Skip to main content
Sigvex

Compressed NFT Validation

Detects Bubblegum/compressed NFT Merkle proof and authority vulnerabilities.

Compressed NFT Validation

Overview

The compressed NFT validation detector identifies vulnerabilities in Bubblegum compressed NFT implementations including missing Merkle proof verification, tree authority validation bypasses, delegate permission issues, and leaf hash verification problems.

For remediation guidance, see Compressed NFT Validation Remediation.

Why This Is an Issue

Compressed NFTs store metadata in Merkle trees for gas efficiency. Without proper Merkle proof verification, an attacker can forge ownership claims or modify metadata without detection. Missing tree authority validation allows unauthorized modifications to the Merkle tree, potentially affecting all NFTs in the collection.

How to Resolve

Before (Vulnerable)

// Vulnerable: processes compressed NFT without Merkle verification
pub fn transfer_cnft(ctx: Context<TransferCnft>) -> Result<()> {
    // No Merkle proof verification
    // No tree authority check
    update_leaf(ctx.accounts, new_owner)?;
    Ok(())
}

After (Fixed)

// Fixed: validates Merkle proof and tree authority
pub fn transfer_cnft(ctx: Context<TransferCnft>, proof: Vec<[u8; 32]>) -> Result<()> {
    require!(
        ctx.accounts.tree_authority.key() == expected_authority,
        ErrorCode::InvalidAuthority
    );
    verify_merkle_proof(&ctx.accounts.merkle_tree, &proof, &ctx.accounts.leaf)?;
    update_leaf(ctx.accounts, new_owner)?;
    Ok(())
}

Example JSON Finding

{
  "detector": "compressed-nft-validation",
  "severity": "high",
  "confidence": 0.7,
  "message": "Compressed NFT operation without Merkle proof verification",
  "location": { "function": "transfer_cnft", "block": 0, "statement": 1 }
}

Detection Methodology

  1. Compression program CPI detection: Identifies CPI calls to Bubblegum or SPL Account Compression.
  2. Merkle verification search: Checks for proof verification operations.
  3. Authority validation: Verifies tree authority ownership checks.
  4. Cross-block tracking: Uses CFG dataflow to track validations across blocks.

Limitations

False positives: Programs that delegate all verification to the compression program via CPI. False negatives: Custom compression implementations.

References