NFT Creator Verification Remediation
How to fix missing NFT creator signature verification.
Overview
Related Detector: NFT Creator Verification
Missing creator verification enables impersonation: if a program writes `verified: true` into the creators array based on client-supplied data, anyone can mint an NFT that appears to be verified by a well-known creator or collection. The fix is to set `verified: true` only for creators whose account actually signed the current transaction (checked via `is_signer`, not by mere presence in the account list), and to use Metaplex's `sign_metadata` instruction when a creator needs to verify themselves after the metadata has been created.
Recommended Fix
// Only verify creators who signed this transaction. The is_signer check is
// the point: a pubkey merely listed in remaining_accounts proves nothing.
// (If creators is Metaplex's Option<Vec<Creator>>, iterate its contents.)
for creator in metadata.creators.iter_mut() {
    creator.verified = ctx.remaining_accounts.iter()
        .any(|a| a.key() == creator.address && a.is_signer);
}
Alternative Mitigations
Use Metaplex's sign_metadata instruction via CPI. It lets a creator verify their own entry after the metadata exists, and the token-metadata program itself enforces that the creator account is a signer. The creator must therefore sign the outer transaction; invoke forwards that signature. If the creator is a PDA owned by your program, use invoke_signed with its seeds instead. The builder below is the one exposed by the mpl_token_metadata 1.x crate; newer releases changed the instruction API, so check the version you depend on.
use solana_program::program::invoke;

// `accounts` must contain the metadata account, the creator account
// (is_signer == true), and the token-metadata program account.
invoke(
    &mpl_token_metadata::instruction::sign_metadata(
        mpl_token_metadata::id(),
        metadata_key,
        creator_key, // Must be a signer
    ),
    accounts,
)?;
Common Mistakes
Mistake: Batch-Setting All Creators as Verified
// WRONG: marks all creators verified regardless of signatures
for creator in &mut creators { creator.verified = true; }
Only a creator who signed the current transaction may be marked verified in it. Every other creator must be written with `verified: false` (or the instruction rejected outright), regardless of what the client-supplied creators array claims; the Metaplex program applies the same rule to the creators it is given.
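To make the rule concrete, here is a stand-alone Rust model of the Recommended Fix loop next to a strict variant that rejects a client-supplied creators array instead of silently downgrading it, with the batch-verification mistake kept for comparison. This is an added example, not code from the page, the detector, or Metaplex: Pubkey and AccountMeta are local stand-ins for solana_program::pubkey::Pubkey and the key/is_signer fields of AccountInfo so the check runs off chain, validate_creators, stamp_verified and batch_verify_wrong are hypothetical names, and the keys and creators are constructed test values. The scenario is the impersonation case from the Overview: the minter signs as themselves and lists a well-known creator's key as a non-signer account.

```rust
// Added example, not code from the page or from Metaplex. Pubkey and
// AccountMeta are local stand-ins (assumption) for solana_program::Pubkey and
// the key/is_signer fields of AccountInfo, so the check runs off chain.

/// Stand-in for solana_program::pubkey::Pubkey: 32 raw bytes.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

impl Pubkey {
    /// Constructed test key, not a real on-chain address.
    pub fn test_key(tag: u8) -> Self {
        Pubkey([tag; 32])
    }
}

/// Mirrors the fields of mpl_token_metadata's Creator.
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct Creator {
    pub address: Pubkey,
    pub verified: bool,
    pub share: u8,
}

/// The two AccountInfo fields the check depends on (stand-in).
#[derive(Clone, Copy, Debug)]
pub struct AccountMeta {
    pub key: Pubkey,
    pub is_signer: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum CreatorError {
    /// The client claimed `verified: true` for a creator who did not sign.
    UnverifiableCreator(Pubkey),
}

/// True only if `address` belongs to an account that actually signed.
/// Presence in the account list alone is not enough; is_signer is the test.
fn signed_by(address: &Pubkey, accounts: &[AccountMeta]) -> bool {
    accounts.iter().any(|a| a.key == *address && a.is_signer)
}

/// Strict form: reject the instruction if any creator is marked verified
/// without having signed. Nothing is silently rewritten.
pub fn validate_creators(
    creators: &[Creator],
    accounts: &[AccountMeta],
) -> Result<(), CreatorError> {
    match creators
        .iter()
        .find(|c| c.verified && !signed_by(&c.address, accounts))
    {
        Some(c) => Err(CreatorError::UnverifiableCreator(c.address)),
        None => Ok(()),
    }
}

/// Lenient form (the Recommended Fix loop): recompute every verified flag
/// from the signer set and ignore whatever the client sent.
pub fn stamp_verified(creators: &mut [Creator], accounts: &[AccountMeta]) {
    for c in creators.iter_mut() {
        c.verified = signed_by(&c.address, accounts);
    }
}

/// The vulnerable pattern from Common Mistakes, kept for comparison: it
/// believes the client and verifies everyone.
pub fn batch_verify_wrong(creators: &mut [Creator]) {
    for c in creators.iter_mut() {
        c.verified = true;
    }
}

fn main() {
    // Constructed scenario: alice signs; bob is a well-known creator whose
    // key the minter lists as a non-signer account to impersonate them.
    let alice = Pubkey::test_key(1);
    let bob = Pubkey::test_key(2);
    let accounts = [
        AccountMeta { key: alice, is_signer: true },
        AccountMeta { key: bob, is_signer: false },
    ];
    let mut creators = vec![
        Creator { address: alice, verified: true, share: 50 },
        Creator { address: bob, verified: true, share: 50 },
    ];

    // Strict path: the forged bob entry is rejected.
    println!("strict: {:?}", validate_creators(&creators, &accounts));

    // Lenient path: alice stays verified, bob is reset to false.
    stamp_verified(&mut creators, &accounts);
    for c in &creators {
        println!("creator {} verified={}", c.address.0[0], c.verified);
    }
}
```

Which form to use is a design choice: stamp_verified is forgiving of clients that always send `verified: true`, while validate_creators surfaces the forgery as an error, which is preferable when the creators array is also stored or indexed elsewhere and a silent downgrade would go unnoticed.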