August 9, 2022

Expensive code, free JPEGs, and coffee NFTs

Welcome to the Block & Mortar newsletter! Every week, we bring you the top stories and our analysis on where business meets web3: blockchain, cryptocurrencies, NFTs, and metaverse. Brought to you by Scott Robbin and Q McCallum.

Last week we promised you a segment on Tokenize This™, our thought experiments on applying web3 to a business … but with the big Things Go Wrong™ stories, we figured we'd move that to next week.

Things Go Wrong™: “Bridges and Wallets and Hacks Oh My” edition

(We co-wrote this section with Shane Glynn. Some of you may know him as the guy who reviews our newsletter drafts. He's also an experienced attorney who has spent the past few years focused on crypto.)

We went an entire month without a Things Go Wrong™ segment.  (Sure, that's because we had a few Scam O'Clock™ pieces, but who's counting?)  And now it's back, in the form of two very painful software bugs.  That pain takes the form of about $200 million in immediate financial losses, with a side of Banging One's Head Against The Wall while chanting "so obvious in hindsight."

It started on Monday 01 August, when the Nomad bridge suffered a hack that led to the loss of almost $200M in cryptocurrency. The origin of the hack was traced to an issue that Quantstamp, a web3 security firm, had noted several months ago (QSP-19 in this doc).

An issue that Nomad's team marked as “not a bug.”

Oops. 

Separately, the next day, several thousand Solana users lost funds. Initially there was widespread confusion as to the source of the hack and what wallets were affected.  There were concerns that the exploit was in the Solana network code itself, and this led to degraded performance on Solana overall. 

Eventually the problem was traced to a bug in a (closed-source) software wallet named Slope.  The problem?  The app was sending the seed phrase, which is used to recover a wallet’s private key, back to Slope.  (Bad.)  

And possibly to other groups.  (Very bad.) 

In plain text.  (Realllly bad.)  

To date, this bug is responsible for approximately $5 million in losses. ([censored].)

We emphasize that the Slope issue was not a "hack," but a "bug."  A "hack" would be "an outsider broke Slope's code and got it to divulge info."  Based on what we've read, it sounds more like "Slope's developers introduced a data leak into their app, which hackers (and, frankly, anyone else) could potentially misuse."  

This leak, the "plain text" we mentioned above, appears to be some kind of logging.  This is how developers save details of application activity to assist in support efforts.  For example, an app might log: "At 7:35AM, User1234 initiated a push. At 7:36AM, the remote server failed to respond and the app crashed."

And to be clear, logging like this is generally good software development practice. When your code runs in a distributed environment, or on someone else's systems, you lose visibility into what is happening and that makes it very difficult to troubleshoot.  Experienced developers leave detailed log messages as a digital paper trail to balance that out.  Where Slope dropped the ball, in our view, is that they logged sensitive information. 

And if that is indeed the case, this would make for a very expensive log message.  About $5 million for one line of code.
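One way to keep that line of code from getting expensive is to scrub log records before they leave the app. The sketch below is an added example, not Slope's code (which is closed-source) and not from the newsletter's sources; it assumes a seed phrase looks like 12 to 24 short lowercase words, and the field names in `SENSITIVE_KEYS` are hypothetical.

```python
import logging
import re

# Assumption: a seed phrase is 12-24 lowercase words of 3-8 letters, single-spaced.
# Matching by shape over-redacts now and then, which is the safe direction for logs.
MNEMONIC_RE = re.compile(r"\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b")
SENSITIVE_KEYS = {"seed", "seed_phrase", "mnemonic", "private_key"}  # hypothetical names
REDACTED = "[REDACTED]"

def scrub(value):
    """Return value with seed-phrase-shaped text and sensitive fields redacted."""
    if isinstance(value, str):
        return MNEMONIC_RE.sub(REDACTED, value)
    if isinstance(value, dict):
        return {k: REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    return value

class SecretScrubFilter(logging.Filter):
    def filter(self, record):
        # Render first, so secrets passed as %-style args are caught as well.
        record.msg = scrub(record.getMessage())
        record.args = None
        return True

class ListHandler(logging.Handler):
    """Stand-in for a remote log shipper: keeps formatted lines in memory."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def run_demo():
    handler = ListHandler()
    handler.addFilter(SecretScrubFilter())  # scrub at the point of export
    log = logging.getLogger("wallet_demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    phrase = " ".join(["abandon"] * 11 + ["about"])  # constructed test phrase
    log.info("User1234 initiated a push")
    log.info("wallet import failed, phrase=%s", phrase)
    log.info("state=%s", scrub({"user": "User1234", "mnemonic": phrase}))
    return handler.lines

if __name__ == "__main__":
    print("\n".join(run_demo()))
```

The filter sits on the handler, so every record is scrubbed at the last step before it is shipped, regardless of which part of the app wrote it.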

Getting a piece of that secondary market

No matter where you went to school, we all share the experience of having shelled out cash for textbooks that we hardly used. Maybe it was on a topic that you knew you wouldn't need after graduation.  Or you had that one annoying prof who insisted that you buy a whole book just so they could refer to two pages of it in class. 

Whatever the case, this led to the other shared experience: Selling That Book To Get Some Of Your Hard-Earned Money Back Because It's Weird When A Few Hundred Pages Of Print Material Cost More Than A Week's Worth Of Food And We're Getting Kinda Hungry. So some other student got the book at a discount, and you got to splurge at the grocery store.  Win-win.

Textbook publishers have expressed mixed reactions to this vibrant secondary market. Some have shrugged. Others have chosen to issue barely-updated books each year, a move that just coincidentally wrecked the resale value of the previous edition because it was now technically out of date.

We wish this were just an odd trip down memory lane – a little digression that we'd forgotten to trim from the newsletter before hitting "send" – but you already know where this is going. A textbook publisher has dipped its toes into the web3 waters.  This excerpt from The Guardian (which is quoting Bloomberg) says it all:

[Pearson] CEO Andy Bird explained his plan to sell digital textbooks as NFTs, allowing the publisher to track the ownership of a book even when it changes hands, Bloomberg reported. “In the analogue world, a Pearson textbook was resold up to seven times, and we would only participate in the first sale,” he said, explaining that “technology like blockchain and NFTs allows us to participate in every sale of that particular item as it goes through its life”.

This is not the first time we've seen a publisher mix NFTs and ebooks.   (That honor goes to the folks issuing NFT ebooks of Robert Heinlein's work. We can thank a sharp-eyed reader for sending that story our way.  You know who you are!)  Nor will it be the last.  Pretty much every company will try to blend the new hotness known as web3 into their secret sauce.  And that's great.  The best way to uncover web3's capabilities is for people to try things.

On the one hand, we're business owners, so we certainly respect the hustle to find new revenue sources.  We support artists using NFTs to get a cut of resale for their work. And we want restaurants to get a piece of the action when someone sells an NFT-based loyalty pass.

On the other hand, we can't help but see Pearson's plan as some kind of weird, reverse-Robin Hood move.  (Robin Hood the character, not the retail trading app that brought GameStop back to life.)

By the by: what textbooks did you most enjoy selling? And which ones do you wish you'd kept?

If you love JPEGs, set them free

Licenses specify not so much what is possible as what is permitted. This distinction is especially important when materials are released in a form that people are able to copy, modify, or redistribute.  Books and open source software are prime examples.

As are digital images, which are the most common form of NFT these days.  And in the NFT space, big names like XCOPY and Moonbirds are opting for the Creative Commons Zero (CC0) license.  This is a creator's way of saying: "Do what you want with it.  You can make money, not make money, whatever.  You don't even have to credit me. I just want this to be out there."  To release work as CC0 is to effectively put it in the public domain.

Books and music are released under copyright, and even a lot of open source software projects use formal licenses that define boundaries on how their work may be used.  So why would an artist, having put their time and energy into creating something, release it under such liberal terms?  

Writ small, some artists are willing to trade control for fame.  CC0 reduces barriers to sharing, so this gives their work the greatest chance to spread.  As described by NFT creator and collector @Punk6529, CC0 demonstrates that an NFT – the actual record of ownership, as etched into a blockchain – has value separate from the artwork.  6529's NFTs remain valuable even though anyone can duplicate and commercially exploit them just as though they were the original artist.

Writ large, this openness to sharing and remixing can provide other creators with raw materials on which to build.  (To the patent and copyright law scholars out there: we know what you're about to say.  And we're with you on that.)  Those people may, in turn, choose to CC0 that derivative work for other creators to use, and the cycle repeats.  If enough artists release their work under CC0, they are giving the entire NFT space the greatest chance to spread.

This reminds us of the early days of open source software.  When it was released, the GNU General Public License (GPL) was a stark contrast to the commercial, proprietary software licenses of the day.  It allowed people access to the raw source code, and even granted them the right to build on it.  The catch?  The license's so-called virality requires that anything built on GPL'd software must also be released under the GPL.  GPL'd software experiences a kind of "freedom" in that it can never be locked away inside a commercial entity.

Love or loathe the GPL, it's hard to imagine the 1990s tech boom without it. The fancy Android phone in your pocket, the Linux machine that serves up this e-mail, and even the open-source compilers used to build some proprietary software, they all have their roots in early-day GPL'd tools.  It was radical when it was released and continues to be relevant thirty years later, even if it is now just one of many open source licenses in use.

GPL and CC0 are two very different licenses, as far as their terms.  But we see that they are similar in purpose: they help ideas to spread and they discourage commercial interests from closing those ideas down.  

And that leads us to two questions:

For one, consider that the BSD, MIT, and Apache licenses were born as alternatives to the GPL.  They provide a different kind of "freedom," one that makes it possible for authors to maintain their original open-source work (so no corporation could claim it as their own) while still allowing for adoption in commercial spaces (because corporate software development shops are, understandably, wary of building on GPL libraries).  When we consider the alternatives to CC0, the NFT equivalents of BSD/MIT/Apache licenses – which artists will opt for non-commercial rights versus non-exclusive commercial rights versus something else altogether?

Two, what's the ideal license for releasing corporate NFTs? In theory, those groups don't need a liberal license to help spread their ideas (they have huge marketing budgets for that), so CC0 doesn't offer them much benefit.  Will they all create custom, proprietary licenses?  Over time, will those converge into a small handful of well-known, well-researched commercial licenses?

But will people customize the NFTs the way they customize their drinks?

Businesses rely on a lot of metrics.  Three that are especially important in the B2C realm are:

  • cost of customer acquisition – money you spend to convert a prospect into a customer (this is usually a function of marketing)
  • cost of customer retention – what you spend to keep customers coming back
  • customer lifetime value – oversimplifying a bit, this is the total amount of money the customer spends on you (minus what you've spent on them)

Customer acquisition and retention are investments. Lifetime value is the return on those investments.  And because customer acquisition is so costly compared to retention – a one-time customer may represent a negative lifetime value – companies are willing to throw some cash into developing loyalty programs.  Frequent flier miles and status perks work wonders for getting people to keep spending with you.  (Building predictive models to determine when a customer is pregnant and send them coupons also works, but there's the added creepy factor.  So maybe don't take that route.)

Starbucks plans to spice up its very robust loyalty program with some web3 appeal.  The combination coffee roaster/freelancer office space has offered scant details, so we don't have a lot to share.  We expect there will be plenty of NFTs with Benefits.  There will also be plenty of lessons to learn, so take notes.  You'll get to watch how a large chain's web3 decisions – the underlying blockchain, terms, and benefits – play out in public.

One particularly interesting aspect of loyalty programs is that they are sealed economies. The proprietors determine the internal value of the points ("how many miles do you trade for a free flight?") as well as its exchange rate with fiat currency ("you can buy X miles for Y dollars"). And they can change those decisions at will.  Airlines, hotels, and some coffee chains play the role of central banker.  

Adding web3 to the mix opens new questions then: how will these companies maintain their programs over the long-term?  What will be the impact of a large change, some future equivalent of moving from proof-of-work to proof-of-stake?  How much have they researched potential security problems? And will they permit people to sell their status or loyalty tokens on the secondary market?  We'll probably see a variety of answers in the near-term.  Over time, expect industry players to sort out best practices and standardize across the board.

What we’re reading

We read a fair number of articles, blog posts, and tweets to bring this newsletter to life.  (Side note: yes, after years of using Twitter to goof off, it's now … sort of … become part of our job? It's weird.)  And we typically use those links as starting points for segments, or as support for our micro-scale think-pieces.

This week we came across an article that we'd like to share outright.  Tim O'Reilly is the founder of O'Reilly Media, a company best known for its tech books with animals on the covers.  Tim is also the person who coined the term "web 2.0" to describe the post-Dot Com world that gave us social media and sites built on user-generated content.

Last week Tim published a piece called “The Metaverse Is Not a Place,” in which he describes his take on the "metaverse" concept.  We find it a particularly thoughtful take on what a metaverse is and is not, and we think you'll enjoy it as well.

(Full disclosure: one of your Block & Mortar editors is an O'Reilly author and occasional contributor to O'Reilly Radar, but we weren't compensated for sharing this article.  We just think it's cool.)


Note: We’d like to thank Shane Glynn for reviewing early newsletter drafts. Any mistakes that remain are ours.