NFT Metadata Validation
Detects NFT metadata validation issues.
Overview
The NFT metadata validation detector identifies programs that do not properly validate NFT metadata operations, including missing owner/signer validation before metadata modifications, unsafe account data storage without checks, missing key verification, and insufficient authorization checks.
For remediation guidance, see NFT Metadata Validation Remediation.
Why This Is an Issue
NFT metadata quality is critical for marketplace listing, collection verification, and user trust. Programs that allow unauthorized metadata modifications enable counterfeit NFTs, collection fraud, and metadata spoofing. Missing authorization checks on metadata operations can devalue legitimate collections and cause financial harm to creators and collectors.
How to Resolve
Before (Vulnerable)
// Vulnerable: stores metadata without authorization check
// Nothing confirms that the caller is the update authority, and creator entries
// flagged `verified` are stored as supplied, without any signature check.
pub fn set_metadata(ctx: Context<SetMeta>, data: MetadataInput) -> Result<()> {
    let nft = &mut ctx.accounts.nft_metadata;
    nft.name = data.name;
    nft.uri = data.uri;
    nft.creators = data.creators;
    Ok(())
}
After (Fixed)
// Fixed: validates authority and creator signatures
// Assumes `authority` is declared as a Signer in `SetMeta`, so its key is a signed key.
pub fn set_metadata(ctx: Context<SetMeta>, data: MetadataInput) -> Result<()> {
    // Only the stored update authority may modify this metadata account.
    require!(
        ctx.accounts.authority.key() == ctx.accounts.nft_metadata.update_authority,
        ErrorCode::Unauthorized
    );
    // A creator entry may be marked verified only if it is the signing authority.
    for creator in &data.creators {
        if creator.verified {
            require!(creator.address == ctx.accounts.authority.key(), ErrorCode::CreatorNotSigner);
        }
    }
    let nft = &mut ctx.accounts.nft_metadata;
    nft.name = data.name;
    nft.uri = data.uri;
    nft.creators = data.creators;
    Ok(())
}
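The fixed handler's checks, modelled in plain Rust so they can be unit-tested without the Anchor runtime (an added example, not the detector's or the page's own code). It goes one step beyond the page's fix: a creator flagged `verified` is accepted when its address is any transaction signer, not only the authority. `Pubkey` is a stand-in for `solana_program::pubkey::Pubkey`, `signers` is an assumed list of the transaction's signers, and `ErrorCode` is a hypothetical enum reusing the page's variant names.

```rust
// Added example, not the page's or detector's code: the "After (Fixed)" checks
// modelled in plain Rust so they run without Anchor. `Pubkey` stands in for
// solana_program::pubkey::Pubkey; `signers` is an assumed list of transaction signers.
#[derive(Clone, Copy, PartialEq, Eq, Debug, Default)]
pub struct Pubkey(pub [u8; 32]);

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Creator { pub address: Pubkey, pub verified: bool }

#[derive(Clone, Debug, Default)]
pub struct MetadataInput { pub name: String, pub uri: String, pub creators: Vec<Creator> }

#[derive(Debug, PartialEq, Eq)]
pub enum ErrorCode { Unauthorized, CreatorNotSigner }

/// On-chain metadata account with the fields the page's handler writes.
#[derive(Debug, Default)]
pub struct NftMetadata {
    pub update_authority: Pubkey,
    pub name: String,
    pub uri: String,
    pub creators: Vec<Creator>,
}

/// The fixed handler's shape. `authority` must have signed (what Anchor's Signer type
/// enforces) and must equal the stored update authority; every creator flagged
/// `verified` must itself be a signer. Nothing is written unless both checks pass.
pub fn set_metadata(
    nft: &mut NftMetadata,
    authority: &Pubkey,
    signers: &[Pubkey],
    data: MetadataInput,
) -> Result<(), ErrorCode> {
    if !signers.contains(authority) || *authority != nft.update_authority {
        return Err(ErrorCode::Unauthorized);
    }
    if data.creators.iter().any(|c| c.verified && !signers.contains(&c.address)) {
        return Err(ErrorCode::CreatorNotSigner);
    }
    nft.name = data.name;
    nft.uri = data.uri;
    nft.creators = data.creators;
    Ok(())
}
```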
Example JSON Finding
{
  "detector": "nft-metadata-validation",
  "severity": "medium",
  "confidence": 0.6,
  "message": "Metadata storage without authorization validation",
  "location": { "function": "set_metadata", "block": 0, "statement": 2 }
}
Detection Methodology
- Metadata storage detection: Identifies store operations to metadata-like accounts.
- Authorization pattern checking: Verifies authority validation before metadata writes.
- Creator verification: Checks for creator signature validation on verified creator entries.
Limitations
- False positives: Admin functions for initial NFT minting may legitimately set metadata without external creator verification.
- False negatives: Custom metadata schemes that do not follow Metaplex patterns may not be recognised as metadata and are therefore not flagged.
Related Detectors
- Metaplex Compliance — Metaplex standard compliance
- NFT Creator Verification — creator signature checks