High-level summary:
Early on 4 January 2023 PT, we received a handful of reports of users being shown unverified NFTs as part of verified collections on Magic Eden. These unverified NFTs showed up on the collection pages, and transactions involving them showed up in the activity tabs of the collections. The issue has been resolved as of this morning. Magic Eden is safe for trading and we will refund all the users who mistakenly bought unverified NFTs specifically due to this issue. Based on findings as of 5 Jan 2023, this issue's impact was contained to 13 NFTs across 5 collections. These NFTs were used in 27 transactions amounting to around 1.1K SOL. Impacted users will receive a full refund.
Source of the issue:
This was a UI issue caused by a new feature deployment to our Snappy Marketplace and Pro Trade tools. Snappy Marketplace refers to how, on Magic Eden, newly listed and sold items show up directly on the screen in real time to provide a more seamless user experience. Our Pro Trade tool, available for a subset of collections on Magic Eden, also lets people see newly listed and sold items in real time, with various stats to aid their decision-making. Unfortunately, an update to both of these features shipped with a bug: NFTs were not verified before being listed in these two tools, and items listed there were automatically included in the collection at large. The technical explanation is that our activity indexer for these two tools did not check that the creator address is verified. Magic Eden’s smart contract remains secure, and this incident was an isolated UI issue.
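The missing check described above, as an added example (not Magic Eden's code): an indexer filter that accepts an NFT into a collection only when the collection's creator address appears in its metadata with the verified flag set. The record shape follows the creators entries of Metaplex Token Metadata; the address-only "before" function, the collection map, and all addresses and mints are assumptions constructed for illustration.

```javascript
// Added example. Record shape is an assumption modeled on Metaplex Token
// Metadata, where each creator entry carries { address, verified, share }.
// All addresses, mints and collection names below are constructed placeholders.
const COLLECTION_CREATORS = new Map([
  ["example_collection", "CreatorAddr1111111111111111111111111111111111"],
]);

// "Before" (assumed form of the bug): matches on the creator address only, so
// a metadata entry that merely names the creator (verified: false) is accepted.
function belongsToCollectionAddressOnly(nft, collection) {
  const expected = COLLECTION_CREATORS.get(collection);
  return expected !== undefined &&
    (nft.creators || []).some((c) => c.address === expected);
}

// "After": the expected creator must be present AND carry verified === true.
// Strict comparison makes missing or non-boolean values fail closed.
function belongsToCollectionVerified(nft, collection) {
  const expected = COLLECTION_CREATORS.get(collection);
  if (expected === undefined || !Array.isArray(nft.creators)) return false;
  return nft.creators.some((c) => c.address === expected && c.verified === true);
}

// Hypothetical indexer step: only events that pass the check reach the feed.
function indexActivity(events, collection, check) {
  return events.filter((e) => check(e.nft, collection)).map((e) => e.nft.mint);
}

const CREATOR = COLLECTION_CREATORS.get("example_collection");
const SAMPLE_EVENTS = [ // constructed sample activity
  { type: "list", nft: { mint: "MintGenuine",
    creators: [{ address: CREATOR, verified: true, share: 100 }] } },
  { type: "list", nft: { mint: "MintUnverified",
    creators: [{ address: CREATOR, verified: false, share: 100 }] } },
  { type: "sale", nft: { mint: "MintNoCreators" } }, // no creators array at all
];

console.log(indexActivity(SAMPLE_EVENTS, "example_collection", belongsToCollectionAddressOnly));
console.log(indexActivity(SAMPLE_EVENTS, "example_collection", belongsToCollectionVerified));
```

Running the same predicate server-side at purchase time is one way to keep a stale client session from buying an item the indexer would now reject.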
Issue resolution measures:
Our team jumped on the issue immediately. The following actions were taken:
Disabled entry points to eliminate new unverified NFTs:
We disabled the Snappy Marketplace and Pro Trade features around 5:00 am PT to eliminate the entry points where unverified NFTs could be shown on the collection page. After this fix, users were no longer able to see unverified NFTs in the collection pages for new sessions.
Further security measures:
After realizing that the fix was only working for new browser sessions, around 10:14 am PT we asked users to hard refresh their browsers so that outdated unverified listings would no longer show up for them.
Additionally, we added an extra verification step to completely block similar types of attacks even if the users didn’t get a chance to refresh their browser.
As of 11:10 am PT, even users who have not hard refreshed will no longer be able to buy unverified NFTs on Magic Eden. Users should hard refresh so they also cannot see the items.
We are actively monitoring the development of this issue and will refund any impacted users. If users have any questions about security, they can contact help.magiceden.io.