Yes, that is definitely a possibility I considered. The upfront expense risk. I guess they could have left an admin window in the contract that allowed uploading the hashes after the project was economically successful.

You can check if the HM hash is in the provenance, but that still doesn't fix the problem of certifying that your token corresponds to a certain HM.