Non-fungible token (NFT) marketplace Magic Eden said it would refund all users affected by an exploit in which fake NFTs were sold after being passed off as 'members' of verified collections.
On the morning of January 4 (PT), the marketplace team saw "a handful" of reports that users were being shown unverified NFTs as part of verified collections on Magic Eden, according to the announcement.
The incident affected popular collections such as ABC and y00ts. ABC creator HGE described this as 'a massive exploit' affecting high-value NFTs.
HGE called for the site to be paused, saying: "I know volume is important but limit the damage first. Make sure the exploit is stopped, like really make sure of it."
The team stated:
"We have identified in the last 24 hours, the impact was contained to 25 unverified NFTs sold across 4 collections."
The unverified NFTs showed up on the collection pages, they explained, while transactions of unverified NFTs could be seen in the activity tabs of the collections.
That said, the announcement claimed that the issue is resolved, that the team is currently checking if any additional NFTs were affected, and that users will be compensated, stating:
"Magic Eden is safe for trading and we will refund all the users who mistakenly bought unverified NFTs specifically due to this issue."
Magic Eden also communicated with the users about the issue via their social media accounts.
"Thank you to the community for bringing this issue to our attention & for your patience. We solved the root issue around 5 am PT today. We subsequently reminded users to hard refresh their browsers & added security measures to ensure unverified NFTs can no longer be bought on ME." (Magic Eden, @MagicEden, January 4, 2023)
For some, though, this wasn't enough. HGE argued that this is not a new incident but had previously been done on a smaller scale, and that the site shouldn't have been running while the exploit was active.
The announcement said that this was a user interface (UI) issue that occurred due to a new feature released to the marketplace's Snappy Marketplace and Pro Trade tools. While the former enabled users to see newly listed and sold items on Magic Eden directly on the screen in real time, the latter allowed them to see newly listed and sold items in real time with various stats.
However, said the announcement,
"Unfortunately, there was a bug deployed in an update to both of these features, where NFTs were not verified before being listed into these two tools, which automatically included the items into the collection at large. The technical explanation is that our activity indexer for these two tools did not check that the creator address is verified."
They stressed that Magic Eden’s smart contract is secure, and this was "an isolated UI issue."
The team took a series of steps to resolve the issue, adding an additional verification step to completely block similar types of attacks, they said.
Meanwhile, Metaplex, which created the Solana (SOL) token standard that defines the functionality of NFTs, said that the issue was not related to their protocol and offered assistance to Magic Eden.
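The missing check described in the announcement, shown as an added example that is not Magic Eden's code: an indexer that trusts a claimed collection beside one that requires a signed creator entry matching the collection's registered creator. The event fields, registry, addresses and sample events are assumptions constructed for illustration; the creator entry shape (address, verified, share) follows Metaplex token metadata.

```javascript
// Added example; names, addresses and events are constructed placeholders.
const ABC_CREATOR = "EXAMPLE_ABC_CREATOR_ADDRESS";
const Y00TS_CREATOR = "EXAMPLE_Y00TS_CREATOR_ADDRESS";

// Hypothetical registry: collection -> creator address the marketplace verified.
const VERIFIED_COLLECTIONS = new Map([["ABC", ABC_CREATOR], ["y00ts", Y00TS_CREATOR]]);

// Flawed indexer: files the NFT under whatever collection the event claims.
function indexEventUnchecked(event) {
  return { mint: event.mint, collection: event.claimedCollection };
}

// Hardened indexer: accept the claim only if some creator entry is signed
// (verified === true) and its address is the one registered for the collection.
function indexEventChecked(event, registry = VERIFIED_COLLECTIONS) {
  const expected = registry.get(event.claimedCollection);
  const creators = Array.isArray(event.creators) ? event.creators : [];
  const ok = expected !== undefined &&
    creators.some((c) => c.verified === true && c.address === expected);
  return { mint: event.mint, collection: ok ? event.claimedCollection : null };
}

// Constructed activity events covering the genuine case and three failures.
const SAMPLE_EVENTS = [
  { mint: "MINT_GENUINE", claimedCollection: "ABC",
    creators: [{ address: ABC_CREATOR, verified: true, share: 100 }] },
  { mint: "MINT_UNSIGNED", claimedCollection: "ABC", // right address, never signed
    creators: [{ address: ABC_CREATOR, verified: false, share: 100 }] },
  { mint: "MINT_OTHER_SIGNER", claimedCollection: "y00ts", // signed by someone else
    creators: [{ address: "EXAMPLE_UNRELATED_ADDRESS", verified: true, share: 100 }] },
  { mint: "MINT_NO_CREATORS", claimedCollection: "y00ts" }, // metadata lacks creators
];

// Mints that would be displayed on a verified collection page.
function shownInCollections(events, indexer) {
  return events.map((e) => indexer(e))
    .filter((r) => r.collection !== null)
    .map((r) => r.mint);
}

console.log("unchecked:", shownInCollections(SAMPLE_EVENTS, indexEventUnchecked));
console.log("checked:  ", shownInCollections(SAMPLE_EVENTS, indexEventChecked));
```

Checking the `verified` flag alone is not enough: the signed creator must also be the address registered for the collection the NFT claims to belong to.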