SPL Token Metadata Validation
Detects missing validation of token metadata accounts: PDA derivation checks, update authority verification, URI validation, and creator signature verification.
Overview
Remediation Guide: How to Fix SPL Token Metadata Validation
The metadata validation detector identifies programs that interact with token metadata accounts without proper validation of PDA derivation, update authority, URI format, or creator verification. These gaps allow attackers to spoof metadata, inject malicious URIs, or add unverified creators to token metadata.
Why This Is an Issue
Token metadata accounts are PDAs owned by the Token Metadata program, derived from the seeds ["metadata", token_metadata_program_id, mint]. Without proper validation:
- Metadata PDA spoofing: An attacker passes an arbitrary account in the metadata position, carrying whatever data they chose to write, and the program trusts it as the mint's metadata
- Update authority bypass: Metadata modifications without verifying that the signer's key equals the update_authority stored in the metadata account (checking is_signer alone accepts any signer)
- Malicious URIs: Setting metadata URIs to phishing sites or malicious content without scheme, length, or character validation
- Creator verification bypass: Adding creators with the verified flag set without requiring that creator's signature, or removing and unverifying creators who did not sign
CWE mapping: CWE-345 (Insufficient Verification of Data Authenticity).
How to Resolve
use mpl_token_metadata::pda::find_metadata_account;
use mpl_token_metadata::state::{Metadata, TokenMetadataAccount};
use solana_program::{
    account_info::{next_account_info, AccountInfo},
    entrypoint::ProgramResult,
    program_error::ProgramError,
};

pub fn update_metadata(accounts: &[AccountInfo], new_uri: String) -> ProgramResult {
    // Fail cleanly instead of panicking when too few accounts are passed
    let account_iter = &mut accounts.iter();
    let metadata = next_account_info(account_iter)?;
    let mint = next_account_info(account_iter)?;
    let authority = next_account_info(account_iter)?;

    // Validate metadata PDA derivation: the metadata account must be the PDA
    // the Token Metadata program derives for this mint
    let (expected_metadata, _bump) = find_metadata_account(mint.key);
    if metadata.key != &expected_metadata {
        return Err(ProgramError::InvalidAccountData);
    }

    // Validate update authority: a signature alone is not enough, the signer
    // must be the update_authority recorded in the metadata account
    if !authority.is_signer {
        return Err(ProgramError::MissingRequiredSignature);
    }
    let metadata_state = Metadata::from_account_info(metadata)?;
    if metadata_state.update_authority != *authority.key {
        return Err(ProgramError::IllegalOwner);
    }

    // Validate URI format and length before it is written on-chain
    if new_uri.len() > 200 || !new_uri.starts_with("https://") {
        return Err(ProgramError::InvalidArgument);
    }
    Ok(())
}
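The listing above stops at the URI check and leaves creator verification unaddressed. The following is an added example, not Sigvex's detector code and not Metaplex's program code, that expresses all three validation rules over minimal stand-in types so it compiles with no crates: Pubkey here is a 32-byte wrapper standing in for solana_program's type, Creator mirrors the shape of Metaplex's creator entry, the limits 200 and 5 are Metaplex's published MAX_URI_LENGTH and MAX_CREATOR_LIMIT, and the allow-listed URI schemes are this example's own assumption rather than a Metaplex rule. The creator rules follow the behaviour of Metaplex's data validation: a creator may carry the verified flag only if that creator signed or was already verified at the same address, and a previously verified creator may be dropped or unverified only with its own signature.

```rust
// Added example (not Sigvex's or Metaplex's code). Stand-in types so the
// block compiles without solana_program / mpl_token_metadata.

/// Stand-in for solana_program::pubkey::Pubkey (assumption: 32 raw bytes).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

impl Pubkey {
    /// Constructed test key with every byte set to `b`.
    pub fn filled(b: u8) -> Self {
        Pubkey([b; 32])
    }
}

/// Mirrors the shape of mpl_token_metadata's Creator entry.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Creator {
    pub address: Pubkey,
    pub verified: bool,
    pub share: u8,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ValidationError {
    UriTooLong(usize),
    UriBadScheme,
    UriControlChar,
    MissingSignature,
    NotUpdateAuthority,
    TooManyCreators(usize),
    DuplicateCreator,
    ShareTotalNot100(u32),
    UnverifiedCreatorClaim(usize),
    CannotUnverifyOtherCreator,
}

/// Limits as published by mpl_token_metadata (MAX_URI_LENGTH, MAX_CREATOR_LIMIT).
pub const MAX_URI_LENGTH: usize = 200;
pub const MAX_CREATOR_LIMIT: usize = 5;

/// Allowed schemes: an assumption of this example, not a Metaplex rule.
const ALLOWED_SCHEMES: [&str; 3] = ["https://", "ipfs://", "ar://"];

/// Rule 1: bounded length, allow-listed scheme, and no control or whitespace
/// characters (which could smuggle a second URL or terminator into an
/// off-chain JSON fetch).
pub fn validate_uri(uri: &str) -> Result<(), ValidationError> {
    if uri.len() > MAX_URI_LENGTH {
        return Err(ValidationError::UriTooLong(uri.len()));
    }
    if !ALLOWED_SCHEMES.iter().any(|s| uri.starts_with(s)) {
        return Err(ValidationError::UriBadScheme);
    }
    if uri.chars().any(|c| c.is_control() || c.is_whitespace()) {
        return Err(ValidationError::UriControlChar);
    }
    Ok(())
}

/// Rule 2: the presented authority must sign AND match the update_authority
/// stored in the metadata account.
pub fn validate_update_authority(
    stored_update_authority: &Pubkey,
    presented: &Pubkey,
    presented_is_signer: bool,
) -> Result<(), ValidationError> {
    if !presented_is_signer {
        return Err(ValidationError::MissingSignature);
    }
    if stored_update_authority != presented {
        return Err(ValidationError::NotUpdateAuthority);
    }
    Ok(())
}

/// Rule 3: creator-list invariants. `existing` is the stored list (None on
/// create); `signers` are the transaction signers.
pub fn validate_creators(
    new: &[Creator],
    existing: Option<&[Creator]>,
    signers: &[Pubkey],
) -> Result<(), ValidationError> {
    if new.len() > MAX_CREATOR_LIMIT {
        return Err(ValidationError::TooManyCreators(new.len()));
    }
    let total: u32 = new.iter().map(|c| c.share as u32).sum();
    if total != 100 {
        return Err(ValidationError::ShareTotalNot100(total));
    }
    let was_verified = |a: &Pubkey| {
        existing.map_or(false, |e| e.iter().any(|c| c.verified && &c.address == a))
    };
    let signed = |a: &Pubkey| signers.contains(a);
    for (i, c) in new.iter().enumerate() {
        if new[..i].iter().any(|p| p.address == c.address) {
            return Err(ValidationError::DuplicateCreator);
        }
        // A verified flag is a claim that needs this creator's signature,
        // unless it is carried over from an already-verified entry.
        if c.verified && !signed(&c.address) && !was_verified(&c.address) {
            return Err(ValidationError::UnverifiedCreatorClaim(i));
        }
    }
    // Only the creator themselves may drop or clear their verified flag.
    if let Some(old) = existing {
        for oc in old.iter().filter(|c| c.verified) {
            let still = new.iter().any(|c| c.address == oc.address && c.verified);
            if !still && !signed(&oc.address) {
                return Err(ValidationError::CannotUnverifyOtherCreator);
            }
        }
    }
    Ok(())
}

fn main() {
    let authority = Pubkey::filled(1);
    let artist = Pubkey::filled(2);
    let creators = vec![
        Creator { address: authority, verified: true, share: 40 },
        Creator { address: artist, verified: true, share: 60 },
    ];
    // Only the authority signed, so the artist's verified flag is rejected.
    println!("{:?}", validate_creators(&creators, None, &[authority]));
    println!("{:?}", validate_uri("https://example.invalid/metadata.json"));
}
```

In a real program the `existing` list comes from deserializing the metadata account after its PDA has been checked, and `signers` from the `is_signer` flags of the passed accounts; the ordering matters, since deserializing before the PDA check would read attacker-controlled bytes.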
Examples
Sample Sigvex Output
{
"detector_id": "spl-token-metadata-validation",
"severity": "medium",
"confidence": 0.75,
"description": "Metadata account used without PDA derivation validation. An attacker could pass a fake metadata account with manipulated data.",
"location": { "function": "update_metadata", "offset": 1 }
}
Detection Methodology
- Metadata operation identification: Detects functions that interact with metadata accounts based on name heuristics and CPI patterns.
- PDA derivation tracking: Looks for find_program_address calls that derive metadata PDAs.
- Authority validation: Checks for signer and key validation on update authority accounts.
- URI analysis: Identifies metadata URI writes without prior format validation.
Limitations
- Metadata PDA derivation patterns may not be recognized in all compilation outputs.
- URI validation requirements vary by use case and may produce false positives.
- Creator signature verification is complex and may not be fully tracked.
Related Detectors
- Metaplex Authority Bypass — detects missing authority verification
- Metadata Authority Transfer — detects unsafe authority transfers