Non-fungible token (NFT) marketplace Magic Eden said that it would refund all users affected by an exploit that involved the sale of fake NFTs that were passed off as being part of verified collections.
On the morning of January 4 (PT), the marketplace team saw “a handful” of reports saying that users were being shown unverified NFTs as part of verified collections on Magic Eden, said the announcement.
The incident affected popular collections such as ABC and y00ts. ABC creator HGE described this as ‘a massive exploit’ affecting high-value NFTs.
HGE called for the site to be paused, saying: “I know volume is important but limit the damage first. Make sure the exploit is stopped, like really make sure of it.”
The team stated:
“We have identified in the last 24 hours, the impact was contained to 25 unverified NFTs sold across 4 collections.”
The unverified NFTs showed up on the collection pages, they explained, while transactions of unverified NFTs could be seen in the activity tabs of the collections.
That said, the announcement claimed that the issue is resolved, that the team is currently checking if any additional NFTs were affected, and that users will be compensated, stating:
“Magic Eden is safe for trading and we will refund all the users who mistakenly bought unverified NFTs specifically due to this issue.”
Magic Eden also communicated with the users about the issue via their social media accounts.
But according to some, this wasn’t enough. HGE argued that this is actually not a new incident but was just previously done on a smaller scale, and that the site shouldn’t have been running while the exploit was active.
What happened?
The announcement said that this was a user interface (UI) issue that occurred due to a new feature released to the marketplace’s Snappy Marketplace and Pro Trade tools. While the former enabled users to see newly listed and sold items on Magic Eden directly on the screen in real time, the latter allowed them to see newly listed and sold items in real time with various stats.
However, said the announcement,
“Unfortunately, there was a bug deployed in an update to both of these features, where NFTs were not verified before being listed into these two tools, which automatically included the items into the collection at large. The technical explanation is that our activity indexer for these two tools did not check that the creator address is verified.”
They stressed that Magic Eden’s smart contract is secure, and this was “an isolated UI issue.”
The team took a series of steps to resolve the issue, adding an additional verification step to completely block similar types of attacks, they said.
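The check the announcement says was missing can be sketched as follows. This is an added example, not Magic Eden's code: it assumes a marketplace-side allowlist of creator addresses per collection, and the `Creator`/`ListingEvent` types, `VERIFIED_CREATORS`, the function names and the sample events are hypothetical. The `address` and `verified` fields mirror the creator entries in Metaplex token metadata.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Creator:
    address: str
    verified: bool  # True only if this creator signed the NFT's metadata

@dataclass(frozen=True)
class ListingEvent:
    mint: str
    claimed_collection: str  # taken from metadata the minter controls
    creators: tuple = ()

# Hypothetical marketplace allowlist: collection -> its verified creator addresses.
VERIFIED_CREATORS = {"y00ts": {"Y00TS_CREATOR_PLACEHOLDER"}}

def index_unchecked(events):
    """Behaviour the announcement describes: no creator check before indexing."""
    feed = {}
    for ev in events:
        feed.setdefault(ev.claimed_collection, []).append(ev.mint)
    return feed

def creator_is_verified(ev):
    """Require a creator that is both on the allowlist and flagged verified."""
    allowed = VERIFIED_CREATORS.get(ev.claimed_collection, set())
    return any(c.verified and c.address in allowed for c in ev.creators)

def index_checked(events):
    """Index only events that pass the creator check; return rejects for review."""
    feed, rejected = {}, []
    for ev in events:
        if creator_is_verified(ev):
            feed.setdefault(ev.claimed_collection, []).append(ev.mint)
        else:
            rejected.append(ev.mint)
    return feed, rejected

# Constructed sample events (mint names and addresses are placeholders).
EVENTS = [
    ListingEvent("mint-genuine", "y00ts", (Creator("Y00TS_CREATOR_PLACEHOLDER", True),)),
    # Allowlisted address present in metadata, but not signed by that creator.
    ListingEvent("mint-copied-addr", "y00ts", (Creator("Y00TS_CREATOR_PLACEHOLDER", False),)),
    # Creator flag is verified, but the address is not the collection's.
    ListingEvent("mint-other-signer", "y00ts", (Creator("OTHER_ADDR_PLACEHOLDER", True),)),
    ListingEvent("mint-no-creators", "y00ts"),
]

if __name__ == "__main__":
    print(index_unchecked(EVENTS))
    print(index_checked(EVENTS))
```

Both conditions matter: the address must belong to the collection and the `verified` flag must be set, so the check fails closed for unknown collections and for items with no creators.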
Meanwhile, Metaplex, which created the Solana (SOL) token standard that defines the functionality of NFTs, said that the issue was not related to their protocol and offered assistance to Magic Eden.