Creators and collectors of Solana-based NFTs are up in arms today as a major exploit at leading marketplace Magic Eden appears to be allowing scammers to pass off and sell fake NFTs as being part of prominent, verified collections.
Discussion around the exploit flared up early this morning on Twitter, where users alleged that Magic Eden was listing fraudulent NFTs from popular collections like ABC and y00ts. Sellers were apparently able to pass off the NFTs as being part of those projects, and sell them for hundreds of dollars’ worth of SOL or more.
Magic Eden tweeted about the situation this morning, thanking community members for “alerting us there was an issue where people could buy fake ABC NFTs.” The marketplace said that it had “added more verification layers per collection to resolve the issue,” and encouraged affected traders to reach out to marketplace support.
However, pseudonymous ABC creator HGE and other notable Solana figures said that the problem still wasn’t fixed. HGE described the issue as a “massive exploit,” and called on Magic Eden to temporarily shut down the marketplace until the issue is completely resolved.
“I know volume is important, but limit the damage first,” HGE tweeted at Magic Eden. “Make sure the exploit is stopped, like really make sure of it.”
Shortly after 1pm ET, Magic Eden tweeted that the issue had been resolved on its end, but that users may still see the fraudulent listings until they “hard refresh” their browsers.
Update: Please hard refresh your browsers to make sure you are only seeing verified collection items. We’re monitoring the situation & will use this thread for updates.
We have fixed 2 issues: 1) fake NFTs being listed on collection pages 2) tx of fake NFTs on activity tabs
“Earlier today, we resolved the root issue but believe users who didn’t hard refresh their browsers still saw unverified NFTs on collection & activity pages,” Magic Eden tweeted. “This is likely a situation that has impacted fewer than 10 collections. We will do a public postmortem [with] more details.” The company did not explain how the exploit happened and did not immediately respond to Decrypt‘s request for comment.
On Tuesday, Magic Eden similarly asked users to “hard refresh” their browsers after some saw pornographic images and stills from the TV show “The Big Bang Theory” in place of NFTs. Magic Eden blamed a hacked third-party image caching partner for the problem, and said that it was fixed.
In a longer statement shared on Wednesday afternoon, Magic Eden said that the issue was isolated to 25 NFTs sold across four collections over the 24 hours before the fix was instituted, although it’s possible that more unverified, fraudulent NFTs were indeed listed on Magic Eden but never sold.
Magic Eden said that it will refund users that inadvertently purchased a fake NFT from one of its verified projects. The company blamed the exploit on a user interface (UI) issue that emerged amid the launch of two recent features, its Snappy Marketplace and Pro Trade tools.
“The technical explanation is that our activity indexer for these two tools did not check that the creator address is verified,” the firm wrote. “Magic Eden’s smart contract remains secure, and this incident was an isolated UI issue.”
HGE told Decrypt that he believes that this is an exploit that has been active for some time, potentially for months, but that it hadn’t been used at a high level until now. Twitter user Christopher Moltistonki alleged that the exploit script is being sold on black market websites to potential scammers, and that such actions have elevated the visibility of the exploit.
Magic Eden said that it will investigate further to see if there were additional trades of fraudulent NFTs from before that 24-hour window.
Metaplex, the creator of the Solana token standard that defines the functionality of NFTs, tweeted that the issue is unrelated to the Metaplex protocol or NFT standard.
“This issue appears to be unrelated and caused by improper checks at the marketplace layer,” Metaplex tweeted, suggesting that it’s unrelated to a previous Metaplex bug that it said was resolved back in December.
Editor’s note: This article was updated after publication to include Magic Eden’s latest statements.
Stay on top of crypto news, get daily updates in your inbox.