i already messaged a mod about this but he got off so just posting it here. In short i sold two domains but it looks like the fida is stuck in this program, check spl transfers. If looks like a days worth of fida is stuck in here if i’m understanding this correctly.
Can you DM me the tx or domain names so I can have a look?
Yes, but I don’t see a DM/message button anywhere. I also sent all the details + domain info to Majik Hana.
I have just sent you a DM
Update; Looks like there is some issue with their platform and it’s possible that many of you are missing FIDA that should have been sent to you. The owner paid me for the two domains, but obviously it raises a lot of questions. I’m almost certain I have other domains i have not been paid for too, and possibly based on that program, another 168 people have no either. The owner stopped replying to me, and Majik (mod) is basically saying they will only pay people if they know they haven’t been paid.
It sounds like they do not plan to refund anyone unless you know catch them not paying you.
I think i have had this issue before but was unsure how to check because they don’t give transaction details.
Last week Bonfida discovered a critical vulnerability on the Metaplex auction program. The vulnerability allowed an attacker to steal all the funds of the Metaplex auction program. It’s a vulnerability that affected 100% of the auctions using Metaplex (including NFT market places like Holaplex etc) and 100% of the funds were at risk. The name services uses this program to auction domain names. We immediately patched the program on our end and contacted the Metaplex team. They released a patch a few hours after we disclosed the vulnerability (announce: https://twitter.com/metaplex/status/1482178833428144130 and fix (fix) fixes for allowing old bids to cancel when made with old token … · metaplex-foundation/metaplex-program-library@e7f98f2 · GitHub).
The vulnerability came from the fact that the program did not perform any check on the bidder pot token account (escrow wallet for the bids). The solution Bonfida gave to the Metaplex team to fix it was to use a Program Derived Address (PDA) for the bidder pot token account as it guarantees the initialisation is made program side. However, in the first patch deployed on the name service, the PDA account was assigned to the program id instead of the auction public key. Bonfida quickly released another patch to fix the PDA assignation. However, this assignation error affected a small amount users, if you think you are affected feel free to DM me.
No communication was made earlier because in this type of situation where critical vulnerabilities are found one needs to be careful before making anything public. A lot of projects are relying on the Metaplex framework and they were all vulnerable, so it’s critical to make sure they are made aware and upgrade their code before anything is made public. Based on Metaplex volumes, it’s realistic to say that > 10mil were at risk (this could have been the biggest Solana hack ever).
The Bonfida dev team will write an article about this vulnerability in order to explain it and help other devs to write more secure code in the future.
TL;DR: Bonfida found a critical vulnerability in Metaplex, in the patching process a small bug was introduced and was patched as well. All funds are now safe in Metaplex
Why are you labeling this as spam? @bonfida It was an issue and still is an issue that you guys have neglected to give the proper attention to.
Look, I’m not trying to be a pain in the ass but like i told @ellttBen It isn’t just about me getting my money, but it’s about Bonfida being a legit service where your customers know they are properly being paid.
You want people in the space to trust you right? So far you guys have closed channels to help new customers who actually need help and are trying to push everything to the forums which you monitor every post. Take this issue as another example, look how much work i had to put in to just have you guys look at it.
Lets get all this stuff fixed and push out the best possible domain market for Solana my dude.
@YeeeHAA Discourse is labelling your posts as spam for several reasons:
- Insulting language in your posts towards mods and other community members
- Tendency to edit your posts
- Posting several posts with the same links
- Your posts are being reported by community members
The latter is the reason why your posts recently got hidden by the spam filter. I will manually unflag them, but it’s important for every community member to be respectful of others and watch their language.
Everybody that was impacted and reached out was compensated immediately (including you cf bamboozle.sol and nftpool.sol)
Yeah on those two domains i was compensated. Like i said, this isn’t just about me, it’s about your users who i think should be compensated even if it’s only affects one other person or even if they are 100% unaware of this. If i never caught this would anyone have been compensated?
bear with me, but people inside here have not been paid correct? https://bafkreigidcodvdk4qlaij4noprjzs43l2kohtwbbgvk7apn2kyw6qhlcpm.ipfs.infura-ipfs.io/
Edit: I think it would help with transparency if you guys added a history tab to the new layout. domain:tx id:buyer:seller:cost:state:etc. This would help people better understand what’s happening plus this would help re-sellers better keep track off funds and so on for taxes and so on.
I will sync up with @ellttBen about this, but as he said in his latest message
As of right now, we have received exactly one complaint from the community, which wasn’t enough to perform proper validation. In the interest of moving forward, I’m publishing these findings here anyways.
This bug happened 2-3 months ago my dude, if I don’t say something then would it ever get attention again? Notice how larger platforms in this space see an exploit then they are 100% transparent and say what they are going to do then follow up and do it? It goes along way. Some of those people on that list might actually need that money. Is them using their last 100 dollars or w/e to speculate on domains the correct thing? prob not, but that isn’t the point.
As for me being rude, at least I’m honest. I’m not on here trying to be your best friend then abusing stuff on the site, which people have done on here. If you go back I openly even said I knew about stuff being abused but there was 0 urgency to even look into it. Look what happened with the staking bug, and how the platform is advertised as decentralized however you guys have god power over domains as you were able to take the domains from the gent who was mainly doing staking exploit. Look how few people defended you guys in that event, then imagine if it was something larger where huge players lost money because something was falsely advertised but you guys are just chill about it. Twitter would have a field day. There was actually a 9 figure trader who was following that event and just ended up getting rid of all his domains because he had no idea if his money was safe. He thought he owned his domains. He will not use domains because as far as we’re concerned you can just move a domain to a dif wallet then when they’re moving money it can just end up in a new wallet because the name was moved.
Stop fudding bro, they have been very transparent since the beginning, they went and looked at all the transaction history. It seems only natural that they would want to verify their results with user testimonials before making a script to send tokens to the list they have. Especially when the only one complaining insults everyone else on the forum…
@bonfida Thank you for putting in the time and insuring that everyone was refunded. Idk if i was paid twice because i assume the program just paid everyone and you guys refunded me when i first found the error. If you want me to return the extra fida lmee the amounts i owe. Dm me or something.