it work is already not distributed. I don’t think it would have taken off because this is a gold rush. People have made money from cryptocurrency speculation, and those people are interested in using that cryptocurrency in ways that support their investment while offering additional returns, defining the environment for a market of wealth transfer.
Those who are flipping NFTs fundamentally don’t care about distributed trust models or payment mechanisms, but they do care about where the money is. So the money draws people to OpenSea, they improve the experience by building a platform that iterates on the underlying web3 protocols in the web2 space, they eventually provide the ability to “mint” NFTs through OpenSea itself rather than through your own smart contract, and eventually this all opens the door for Coinbase to offer access to a verified NFT marketplace on their platform via your debit card. That opens the door for Coinbase to manage the tokens themselves through dark pools held by Coinbase, which helps eliminate transaction fees and can completely avoid interacting with smart contracts. Ultimately, all the web3 parts are gone, and you have a website for buying and selling JPEGs with your debit card. Due to market dynamics, the project cannot start off as a web2 platform, but the same fundamental forces of market dynamics and centralization may propel it to eventually get there.
At the end of the stack, NFT artists are excited about this progression because it means more speculation/investment in their art, but if the purpose of web3 is to avoid the pitfalls of web2, we should be concerned that this is already the natural tendency of these new protocols that are supposed to provide a different future.
I think these market forces are likely to persist, and the question of how long, in my opinion, is whether the massive accumulation of cryptocurrency ends up in an engine or a leaky bucket. If the money flowing through NFTs ends up flowing back into the crypto space, it may continue to accelerate forever (regardless of whether it’s just web2x2). If it comes out in large numbers, then it’s going to be a flash in the pan. Personally, I think enough money has been made at this point that there are enough faucets to keep it going, and it’s not just a flash in the pan. If that’s the case, it seems worth considering, with some urgency, how to avoid web3 becoming web2x2 (web2 but with less privacy).
Creativity may not be enough
I’m just dabbling in the web3 waters, but from the perspective of these little projects, I can easily see why so many people think the web3 ecosystem is so neat. I don’t think it will free us from centralized platforms, I don’t think it will fundamentally change our relationship with technology, and I think the privacy story is already below the internet’s standard (which is a pretty low one!), but I also understand why nerds like me get excited about it. It’s new, at least at a nerd level: it creates a space for creativity/exploration, somewhat reminiscent of the early days of the internet. Ironically, part of this creativity may stem from the limitations that make web3 so unwieldy. I hope the creativity and exploration we are seeing will have positive results.
If we do want to change our relationship with technology, I think we have to do it consciously. My basic idea is roughly:
1. We should accept the premise that people will not run their own servers, by designing systems that can distribute trust without distributing infrastructure. This means an architecture that expects and accepts the inevitable outcome of relatively centralized client/server relationships, but uses cryptography (rather than infrastructure) to distribute trust. Although web3 is built on “crypto”, one of the things that surprises me is how little cryptography seems to be involved!
2. We should minimize the burden of building software. At this point, software projects are labor-intensive, and even a relatively simple application requires a group of people sitting in front of a computer for eight hours a day, every day, forever. This wasn’t always the case, and there was a time when 50 people working on a software project weren’t considered a “small team”. As long as software requires such coordinated energy and such highly specialized human focus, I think it will tend to serve the interests of the people who sit in that room every day, rather than the broader goals we might have. I think changing our relationship with technology may require making software easier to create, but in my lifetime I’ve seen the opposite happen, sadly.