Creators and collectors of Solana-based NFTs are up in arms today over a major exploit on the leading marketplace, Magic Eden, which appears to allow fraudsters to issue and sell fake NFTs as part of prominent, verified collections.
The discussion surrounding the exploit flared up early this morning on Twitter, where users alleged that Magic Eden was listing fake NFTs from popular collections such as ABC and y00ts. Sellers were apparently able to release the NFTs as part of these projects and sell them for hundreds of dollars in SOL or more.
Magic Eden tweeted about the situation this morning, thanking community members for “notifying us that there was an issue where people could buy fake ABC NFTs.” The marketplace said it had “added multiple verification layers per collection to address the issue,” and encouraged affected traders to contact marketplace support.
However, pseudonymous ABC creator HGE and other notable Solana figures said the issue was still not resolved. HGE described the problem as a “massive exploit”, and urged Magic Eden to temporarily shut down the marketplace until the issue is fully resolved.
“I know volume is important but limit the damage first,” HGE tweeted at Magic Eden. “Make sure the exploitation is stopped, like really make sure of it.”
Just after 1 p.m. ET, Magic Eden tweeted that the issue had been resolved on its end, but that users could still see the fraudulent entries until they “hard refresh” their browsers.
“Earlier today we fixed the root issue, but believe users who did not upload their browsers were still seeing unverified NFTs on collection and activity pages,” Magic Eden tweeted. “This is probably a situation that has affected fewer than 10 collections. We will do a public postmortem [with] more information.” The company did not explain how the exploit occurred and did not immediately respond to Decrypt's request for comment.
On Tuesday, Magic Eden similarly asked users to “refresh” their browsers after some saw pornographic images and stills from the TV show “The Big Bang Theory” instead of NFTs. Magic Eden blamed a hacked third-party image caching partner for the problem, and said it had been fixed.
HGE told Decrypt that he believes the exploit has been active for a while, potentially for several months, but that it had not been used at a high level until now. Twitter user Christopher Montistonki alleged that the exploit script is being sold on black market websites to potential fraudsters, and that such actions have increased the visibility of the exploit.
HGE explained that he believes the issue has to do with Magic Eden’s index inadvertently including data from fraudulent NFTs on the real project pages.
“They told me they fixed it when they said they fixed it,” HGE told Decrypt. “But it’s clear they’ve screwed up fixing it.”
Metaplex, creator of the Solana token standard that defines the functionality of NFTs, tweeted that the problem is not related to the Metaplex protocol or the NFT standard.
“This issue appears to be unrelated and caused by faulty controls on the marketplace layer,” Metaplex tweeted, suggesting it is unrelated to a previous Metaplex bug that it said was fixed back in December.