The phrase “NFT storage” is a bit misleading, and that confusion causes real security gaps.
When people ask where to store their NFTs, they’re usually asking two different questions at once: where is the NFT itself, and where is the image or file the NFT points to? These are distinct things. Mixing them up leads to situations where someone thinks their NFT is “safely stored” when they’ve only addressed half the problem.
An NFT — at the token level — is a record in a smart contract. Specifically, it’s an entry in a mapping that associates a token ID with a wallet address. That mapping lives on the blockchain. You can’t move it off-chain, back it up separately, or store it anywhere. What you’re actually protecting is the private key for the wallet address listed as owner.
This matters because securing an NFT is functionally the same as securing a wallet. The blockchain enforces ownership; your operational security determines whether that ownership stays intact.
The token record is just a pointer. When your wallet holds an NFT, it holds a token ID. That token has metadata — usually a JSON file — and the metadata contains a link to the actual image, video, or file. Where that link points determines how durable the media actually is.
On-chain storage means the media is embedded directly in the contract or encoded in the metadata. It’s expensive, so most projects don’t do it — but when they do, the image exists as long as the chain does. Some generative art projects, Loot, and Bitcoin Ordinals work this way.
IPFS is more common. Content on IPFS is addressed by a hash of the content itself, not a server location — so ipfs://QmXyz... always points to exactly that file, and the link can’t be hijacked. The catch: the file still needs to be “pinned” by at least one node to remain accessible. If nobody’s actively pinning it, the file disappears even though the link is technically valid and the token still exists.
Arweave is designed for permanent storage. You pay once, the file is stored indefinitely by the network’s built-in economic incentives. More durable than unpinned IPFS in practice.
Centralized servers are the riskiest. If the metadata URL points to https://api.someproject.com/token/1 and that server goes offline, the image returns nothing. The NFT still exists on-chain — you still own the token — but there’s no image attached to it. This has happened to real collections.
For most established collections, metadata is on IPFS pinned by the project or a service like Pinata or NFT.Storage. But pinning isn’t guaranteed forever, and you generally can’t verify it without checking the actual metadata.
The practical choices for custody come down to where the signing key lives.
A software wallet like MetaMask or Phantom is always connected to the internet. It’s convenient for active trading. It’s also the attack surface — any wallet with a compromised seed phrase or a bad approval sitting on it is a liability.
A hardware wallet like a Ledger or Trezor keeps the private key offline. When you sign a transaction, it happens on the device, and the key never touches your computer or network. For NFTs worth protecting, this is the standard recommendation — not because software wallets are inherently broken, but because offline signing removes a whole category of attack.
Moving NFTs to cold storage is a standard on-chain transfer: you send the token from your active wallet to the address controlled by the hardware wallet. After that, the NFT can’t move without a physical signature from the device.
This one gets overlooked more than it should.
When you list an NFT on OpenSea, Blur, or another marketplace, you’re granting that marketplace contract an approval to transfer tokens from your wallet on your behalf. That approval persists indefinitely — including after your listing expires. If that marketplace contract is exploited, or if you accidentally sign an approval for a contract pretending to be a legitimate marketplace, that approval can be used to drain your wallet.
Tools like Revoke.cash let you audit all active approvals for any EVM address and revoke the ones you don’t need. If you’ve used multiple marketplaces or have approvals sitting around from months ago, this is a straightforward risk reduction step.
The cleanest security posture for serious NFT holders uses two distinct wallets.
One wallet is for active use — interacting with marketplaces, minting, participating in allowlists. It has limited NFTs, limited approvals, and gets regularly audited.
The other is a vault — cold storage, no marketplace interactions, no approvals granted. Assets that live here can’t be drained through a compromised marketplace approval because that wallet has never touched a marketplace.
The separation is simple and doesn’t require any specialized setup. You just keep them separate and don’t mix the workflows.
Account abstraction (ERC-4337) and EIP-7702, which passed in Q2 2026, are beginning to change what “wallet security” means. Smart accounts can have programmable rules — transfer rate limits, multi-signature requirements, recovery mechanisms — built directly into the wallet. This makes the hot/cold binary less absolute over time. But as of mid-2026, most NFT holders are still using traditional externally owned accounts (EOAs), and the advice above remains directly applicable.
On the media side, on-chain storage is becoming marginally more practical as Layer 2 costs fall. If a collection stores everything on-chain, the media durability question goes away. This isn’t the norm yet.
Now: Audit approvals on any wallet that’s interacted with NFT marketplaces. If you haven’t done this recently, it takes about five minutes via Revoke.cash. Move high-value NFTs to a hardware wallet address if they aren’t already.
Next: Watch how EIP-7702 smart account adoption changes wallet security patterns — the tooling is moving.
Later: On-chain media storage may become cost-effective enough to be standard on L2s, which would eliminate the metadata vulnerability layer entirely.
This covers the two-layer security question: token custody (wallet) and media durability (where the file lives). It doesn’t address how to verify NFT authenticity, how to read NFT metadata, how to list an NFT for sale, or how to transfer one. It’s not a recommendation of any specific hardware device or storage service, and it doesn’t constitute financial or legal advice.
The NFT system works as described. Whether a specific piece is worth the custody effort is outside this scope.




