SPL Token Metadata Validation Remediation
How to fix metadata validation issues including PDA checks and URI validation.
Overview
Related Detector: SPL Token Metadata Validation
Missing metadata validation allows attackers to pass fake metadata accounts or inject malicious content. The fix requires validating PDA derivation, checking update authority, and enforcing URI format constraints.
Recommended Fix
Before (Vulnerable)
// Accepts any account as metadata without PDA check
let metadata = &accounts[0];
let data = Metadata::from_account_info(metadata)?;
After (Fixed)
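// Account order is an assumption for this snippet: metadata, mint, authority
let metadata = &accounts[0];
let mint = &accounts[1];
let authority = &accounts[2];
// Verify metadata PDA
let (expected, _) = find_metadata_account(mint.key);
require!(metadata.key == &expected, InvalidMetadataAccount);
// Verify update authority (a key match is only meaningful if `authority` also signed)
let data = Metadata::from_account_info(metadata)?;
require!(data.update_authority == *authority.key, InvalidAuthority);
// Validate URI (`new_uri` is the URI passed in as an instruction argument)
require!(new_uri.len() <= 200 && new_uri.starts_with("https://"), InvalidUri);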
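The URI check above, expanded into a stand-alone validator. This is an added example, not code from the original page or from Metaplex. It goes beyond the page's length and prefix check, and `validate_uri`, `UriError` and the printable-ASCII policy are assumptions made for illustration.

```rust
/// Maximum URI length in bytes, matching the 200-byte limit in the check above.
const MAX_URI_LEN: usize = 200;

#[derive(Debug, PartialEq)]
pub enum UriError {
    TooLong,
    ForbiddenChar,
    NotHttps,
    UserInfo,
    EmptyHost,
}

/// Validates a new metadata URI before it is written to the metadata account.
pub fn validate_uri(uri: &str) -> Result<(), UriError> {
    if uri.len() > MAX_URI_LEN {
        return Err(UriError::TooLong);
    }
    // Assumed policy: printable ASCII only, so no spaces, NUL padding,
    // control characters or look-alike Unicode reach off-chain consumers.
    if !uri.bytes().all(|b| b.is_ascii_graphic()) {
        return Err(UriError::ForbiddenChar);
    }
    let rest = uri.strip_prefix("https://").ok_or(UriError::NotHttps)?;
    // The authority component ends at the first '/', '?' or '#'.
    let authority = rest
        .split(|c: char| c == '/' || c == '?' || c == '#')
        .next()
        .unwrap_or("");
    // "https://a.example@b.example/" is served by b.example, not a.example.
    if authority.contains('@') {
        return Err(UriError::UserInfo);
    }
    // A bare "https://" or "https://:443/" passes a prefix check but has no host.
    let host = authority.split(':').next().unwrap_or("");
    if host.is_empty() {
        return Err(UriError::EmptyHost);
    }
    Ok(())
}

fn main() {
    // Constructed sample inputs.
    let samples = ["https://example.com/meta.json", "https://", "http://example.com/x"];
    for uri in samples.iter() {
        println!("{:?} -> {:?}", uri, validate_uri(uri));
    }
}
```

In a program, each `UriError` variant would map onto the `InvalidUri` error used in the fixed code.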
Alternative Mitigations
1. Anchor metadata constraints
#[account(
    seeds = [b"metadata", mpl_token_metadata::id().as_ref(), mint.key().as_ref()],
    bump,
    seeds::program = mpl_token_metadata::id()
)]
pub metadata: Account<'info, MetadataAccount>,
2. Read-only metadata access
For read-only operations, verify PDA derivation and owner but skip authority checks.
Common Mistakes
Mistake 1: Not verifying metadata PDA derivation
// WRONG: accepts any account as metadata
// Must derive and compare: find_metadata_account(mint.key)
Mistake 2: Not checking creators are verified
// WRONG: trusting unverified creator entries
// Check: require!(creator.verified, UnverifiedCreator)