Magic Eden’s $5B Token Airdrop Raises Questions About Crypto Wallet Security

Early traders of the NFT marketplace Magic Eden’s new ME token had plenty to be grateful for – if they could access their airdrops, of course.

In the first minutes of trading on Tuesday, the token’s fully diluted valuation reached $15 billion. But as more and more claimants managed to process their airdrops – and in some lucky cases, sell – that valuation began to collapse. It ultimately settled at an FDV of approximately $5 billion.

ME’s troubled rollout stands in stark contrast to other recent token launches. HYPE of hyperliquids token immediately went parabolic after its launch in late November. And Move is a few days old MOVE the token has had a much more stable deployment – ​​even rising at times.

Some observers saw ME’s price drop as a reward for a crypto project whose airdrop processing procedure was highly atypical and, according to three industry insiders, threatened to violate security best practices.

Magic Eden did not respond to questions from CoinDesk.

Traders who successfully publicly claimed thousands of dollars from ME avoided anyone who disparages their “free money”. Others deplored apparently empty their wallets while going through the convoluted process of Magic Eden.

It was a mixed day for Solana’s best-known NFT trading platform, which partly weathered the collapse of crypto’s digital collectibles economy by also supporting newer, flashier, more traded NFTs on the Bitcoin blockchain.

Security issues

The same wallet issues that complicated ME’s launch could also threaten users’ privacy, according to an industry source who asked to remain anonymous.

Magic Eden has reserved ME tokens for NFT traders as rewards for their past activities. To get their airdrop, these traders had to either import the private keys of their eligible wallets into the Magic Eden wallet app, or create a new wallet on the Magic Eden app and link it to their old ones. This latter action potentially creates a privacy-violating link between previously unaffiliated wallets.

Usually, crypto apps just allow their users to claim airdrops into their preferred wallet. Of course, most apps don’t associate their token launch with an internal wallet. The process has undoubtedly boosted adoption of Magic Eden’s new portfolio.

Nonetheless, CoinDesk discovered a number of atypical security practices within the Magic Eden wallet. It keeps a backup of users’ recovery phrases and private keys on the app with no clear route to deleting this information. While this makes the service more user-friendly, it also goes against established standards for wallet design and security.

“It’s a very bad idea to store this data” anywhere in digital form, whether locally on one’s own device or — even worse — remotely on a company’s servers, said Ogle, a detective pseudonym in crypto-security. It is unclear where Magic Eden stores wallet recovery information.

The process also opened airdrop requesters to attacks from bad actors who might pretend to be Magic Eden.

Wallets created in the Magic Eden app cannot be easily transferred to other wallet apps. CoinDesk attempted to recover a wallet created by Magic Eden on Phantom using the 12-word recovery phrase provided by Magic Eden. This process resulted in control of a completely different address.

An industry source said this was because Magic Eden relied on a different technology setup than other major wallets. This problem can be overcome by importing the private key, which is located deeper in the Magic Eden app settings.

Less savvy users might attempt to move their Magic Eden wallets to another app using only the 12-word recovery phrase.

“They won’t find any money in there,” the source said, predicting that these users would panic and perhaps wrongly assume their money was gone for good.