NFT Creator Verification
Detects missing creator signature verification in NFT metadata operations.
Overview
The NFT creator verification detector identifies missing creator signature verification in NFT metadata operations. When creating or modifying NFT metadata, all creators listed must sign the transaction to authorize being listed. Without this check, attackers can impersonate creators, claim royalties, manipulate collection verification, and create counterfeit NFTs.
For remediation guidance, see NFT Creator Verification Remediation.
Why This Is an Issue
NFT marketplaces rely on verified creator signatures to authenticate NFT provenance. If a program sets verified: true on a creator entry without verifying that creator’s signature, anyone can create NFTs appearing to be from legitimate creators. This has enabled fake collection attacks on platforms like Magic Eden and Solanart.
How to Resolve
Before (Vulnerable)
// Vulnerable: sets verified without checking signer
for creator in metadata.creators.iter_mut() {
    creator.verified = true; // No signature check
}
After (Fixed)
// Fixed: only verify if creator signed the transaction
for creator in metadata.creators.iter_mut() {
    let is_signer = ctx.remaining_accounts.iter()
        .any(|a| a.key() == creator.address && a.is_signer);
    creator.verified = is_signer;
}
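To see the two patterns behave differently on concrete data, here is an added example; it is not code from this detector's documentation or from Metaplex. Pubkey and AccountInfo are plain stand-ins (assumed shapes carrying only the fields the check reads) so it runs without any Solana crate, and the validate_creators variant that rejects the instruction instead of silently downgrading the flag is a design choice that goes beyond the snippet above.

```rust
// Added example, not code from the detector's documentation or from Metaplex.
// Pubkey and AccountInfo are plain stand-ins (assumed shapes) so this runs
// without any Solana crate; only the fields the check reads are modelled.

/// Stand-in for a 32-byte Solana public key.
pub type Pubkey = [u8; 32];

#[derive(Clone, Debug, PartialEq)]
pub struct Creator {
    pub address: Pubkey,
    pub verified: bool,
}

/// Stand-in for the parts of an account passed in `remaining_accounts`.
pub struct AccountInfo {
    pub key: Pubkey,
    pub is_signer: bool,
}

#[derive(Debug, PartialEq)]
pub enum MetadataError {
    /// The caller asked for `verified: true` on a creator who did not sign.
    CreatorDidNotSign(Pubkey),
}

/// True when some account in `accounts` has this key and signed the transaction.
fn creator_signed(address: &Pubkey, accounts: &[AccountInfo]) -> bool {
    accounts.iter().any(|a| a.key == *address && a.is_signer)
}

/// Vulnerable pattern from the page: every listed creator is marked verified
/// regardless of who signed, so a forged creator list passes as authentic.
pub fn mark_creators_vulnerable(creators: &mut [Creator]) {
    for creator in creators.iter_mut() {
        creator.verified = true;
    }
}

/// Fixed pattern from the page: a creator is verified only if an account with
/// that address is present in the transaction and signed it.
pub fn mark_creators_fixed(creators: &mut [Creator], accounts: &[AccountInfo]) {
    for creator in creators.iter_mut() {
        creator.verified = creator_signed(&creator.address, accounts);
    }
}

/// Stricter variant (a design choice, not on the page): fail the instruction
/// instead of silently downgrading, so a client that supplied `verified: true`
/// for a non-signing creator gets an explicit error rather than a silent change.
pub fn validate_creators(creators: &[Creator], accounts: &[AccountInfo]) -> Result<(), MetadataError> {
    for creator in creators {
        if creator.verified && !creator_signed(&creator.address, accounts) {
            return Err(MetadataError::CreatorDidNotSign(creator.address));
        }
    }
    Ok(())
}

/// Constructed test key: all 32 bytes set to `b`.
pub fn test_key(b: u8) -> Pubkey {
    [b; 32]
}

fn main() {
    // Constructed scenario: creator 1 signed, creator 2 (an impersonated artist) did not.
    let accounts = vec![
        AccountInfo { key: test_key(1), is_signer: true },
        AccountInfo { key: test_key(2), is_signer: false },
    ];
    let template = vec![
        Creator { address: test_key(1), verified: false },
        Creator { address: test_key(2), verified: false },
    ];

    let mut vulnerable = template.clone();
    mark_creators_vulnerable(&mut vulnerable);
    println!("vulnerable: {:?}", vulnerable.iter().map(|c| c.verified).collect::<Vec<_>>());

    let mut fixed = template.clone();
    mark_creators_fixed(&mut fixed, &accounts);
    println!("fixed:      {:?}", fixed.iter().map(|c| c.verified).collect::<Vec<_>>());

    // Strict variant: the same request with creator 2 pre-marked verified is rejected.
    let mut requested = template;
    requested[1].verified = true;
    println!("strict:     {:?}", validate_creators(&requested, &accounts));
}
```

Running it shows the vulnerable loop marking both creators verified, the fixed loop verifying only the signer, and the strict variant rejecting a request that pre-marks the non-signing creator. In a real Anchor program the accounts come from `ctx.remaining_accounts` and the key comparison uses `a.key()`, as in the fixed snippet above.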
Example JSON Finding
{
    "detector": "nft-creator-verification",
    "severity": "high",
    "confidence": 0.8,
    "message": "Creator verified flag set without signature validation",
    "location": { "function": "create_metadata", "block": 1, "statement": 4 }
}
Detection Methodology
- Metadata operation detection: Identifies metadata account creation and modification.
- Creator array analysis: Tracks creator arrays and verified flag assignments.
- Signer check correlation: Verifies that verified flags are only set after confirming creator signatures.
Limitations
- False positives: Programs where the authority is the sole creator. The authority has already signed the instruction, so setting its own verified flag without a separate signer check is safe, but the detector still flags it.
- False negatives: Indirect creator verification through governance programs, where the signature is checked in another program the detector does not follow.
Related Detectors
- NFT Metadata Validation — metadata quality
- Metaplex Compliance — standard compliance
- NFT Royalty Bypass — royalty enforcement