Reputation: 41
How do we prove the authenticity of the metadata of an NFT asset?
According to the ERC721 spec, to get the metadata of an NFT asset, we need to go to the URI mentioned in the tokenURI function. What happens if this metadata is on a centralized server, and the owner changes the metadata pointed to by the tokenURI?
Let's consider a use case - suppose I buy an NFT digital art on OpenSea, which has a tokenURI of the format https://opensea.io/<contract_address>/123 which points to an image called awesome_art.png which is on an AWS server. Now, what if the owner thereafter uploads another random image with the same name?
In this case, the NFT would still be valid; the metadata will still be valid since they follow the standards.
I guess the best way to avoid this is to hash the metadata images/asset content when it is first minted and put that on the blockchain, but just wondering if there is any other proven way/standard out there to achieve this?
FYI - I know one solution is to use decentralized solutions like IPFS, but it doesn't really solve the issue at the heart of this question.
Upvotes: 4
Views: 1069
Reputation: 21
ERC-2477 is one proposed standard for attaching digests of metadata to tokens: https://eips.ethereum.org/EIPS/eip-2477
A digest of the JSON schema can also be added to the blockchain, or alternatively a $schema reference to the JSON schema can be embedded in the metadata JSON, along with $schemaIntegrity holding a digest of the JSON schema.
> FYI - I know one solution is to use decentralised solutions like IPFS, but it doesn't really solve the issue at the heart of this question.
IPFS CIDs have digests built in, so IPFS does cover this, I think. A number of ERC721s are using this already, storing the CID on chain.
Upvotes: 2
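The digest-at-mint approach discussed in the question and answer above, as an added example that is not part of either post: it shows that a digest of the metadata JSON alone does not detect a swapped `awesome_art.png` unless the metadata itself pins the image digest. The on-chain record is modelled as a plain dict, and `mint_record`, `verify_token`, the `image_sha256` field and all sample data are hypothetical names and constructed values, not taken from ERC-2477.

```python
import hashlib
import hmac
import json


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest over the exact bytes served, with no re-serialisation."""
    return hashlib.new(algorithm, data).hexdigest()


def mint_record(metadata_bytes: bytes, algorithm: str = "sha256") -> dict:
    """Stand-in for what a contract would store per token at mint time."""
    return {"algorithm": algorithm, "digest": digest(metadata_bytes, algorithm)}


def verify_token(record: dict, metadata_bytes: bytes, image_bytes: bytes) -> list:
    """Return the integrity failures found; an empty list means authentic."""
    actual = digest(metadata_bytes, record["algorithm"])
    if not hmac.compare_digest(actual, record["digest"]):
        # Metadata was altered: nothing inside it can be trusted, stop here.
        return ["metadata digest mismatch"]
    metadata = json.loads(metadata_bytes)
    pinned = metadata.get("image_sha256")  # hypothetical field name
    if pinned is None:
        # Metadata is authentic but says nothing about the image content.
        return ["image not pinned by metadata"]
    if not hmac.compare_digest(digest(image_bytes), pinned):
        return ["image digest mismatch"]
    return []


# Constructed sample data: the minted artwork and a same-name replacement.
ORIGINAL_IMAGE = b"\x89PNG original artwork bytes"
SWAPPED_IMAGE = b"\x89PNG some other picture, same file name"


def build_metadata(pin_image: bool) -> bytes:
    """Constructed metadata document, optionally committing to the image."""
    doc = {"name": "Awesome Art #123",
           "image": "https://example.com/awesome_art.png"}
    if pin_image:
        doc["image_sha256"] = digest(ORIGINAL_IMAGE)
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


if __name__ == "__main__":
    for pin in (False, True):
        meta = build_metadata(pin)
        record = mint_record(meta)
        print(pin, verify_token(record, meta, SWAPPED_IMAGE))
```

With an IPFS CID as the `image` value the pinning step comes for free, because the address is itself derived from the content.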