As you may be aware at this point, it’s been pointed out that SecretPunks’ private background images are not so private after all. This is because we uploaded the images to Arweave, a public blockchain used for permanent storage of large files, similar to IPFS. Many modern NFT collections use Arweave for this, including Anons, because image files are often too large to store on the native chain. We knew that we couldn’t simply upload the private image files under their default punk file names, such as “punk0001.png”, because a name like that would be trivial to type into an Arweave URL and find. The solution we came up with was to run each file name through a salted hash function, turning “punk0001.png” into “7690d80f8639c05b83505596180e587f.png”. A name like that would be nearly impossible for someone to guess. Unfortunately, what we didn’t think about was that hashing hides only the file name, not the file contents or the upload itself: someone can browse the Arweave blockchain looking for transactions that occurred around the same time as their own punk’s private background was uploaded.
For example, if you own a SecretPunk, go to the gallery page for that punk and right click on the private background image, and copy the URL. You’ll get something like https://7g7orxin7qkophjzbxmwbm6jhocyimq3itbxt2doyn4orurkdlca.arweave.net/-b7o3Q38FOedOQ3ZYLPJO4WEMhtEw3nobsN46NIqGsQ/. That last section is the transaction ID. If you paste it into a block explorer like https://viewblock.io/arweave/tx/-b7o3Q38FOedOQ3ZYLPJO4WEMhtEw3nobsN46NIqGsQ, then click on the “Bundled In” link https://viewblock.io/arweave/tx/1hVDSQa7OyrDYv--RFl0NRm5V43kKTErCVDFt7AtovA, you can start to browse other images that were uploaded around the same time. Although the punk images are mixed in with thousands of images from other NFT projects, if you take the time, you can find other private punk background images relatively easily. Oops.
So how can this be avoided by other Secret NFT projects, including Stashh? The solution is fairly simple. A private image file must be encrypted before it is uploaded to any publicly accessible storage solution. A decryption key stored in the NFT’s private metadata, which only the owner can read, is then used to decrypt the file and view it. Anyone other than the NFT owner who fetches the file gets no viewable image, only what looks like random bytes. Although our team could have implemented this fairly easily if we had thought of it at the time, it probably would have resulted in Stashh not being able to display SecretPunk private background images (after switching them to public), as our code would be custom and Stashh would not know how to read it. From what we’ve heard in talking with the Stashh team, they have already implemented this solution, and future projects should not have to worry about this as long as they follow Stashh’s code standards or mint using their platform.
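The encrypt-before-upload approach described above, as an added Go example that is not SecretPunks’ or Stashh’s own code: the image bytes are sealed with a fresh AES-256-GCM key, the ciphertext is what goes to Arweave, and the key and nonce stay in the owner-only metadata (the `PrivateMetadata` layout and function names are this example’s assumptions, not a Stashh format). Because the blob is random-looking without the key, the file name no longer needs to be hidden, and the timing correlation from the previous paragraph reveals nothing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// PrivateMetadata is the owner-only part of the NFT (field names are this example's own).
type PrivateMetadata struct {
	Key   []byte // 32-byte AES-256 key, fresh per image
	Nonce []byte // 12-byte GCM nonce, never reused with the same key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptImage makes the Arweave blob: public, but random-looking without Key and Nonce.
func EncryptImage(image []byte) ([]byte, PrivateMetadata, error) {
	buf := make([]byte, 44) // 32-byte key followed by 12-byte nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, PrivateMetadata{}, err
	}
	meta := PrivateMetadata{Key: buf[:32], Nonce: buf[32:]}
	gcm, err := newGCM(meta.Key)
	if err != nil {
		return nil, meta, err
	}
	return gcm.Seal(nil, meta.Nonce, image, nil), meta, nil // GCM also authenticates
}

// DecryptImage runs for the owner; a wrong key or tampered blob errors instead of showing garbage.
func DecryptImage(blob []byte, meta PrivateMetadata) ([]byte, error) {
	gcm, err := newGCM(meta.Key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, meta.Nonce, blob, nil)
}

func main() {
	blob, meta, _ := EncryptImage([]byte("constructed stand-in for punk0001.png"))
	fmt.Println(DecryptImage(blob, meta)) // plaintext bytes and <nil>
}
```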
The good thing is, although the alternate background images are not truly private, the rest of SecretPunk’s privacy features are still solid. No one can see the wallet address that your punk belongs to. You can prove ownership of your punk via our website by adding links to your social media profiles, or by encrypting a message using your punk’s private key. Also, it can be argued that a SecretPunk’s true value can only be determined if you know the rarity of all of its attributes. So while your background may be public knowledge now, it is not any less valuable because of it.
All that being said, since SecretPunks’ private backgrounds are no longer much of a secret, we’ve decided to go ahead and release the exact rarity statistics to save everyone the trouble of scouring the Arweave blockchain for hours to compile a complete database. One more thing worth noting: although some of the rarest background images are about to be revealed, the names of those backgrounds are still a secret, as the name is stored in the private metadata of the NFT and not on Arweave. We will not reveal these names, and instead will leave it up to the owners of these punks to choose whether or not they want the world to know. Enjoy!
