Solana-based NFT creators and collectors are in for a treat today, as a key exploit in leading marketplace Magic Eden appears to allow scammers to sell fake NFTs as part of featured, verified collections.
Debate over this vulnerability erupted this morning on Twitter, where users reported that Magic Eden was listing fake NFTs in popular collections like ABC and y00ts. Apparently, sellers could present NFTs as part of these projects and sell them for hundreds of SOL dollars or more.
Magic Eden tweeted about the situation this morning, thanking community members for “alerting us that there was an issue where people could be buying fake ABC NFTs.” The marketplace said it “added more layers of verification to each collection to address the issue” and encouraged affected merchants to contact its support team.
However, ABC’s pseudonymous HGE and other prominent Solana figures insisted the issue remained unresolved. HGE described the problem as “mass exploitation,” and asked Magic Eden to temporarily close the market until a full resolution.
“I know volume is important, but you need to limit your damage first,” HGE tweeted to Magic Eden. “Make sure the exploitation stops, really make sure of it.”
Shortly after 1 p.m. ET, Magic Eden tweeted that the issue has been resolved on their end, but users may still see the fraudulent listings unless they “refresh” their browsers.
“As of today, we’ve fixed the main issue, but we believe users who haven’t updated their browsers will still see unverified NFTs on fundraising and activity pages,” Magic Eden tweeted. “It is likely that this situation has affected less than 10 collections, we will conduct a public autopsy in more detail.” The company did not explain how the exploit occurred and did not immediately respond to a request for comment from Decrypt.
Magic Eden also asked users to refresh their browsers on Tuesday after some saw pornographic images and footage from the TV series “The Big Bang Theory” instead of images of their NFTs. Magic Eden blamed the problem on a third-party image caching partner that was broken, saying it has now been fixed.
In a longer statement released Wednesday afternoon, Magic Eden said the impact was limited to 25 NFTs sold through four sets in the 24 hours before the fix began, though it’s possible that more unverified, fraudulent NFTs were actually listed on Magic Eden but never sold.
Magic Eden has announced that it will refund users who inadvertently purchased fake NFTs from one of its verified projects. The company blamed the error on a user interface (UI) issue that occurred during the launch of two recent features, its Snappy Marketplace and Pro Trade tools.
“The technical explanation is that our activity indexer for these two tools did not confirm that the originator’s address was verified,” the company wrote. “The Magic Eden smart contract remains secure and this incident was an isolated UI issue.”
HGE told Decrypt that it believes this is an exploit that has been active for some time, possibly months, but has not been exploited at a high level until now. Twitter user Christopher Moltistonkey claimed that the exploit script was being sold on black market sites to potential scammers, and that such activities had increased the exploit’s visibility.
Magic Eden said it will investigate further to see if there were any additional fraudulent NFT trades prior to that 24-hour window.
Metaplex, the creator of the Solana token standard that defines the functionality of NFTs, tweeted that the problem is not related to the Metaplex protocol or the NFT standard.
“This issue appears to be unrelated and caused by insufficient checks at the marketplace layer,” Metaplex tweeted, suggesting it was unrelated to an earlier Metaplex bug it said had been resolved in December.
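The check that Magic Eden's explanation and Metaplex's "marketplace layer" comment both point to can be sketched as follows. This is an added example, not Magic Eden's or Metaplex's code. It assumes Metaplex-style metadata where each creator entry carries an `address` and a `verified` flag; the allowlist, function names, addresses and events are hypothetical and constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Creator:
    address: str
    verified: bool  # assumed: True only when that creator has signed the metadata

# Hypothetical marketplace allowlist: collection slug -> trusted creator address
VERIFIED_COLLECTIONS = {"example_collection": "CreatorAAA111"}

def belongs_to_collection(creators, slug, allowlist=VERIFIED_COLLECTIONS):
    """True only if the collection's trusted creator is present AND verified."""
    trusted = allowlist.get(slug)
    if trusted is None:
        return False  # unknown collection: never display as verified
    # Matching the address alone is not enough; the flag must also be set.
    return any(c.address == trusted and c.verified for c in creators)

def index_activity(events, allowlist=VERIFIED_COLLECTIONS):
    """Split events into (accepted, rejected) mints before any UI view sees them."""
    accepted, rejected = [], []
    for ev in events:
        ok = belongs_to_collection(ev["creators"], ev["claimed_collection"], allowlist)
        (accepted if ok else rejected).append(ev["mint"])
    return accepted, rejected

# Constructed sample events (all identifiers are placeholders)
SAMPLE_EVENTS = [
    {"mint": "MintGenuine", "claimed_collection": "example_collection",
     "creators": [Creator("CreatorAAA111", True)]},
    # Trusted address is named, but its verified flag is not set
    {"mint": "MintUnsigned", "claimed_collection": "example_collection",
     "creators": [Creator("CreatorAAA111", False), Creator("SellerZZZ999", True)]},
    # A verified creator, but not the one the collection trusts
    {"mint": "MintOtherCreator", "claimed_collection": "example_collection",
     "creators": [Creator("SellerZZZ999", True)]},
    # Collection is not on the allowlist at all
    {"mint": "MintUnknownCollection", "claimed_collection": "not_listed",
     "creators": [Creator("CreatorAAA111", True)]},
]

if __name__ == "__main__":
    ok, bad = index_activity(SAMPLE_EVENTS)
    print("accepted:", ok)
    print("rejected:", bad)
```

Running the same predicate in every indexer that feeds a listing or activity view keeps a newly launched feature from skipping the verification the main marketplace already applies.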