NFT Royalty Bypass
Detects NFT royalty enforcement bypass patterns.
Overview
The NFT royalty bypass detector identifies patterns that bypass NFT royalty enforcement, allowing transfers without paying required royalties to creators. It detects NFT transfers without royalty validation, missing Metaplex royalty enforcement checks, direct token transfers bypassing marketplace royalties, and custom transfer logic that skips royalty payments.
For remediation guidance, see NFT Royalty Bypass Remediation.
Why This Is an Issue
Creator royalties fund ongoing development and reward original artists. Programs that transfer NFTs without enforcing royalty payments undermine the NFT ecosystem and harm creators financially. Metaplex’s Programmable NFTs (pNFTs) were introduced specifically to enforce royalties, but programs that bypass the Token Metadata program can circumvent these protections.
How to Resolve
Before (Vulnerable)
```rust
// Vulnerable: direct token transfer bypassing royalties
pub fn transfer_nft(ctx: Context<TransferNft>) -> Result<()> {
    // Plain SPL Token transfer of the single NFT unit. The Token Metadata
    // program is never invoked, so creator royalties are neither checked nor paid.
    token::transfer(ctx.accounts.into_transfer_ctx(), 1)?;
    // No royalty payment
    Ok(())
}
```
After (Fixed)
```rust
// Fixed: use Metaplex transfer with royalty enforcement
pub fn transfer_nft(ctx: Context<TransferNft>) -> Result<()> {
    // Route the transfer through the Token Metadata program so pNFT
    // rule sets (including royalty enforcement) are applied by Metaplex.
    invoke(
        &mpl_token_metadata::instruction::transfer(
            TransferArgs::V1 {
                amount: 1,
                authorization_data: None,
            },
            // ... accounts including metadata, edition, token_record
        ),
        accounts,
    )?;
    Ok(())
}
```
Example JSON Finding
```json
{
  "detector": "nft-royalty-bypass",
  "severity": "medium",
  "confidence": 0.6,
  "message": "NFT token transfer without royalty enforcement check",
  "location": { "function": "transfer_nft", "block": 0, "statement": 1 }
}
```
Detection Methodology
- NFT transfer detection: Identifies token transfers of amount 1 (NFT transfers).
- Royalty payment search: Checks for corresponding lamport/token transfers to creator addresses.
- Metadata read analysis: Verifies whether metadata with royalty information is read before transfer.
- Metaplex CPI detection: Checks for Metaplex Token Metadata program CPI for compliant transfers.
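The four steps above can be modelled as a small heuristic pass over a per-function list of statements. The following is an added example written for this page, not the detector's own implementation: the statement IR (`Stmt`, `Function`), the `to_role` account tag, the `METAPLEX_PROGRAM` label and the confidence values other than the 0.6 shown in the finding above are assumptions chosen to illustrate the methodology. It emits findings in the same JSON shape as the example finding, and shows why a Metaplex CPI or an explicit creator payout suppresses the finding while a metadata read alone only lowers confidence.

```python
"""Toy model of the nft-royalty-bypass heuristics over a simplified IR.
Added example: not the real detector. Sample functions below are constructed."""
import json
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Stmt:
    kind: str                      # "token_transfer" | "lamport_transfer" | "read" | "cpi"
    amount: Optional[int] = None   # transfer amount (NFT transfers move exactly 1)
    to_role: str = ""              # assumed role tag of the destination account, e.g. "creator"
    target: str = ""               # invoked program for kind == "cpi"
    data: str = ""                 # what a "read" statement reads, e.g. "metadata"


@dataclass
class Function:
    name: str
    blocks: List[List[Stmt]]       # basic blocks in program order


METAPLEX_PROGRAM = "mpl_token_metadata"   # assumed label for the Token Metadata CPI target


def _all_stmts(fn: Function):
    """Yield (block, statement, Stmt) in program order."""
    for b, block in enumerate(fn.blocks):
        for s, st in enumerate(block):
            yield b, s, st


def _uses_metaplex_cpi(fn: Function) -> bool:
    # Step 4: a Token Metadata CPI means Metaplex applies royalty rules itself.
    return any(st.kind == "cpi" and st.target == METAPLEX_PROGRAM for _, _, st in _all_stmts(fn))


def _pays_creator(fn: Function) -> bool:
    # Step 2: any lamport or fungible-token payout to a creator-tagged account.
    return any(
        st.to_role == "creator"
        and (st.kind == "lamport_transfer" or (st.kind == "token_transfer" and st.amount != 1))
        for _, _, st in _all_stmts(fn)
    )


def _reads_metadata_before(fn: Function, b: int, s: int) -> bool:
    # Step 3: was the metadata account (which carries royalty info) read before the transfer?
    for bb, ss, st in _all_stmts(fn):
        if (bb, ss) >= (b, s):
            break
        if st.kind == "read" and st.data == "metadata":
            return True
    return False


def find_royalty_bypass(fn: Function) -> List[dict]:
    """Return one finding per NFT transfer that lacks royalty enforcement evidence."""
    if _uses_metaplex_cpi(fn) or _pays_creator(fn):
        return []  # compliant transfer path or explicit creator payout found
    findings = []
    for b, s, st in _all_stmts(fn):
        if st.kind != "token_transfer" or st.amount != 1:
            continue  # Step 1: only amount-1 transfers are treated as NFT transfers
        # A prior metadata read suggests royalty info was consulted; the payout may
        # happen on a path this pass cannot see, so report with lower confidence.
        confidence = 0.4 if _reads_metadata_before(fn, b, s) else 0.6
        findings.append({
            "detector": "nft-royalty-bypass",
            "severity": "medium",
            "confidence": confidence,
            "message": "NFT token transfer without royalty enforcement check",
            "location": {"function": fn.name, "block": b, "statement": s},
        })
    return findings


# Constructed sample functions mirroring the Before/After snippets above.
VULNERABLE = Function("transfer_nft", [[
    Stmt("read", data="token_account"),
    Stmt("token_transfer", amount=1, to_role="buyer"),
]])
FIXED = Function("transfer_nft", [[
    Stmt("read", data="metadata"),
    Stmt("cpi", target=METAPLEX_PROGRAM),
]])
SETTLED = Function("sell_nft", [[          # pays the creator directly before moving the NFT
    Stmt("read", data="metadata"),
    Stmt("lamport_transfer", amount=500_000, to_role="creator"),
    Stmt("token_transfer", amount=1, to_role="buyer"),
]])
READS_ONLY = Function("custom_transfer", [[  # reads royalty info but never pays it out
    Stmt("read", data="metadata"),
    Stmt("token_transfer", amount=1, to_role="buyer"),
]])

if __name__ == "__main__":
    for fn in (VULNERABLE, FIXED, SETTLED, READS_ONLY):
        print(fn.name, json.dumps(find_royalty_bypass(fn), indent=2))
```

Running it reports `transfer_nft` (vulnerable form) at block 0, statement 1 with confidence 0.6, `custom_transfer` at confidence 0.4, and nothing for the Metaplex-routed or creator-paid variants. Note that `sell_nft` is suppressed only because the payout is visible in the same function; royalties settled in a separate instruction would still be flagged, which is the false-positive case listed under Limitations.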
Limitations
- False positives: Programs that enforce royalties through a separate settlement mechanism.
- False negatives: Complex royalty splitting across multiple transactions.
Related Detectors
- NFT Creator Verification — creator identity
- NFT Metadata Validation — metadata quality
- Metaplex Compliance — standard compliance