Compressed NFT Validation Remediation
How to fix compressed NFT Merkle proof and authority vulnerabilities.
Overview
Related Detector: Compressed NFT Validation
Missing Merkle proof verification allows forged compressed NFT operations. The fix is to always verify Merkle proofs and tree authority before modifying compressed NFT state.
Recommended Fix
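Use a Bubblegum CPI, which handles all verification:
use solana_program::program::invoke;

// Delegate the transfer to Bubblegum; it verifies the proof and tree authority.
invoke(
    &mpl_bubblegum::instruction::transfer(
        tree_authority, leaf_owner, new_owner,
        merkle_tree, proof, root, nonce, data_hash, creator_hash,
    ),
    accounts,
)?;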
Common Mistakes
Mistake: Trusting Leaf Data Without Proof
// WRONG: reads leaf data without Merkle verification
let leaf = read_leaf(merkle_tree, index)?;
process_leaf(leaf)?;
Always verify the Merkle proof before trusting any leaf data.
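The verify-before-trust rule above, as an added example that is not code from this page or from the Bubblegum project. It assumes a plain binary Merkle tree; `hash_pair` is a non-cryptographic, std-only stand-in for the keccak-256 used by on-chain account compression, and `verified_leaf`, `sample_leaf`, `sample_tree` and the 4-leaf tree are hypothetical names and constructed data.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;
type Node = [u8; 32];

// Stand-in for keccak-256 so the example builds without crates. NOT cryptographic.
fn hash_pair(left: &Node, right: &Node) -> Node {
    let mut out = [0u8; 32];
    for (i, chunk) in out.chunks_mut(8).enumerate() {
        let mut h = DefaultHasher::new();
        h.write_u8(i as u8);
        h.write(left);
        h.write(right);
        chunk.copy_from_slice(&h.finish().to_le_bytes());
    }
    out
}

// Recompute the root from a leaf, its index and the sibling path (bottom-up).
fn compute_root(leaf: Node, index: u32, proof: &[Node]) -> Node {
    proof.iter().enumerate().fold(leaf, |node, (level, sib)| {
        // Bit `level` of the index: 1 means the current node is a right child.
        let bit = index.checked_shr(level as u32).unwrap_or(0) & 1;
        if bit == 1 { hash_pair(sib, &node) } else { hash_pair(&node, sib) }
    })
}

// Hand the leaf to the caller only if the proof binds it to the trusted root.
fn verified_leaf(root: &Node, depth: usize, leaf: Node, index: u32, proof: &[Node])
    -> Result<Node, &'static str> {
    if proof.len() != depth { return Err("proof length != tree depth"); }
    // Without this check, index 6 would alias index 2 in a depth-2 tree.
    if index.checked_shr(depth as u32).unwrap_or(0) != 0 { return Err("index out of range"); }
    if compute_root(leaf, index, proof) != *root { return Err("proof does not match root"); }
    Ok(leaf)
}

fn sample_leaf(tag: u8) -> Node { [tag; 32] }
// Constructed 4-leaf tree (depth 2): returns its root and the proof for `index`.
fn sample_tree(index: u32) -> (Node, Vec<Node>) {
    let l: Vec<Node> = (1..=4).map(sample_leaf).collect();
    let (a, b) = (hash_pair(&l[0], &l[1]), hash_pair(&l[2], &l[3]));
    let i = index as usize;
    (hash_pair(&a, &b), vec![l[i ^ 1], if i < 2 { b } else { a }])
}

fn main() {
    let (root, proof) = sample_tree(2);
    println!("genuine leaf: {:?}", verified_leaf(&root, 2, sample_leaf(3), 2, &proof).is_ok());
    println!("forged leaf:  {:?}", verified_leaf(&root, 2, sample_leaf(9), 2, &proof).err());
}
```

In a program, the trusted root must come from the tree account itself, never from caller-supplied instruction data.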