Magic Eden Rivals Say NFTs on Solana’s Biggest Marketplace Are at Risk

Solana’s top NFT marketplace responds to growing criticism and says it plans to change the way it manages users' assets—but not right away.

By Andrew Hayward


There’s no bigger player than Magic Eden in the Solana NFT space. Launched last fall, the marketplace routinely commands 90% or more of all trading volume on Solana and has turned that dominance into a $1.6 billion valuation as of its latest VC funding round in June.

But as Magic Eden’s star rises, members of the Solana NFT community—both builders and collectors alike—are increasingly sharing concern that the platform has become much too “centralized” on its way up. They point to recent changes that limit access from third-party aggregators and tools, as well as the way Magic Eden manages its custody of users’ NFTs—which could leave users’ assets vulnerable to attack.

“People should be 100% aware that a hacker could get the keys to Magic Eden and ‘rug’ everyone of their NFTs,” Marty, pseudonymous founder of Zion Labs, which makes Solana NFT tools, told Decrypt. “This wouldn’t happen if it was decentralized and if their code was open-source.”

In comments sent to Decrypt, Magic Eden didn’t specifically address the perceived risks of its escrow-based trading model, but said that it believes the alternative is currently less safe for users. The marketplace plans to embrace an escrow-less system in the future, but doesn’t believe that the tech is secure enough yet.

Escrow or no?

Discussion over Magic Eden’s policy of holding users’ listed NFT assets in an escrow wallet isn’t new, but the debate is picking up steam. Magic Eden takes custody of all listed assets rather than allowing them to remain in users’ own wallets, and user NFTs are held in an escrow wallet via the marketplace smart contract.

That practice was common in the early days of the Solana NFT market, but more recent entrants to the Solana ecosystem—like OpenSea and Hyperspace—do not take that approach. When you list a Solana NFT for sale on those marketplaces, it remains in your wallet.

Last Wednesday, OpenSea tweeted out against “Solana marketplaces taking custody of NFTs,” and while Magic Eden was not named, the target was obvious. "We believe marketplaces that custody your NFTs limit choice and utility, and compromise security," OpenSea tweeted at the time. The two marketplaces have sparred over this point before, with Magic Eden recently retorting with a link about OpenSea being sued by a user over an unwitting Ethereum NFT sale due to a UI loophole.

Metaplex’s Auction House protocol for Solana enables NFT trading without the need for a marketplace to take custody of an asset. A source close to Metaplex, who asked not to be named, confirmed to Decrypt that Magic Eden’s marketplace contract is based on an early version of Auction House, which is designed as a permissionless, peer-to-peer trading system.

However, Magic Eden has made substantial changes to that contract code, along with that of its launchpad contract based on Metaplex’s Candy Machine minting tool. Magic Eden has also closed them off to the rest of the community. “They’re closed-source and permissioned derivatives of open-source tech that was provided by Metaplex,” said the source.

That approach adds potential risk for NFT traders. Closed-source software can’t be audited by the community or benefit from bug bounty programs. Even Metaplex doesn’t know what’s currently in Magic Eden’s marketplace contract code.

What would happen if Magic Eden’s escrow wallet was compromised? Or what happens if Magic Eden suddenly shutters, as some other crypto firms have in recent months amid the recent market crash? The Metaplex source said that the “centralized” escrow wallet holds some 180,000 NFTs, as of late last week.

In response to Decrypt’s questions, Magic Eden co-founder and Chief Technical Officer Sidney Zhang said that the marketplace plans to transition to a custody-free model at some point—but that current solutions aren’t adequately secure, in his team’s view.

“We are actively exploring escrowless models and plan to move to an escrowless model, but we believe the current smart contracts to implement escrowless mode that other marketplaces use are unsafe,” he wrote. “There are many security implications of this transition, and we want to do it carefully to ensure that our users do not get their assets inadvertently lost through stale listings.”

Zhang pointed to the aforementioned issues on OpenSea from earlier this year, in which some users’ Ethereum NFTs were sold for well below market price. OpenSea blamed a disconnect between its UI and the Ethereum blockchain for “inactive” offers going through, and ultimately reimbursed users to the tune of $1.8 million in ETH.

“Fairly complex smart contract changes need to be made to prevent these scenarios,” Zhang added. “We’re actively exploring how to do them in the best way.”
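The escrow-versus-escrowless trade-off that Zhang and the critics argue over can be made concrete with a small model. The following is an added example, not code from Magic Eden, OpenSea or Metaplex; the class names, the "nonce" mechanism and the scenario (a seller moves a listed NFT to another wallet and back, then a buyer executes the old listing) are simplified assumptions chosen to illustrate the stale-listing failure mode and one way a contract can close it.

```python
"""Toy model of the two listing designs discussed in the article.

Added illustration only: EscrowMarket, ApprovalMarket, Nft and the
nonce-based invalidation are assumptions, not any marketplace's real
contract logic. Real Solana/Ethereum programs differ in detail.
"""
from dataclasses import dataclass


class MarketError(Exception):
    pass


@dataclass
class Nft:
    mint: str
    owner: str


@dataclass
class Listing:
    seller: str
    price: int
    nonce: int  # seller's listing nonce at the time the listing was signed


class EscrowMarket:
    """Custodial model: the marketplace holds every listed NFT.

    A stale listing cannot sell an asset the seller moved, because the
    seller cannot move it. The cost is that one escrow wallet holds all
    listed inventory, which is the concentration risk the article raises.
    """

    def __init__(self, escrow_address="ESCROW"):
        self.escrow = escrow_address
        self.listings = {}

    def list_for_sale(self, nft, seller, price):
        if nft.owner != seller:
            raise MarketError("not the owner")
        nft.owner = self.escrow  # custody moves to the marketplace
        self.listings[nft.mint] = Listing(seller, price, 0)

    def transfer(self, nft, frm, to):
        if nft.owner != frm:  # while listed, the owner is the escrow
            raise MarketError("not the owner")
        nft.owner = to

    def buy(self, nft, buyer, pay):
        lst = self.listings.pop(nft.mint, None)
        if lst is None or nft.owner != self.escrow:
            raise MarketError("no active listing")
        if pay < lst.price:
            raise MarketError("underpaid")
        nft.owner = buyer
        return lst.price


class ApprovalMarket:
    """Escrow-less model: the NFT stays in the seller's wallet and the
    listing is a signed offer. With bind_to_nonce=False a listing survives
    the seller transferring the asset away and back, so an old, underpriced
    listing can still execute (the 'inactive offer' problem). With
    bind_to_nonce=True every transfer bumps the owner's nonce and the
    contract rejects listings signed under an older nonce."""

    def __init__(self, bind_to_nonce):
        self.bind_to_nonce = bind_to_nonce
        self.listings = {}
        self.nonces = {}  # owner -> current nonce

    def list_for_sale(self, nft, seller, price):
        if nft.owner != seller:
            raise MarketError("not the owner")
        self.listings[nft.mint] = Listing(seller, price, self.nonces.get(seller, 0))

    def transfer(self, nft, frm, to):
        if nft.owner != frm:
            raise MarketError("not the owner")
        nft.owner = to
        # any transfer invalidates every listing the old owner signed
        self.nonces[frm] = self.nonces.get(frm, 0) + 1

    def buy(self, nft, buyer, pay):
        lst = self.listings.get(nft.mint)
        if lst is None or nft.owner != lst.seller:
            raise MarketError("no active listing")
        if self.bind_to_nonce and lst.nonce != self.nonces.get(lst.seller, 0):
            raise MarketError("stale listing")
        if pay < lst.price:
            raise MarketError("underpaid")
        del self.listings[nft.mint]
        nft.owner = buyer
        return lst.price


def stale_listing_scenario(market_factory):
    """Constructed scenario: alice lists MINT1 at 1, moves it to a cold
    wallet and back (forgetting the listing), then bob tries to buy at the
    old price. Returns a one-line description of what the contract did."""
    nft = Nft("MINT1", "alice")
    market = market_factory()
    market.list_for_sale(nft, "alice", price=1)
    try:
        market.transfer(nft, "alice", "alice-cold")
        market.transfer(nft, "alice-cold", "alice")
    except MarketError as e:
        return f"transfer blocked: {e}"
    try:
        paid = market.buy(nft, "bob", pay=1)
        return f"sold for {paid} to {nft.owner}"
    except MarketError as e:
        return f"blocked: {e}"


if __name__ == "__main__":
    print(stale_listing_scenario(EscrowMarket))
    print(stale_listing_scenario(lambda: ApprovalMarket(bind_to_nonce=False)))
    print(stale_listing_scenario(lambda: ApprovalMarket(bind_to_nonce=True)))
```

The three runs show the shape of the argument: the custodial contract blocks the transfer outright (the asset is simply not in the seller's wallet), the naive escrow-less contract lets the forgotten listing execute at the old price, and the nonce-bound variant rejects it as stale. The model says nothing about which design any real marketplace uses; it only makes the "stale listings" risk Zhang cites, and the kind of contract change needed to prevent it, visible in code.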

Recent tweaks

Besides ongoing concern about Magic Eden’s escrow-based model, the marketplace has faced increased scrutiny of late over changes made to how its platform works—and how third-party apps and protocols can build on top of or alongside it.

The discussion gained steam last week thanks to a viral Twitter thread from user “Pland,” who wrote that Magic Eden is “not a permissionless dapp anymore” due to a recent smart contract change. Smart contracts hold the code that powers decentralized apps (dapps) and NFT assets. Similar rumblings circulated on Twitter in June, but the latest thread gained more traction.

According to developers that Decrypt spoke with, the contract change made it so that Magic Eden has to sign every transaction that takes place on its marketplace, which wasn’t previously the case. As a result, some third-party apps that aggregate listings from multiple marketplaces were broken, along with so-called “sniper bot” tools that can be used to buy specific NFTs.

Magic Eden acknowledged the change to Decrypt, explaining that transactions now require two signatures: one from the end user, and one from an API key provided by Magic Eden. An API key is used to authenticate developers and third-party programs that wish to access an app or service. Ethereum-centric marketplaces like OpenSea also have an API system.

“This change was rolled out so that we can maintain core site reliability and reduce botting that would jeopardize our users’ listings and trades,” Magic Eden co-founder and chief engineering officer Zhuojie Zhou told Decrypt. “We very much welcome the ecosystem to take part in our API program.”

Overwhelming activity from automated bot programs has slowed, and at times entirely taken down, the wider Solana network in the past, most notably in April. Solana Labs recently instituted a number of changes to try to improve network stability.

Zhou said that Magic Eden has given out more than 300 API keys to date to developers, including aggregators like Tensor and NFTSoloist, plus wallet app makers like Exodus and Slope. He also noted that the makers of the popular Solana wallet Phantom required Magic Eden to have an API to verify that transactions were coming from its servers.

“We believe in supporting a formal developer ecosystem that enables a secure and reliable marketplace,” Zhou added, “and remain open to evolving the API program based on partner developers’ needs.”

An ‘anticompetitive move’

Some builders in the Solana space, however, see the shift as a rejection of decentralized principles, not to mention a decision made to stymie potential rival developers in the NFT space.

“We were surprised to learn they were doing this, because it’s completely centralized with no plausible benefit to end users,” a representative from NFT marketplace aggregator Hyperspace told Decrypt. “It’s in fact detrimental to users, as it increases reliance on their servers and consequently leads to an increased failure rate of transactions.”

The representative, who asked not to be named, said that Magic Eden reached out to Hyperspace ahead of the change “and threatened to shut us down if we didn’t change our platform to fully benefit/service them.” Magic Eden allegedly wanted Hyperspace to “exclusively direct listings to Magic Eden and only operate via their API,” the rep added.

“We categorically deny threatening them in these discussions,” a Magic Eden representative told Decrypt. “We encourage our partners to integrate with Magic Eden as deeply as possible in order to provide the fullest technical and operational support possible. Unfortunately, Hyperspace was not interested in such a partnership and has been antagonistic since.”

Hyperspace said that it discovered a workaround to Magic Eden’s API and continues to serve aggregated listings, but other aggregators (such as CoralCube) have apparently lost functionality as a result. “Since then, they have continued to try to and are actively working on how to block us out,” the Hyperspace representative alleged of Magic Eden.

Some builders in the Solana space told Decrypt that they believe that Magic Eden’s move was intentionally designed to exclude NFT aggregators that gained traction in recent months. It ultimately gives Magic Eden control over who can tap into its listings and benefit from its liquidity.

“We have been vocal against what has been a strictly anticompetitive move and a breach of open web principles,” the Hyperspace rep said. “We feel it’s our responsibility to stand up for decentralization and interoperability in the Web3 space, and the entire Solana ecosystem and Solana Foundation should be [up] in arms to prevent this from getting any further.”

The debate rages

Furthermore, Magic Eden has taken flak when implementing new features that appear to be strongly inspired by external Solana apps. Last week, the announcement of the Magic Eden List feature—which lets projects create allowlists of users ahead of NFT drops—got pushback for being very similar to Blocksmith Labs’ Mercury tool.

“It seems like a direct attempt to box out anyone who can do anything remotely better,” pseudonymous NFT collector Topo Gigio told Decrypt of Magic Eden’s feature additions. Meanwhile, Marty of Zion Labs alleged that Magic Eden is “using venture capital as a weapon” as it rapidly expands to become an all-in-one Solana NFT resource.

Magic Eden’s Zhou responded that the startup is a “user-first company” and that it makes feature additions based primarily on user requests. He claimed that expanded features on the platform are in service of collectors, and rejected the debate over centralization.

“This conversation is not about centralization vs. decentralization, and never has been,” Zhou said. “Partner toolings have existed on top of Magic Eden’s evolving marketplace experience since we launched, and we have no plans to change that approach.”

For some participants in the Web3 space, the overall conversation around Magic Eden is very much about centralization vs. decentralization—including how a major player in the space should approach matters like asset custody, open-source code, and composability of blockchain assets and protocols.

Between its continued use of escrow and its API-centric changes, Magic Eden’s decisions aren’t sitting right with everyone lately. But Magic Eden remains in a place of power as the primary destination where Solana collectors buy and sell.

Criticism of Magic Eden is growing, but it remains to be seen whether many NFT projects will choose to launch elsewhere (as some have recently on OpenSea), as well as whether notable collectors will opt to take a public stand and withdraw from the marketplace.

Topo Gigio is one of those people. Tweeting that he’d “fall on my sword” and forgo liquidity, the collector claimed that he will no longer use the marketplace, noting Magic Eden’s escrow policy and contract changes. In a message to Decrypt, he also cited its perceived “deflection of responsibility” around a controversial NFT drop, DegenTown.

“All of the liquidity is at Magic Eden—they won't miss me,” he told Decrypt. “I was happy to take my high-value assets, but low-volume trading elsewhere.”
