Early traders of NFT marketplace Magic Eden's new token ME had a lot to be thankful for – if they could access their airdrops, that is.
In the first minutes of trading Tuesday, the token's fully diluted valuation hit $15 billion. But as more claimants managed to process their airdrops – and in some lucky cases, sell – that valuation began to crater. It eventually settled at an FDV around $5 billion.
ME's rocky rollout stood in sharp contrast to other recent token launches. Hyperliquid's HYPE token immediately went parabolic after launching in late November. And Move's days-old MOVE token had a far more stable rollout – even shooting up at times.
Some observers saw ME's down-only price action as comeuppance for a crypto project whose airdrop processing procedure was highly atypical, and, according to three industry insiders, threatened to breach security best practices.
Magic Eden did not respond to CoinDesk's questions.
Traders who managed to claim thousands of dollars-worth of ME publicly shunned anyone badmouthing their "free money." Others bemoaned apparently getting their wallets drained while wading through Magic Eden's convoluted process.
It was a mixed day for Solana's best-known NFT trading platform, which has partly weathered the hollowing-out of crypto's digital collectibles economy by supporting newer, flashier and more highly-traded NFTs on the Bitcoin blockchain too.
Security concerns
The same wallet issues that complicated ME's launch also could threaten user privacy, according to one industry source who asked not to be named.
Magic Eden earmarked ME tokens for NFT traders as a reward for their past business. To get their airdrop, those traders had to either import the private keys from their qualifying wallets into Magic Eden's wallet app or create a new wallet on Magic Eden's app and link it to their old ones. The latter action potentially creates a privacy-busting link between previously unaffiliated wallets.
Usually, crypto apps are content to let their users claim airdrops within their wallet of preference. Of course, most apps don't pair their token launch with an in-house wallet. The process doubtless boosted adoption of Magic Eden's new wallet.
Nevertheless, CoinDesk found a number of atypical security practices within the Magic Eden wallet. It keeps a backup of users' recovery phrases and private keys on-app with no clear route to delete that information. While this makes the service more user-friendly, it also goes against established norms in wallet design and security.
"It's a very bad idea to store this stuff" anywhere digitally, be it locally on one's own device or – even worse – remotely on a company's servers, said Ogle, a pseudonymous crypto-security sleuth. It's not clear exactly where Magic Eden is storing the wallet recovery information.
The process also opened up airdrop claimants to attack from bad actors who might pretend to be Magic Eden.
Wallets created within Magic Eden's app cannot easily be transferred to other wallet applications. CoinDesk attempted to recover a Magic Eden-created wallet on Phantom by using the Magic Eden-provided 12-word recovery phrase. This process resulted in the control of a completely different address.
An industry source said it had to do with Magic Eden's reliance on a different tech setup than other leading wallets. It can be overcome by importing the private key, which is nestled deeper in Magic Eden's app settings.
Not-so-savvy users might attempt to move their Magic Eden wallets to a different app using the 12 word recovery phrase alone.
"They are not going to be finding any money in there," the insider said, predicting such users would panic, and perhaps incorrectly assume their money was gone for good.