Metaplex Compliance
Detects Metaplex metadata standard compliance violations.
Metaplex Compliance
Overview
The Metaplex compliance detector identifies programs that violate the Metaplex metadata standard including missing owner checks before metadata operations, improper signer verification, unsafe account data access, and incorrect collection linking.
For remediation guidance, see Metaplex Compliance Remediation.
Why This Is an Issue
Metaplex is the leading standard for NFT metadata on Solana. Programs that do not follow Metaplex conventions produce NFTs that are not recognized by marketplaces (Magic Eden, Tensor) and wallets (Phantom, Solflare). Incorrect metadata operations can also create security vulnerabilities where unauthorized parties modify NFT metadata or collection status.
How to Resolve
Before (Vulnerable)
// Vulnerable: modifies metadata without owner verification
pub fn update_metadata(ctx: Context<UpdateMeta>, new_uri: String) -> Result<()> {
let metadata = &mut ctx.accounts.metadata;
metadata.uri = new_uri; // No authority check
Ok(())
}After (Fixed)
// Fixed: validates update authority
pub fn update_metadata(ctx: Context<UpdateMeta>, new_uri: String) -> Result<()> {
require!(
ctx.accounts.authority.key() == ctx.accounts.metadata.update_authority,
ErrorCode::Unauthorized
);
let metadata = &mut ctx.accounts.metadata;
metadata.uri = new_uri;
Ok(())
}Example JSON Finding
{
"detector": "metaplex-compliance",
"severity": "medium",
"confidence": 0.6,
"message": "Metadata modification without update authority validation",
"location": { "function": "update_metadata", "block": 0, "statement": 2 }
}Detection Methodology
- Account data safety check: Identifies account data access without owner verification.
- Signer verification analysis: Checks for signer validation in creator operations.
- Metaplex pattern matching: Compares operations against Metaplex standard patterns.
Limitations
False positives: Custom metadata programs with non-Metaplex conventions may be flagged. False negatives: Programs that use Metaplex CPI but with subtle violations may pass.
Related Detectors
- NFT Metadata Validation — NFT metadata quality
- NFT Creator Verification — creator signature validation
- SPL Token Compliance — token standard compliance