Skip to main content
Sigvex

NFT Metadata Validation

Detects NFT metadata validation issues.

NFT Metadata Validation

Overview

The NFT metadata validation detector identifies programs that do not properly validate NFT metadata operations, including missing owner/signer validation before metadata modifications, unsafe account data storage without checks, missing key verification, and insufficient authorization checks.

For remediation guidance, see NFT Metadata Validation Remediation.

Why This Is an Issue

NFT metadata quality is critical for marketplace listing, collection verification, and user trust. Programs that allow unauthorized metadata modifications enable counterfeit NFTs, collection fraud, and metadata spoofing. Missing authorization checks on metadata operations can devalue legitimate collections and cause financial harm to creators and collectors.

How to Resolve

Before (Vulnerable)

// Vulnerable: stores metadata without authorization check
pub fn set_metadata(ctx: Context<SetMeta>, data: MetadataInput) -> Result<()> {
    let nft = &mut ctx.accounts.nft_metadata;
    nft.name = data.name;
    nft.uri = data.uri;
    nft.creators = data.creators;
    Ok(())
}

After (Fixed)

// Fixed: validates authority and creator signatures
pub fn set_metadata(ctx: Context<SetMeta>, data: MetadataInput) -> Result<()> {
    require!(
        ctx.accounts.authority.key() == ctx.accounts.nft_metadata.update_authority,
        ErrorCode::Unauthorized
    );
    for creator in &data.creators {
        if creator.verified {
            require!(creator.address == ctx.accounts.authority.key(), ErrorCode::CreatorNotSigner);
        }
    }
    let nft = &mut ctx.accounts.nft_metadata;
    nft.name = data.name;
    nft.uri = data.uri;
    nft.creators = data.creators;
    Ok(())
}

Example JSON Finding

{
  "detector": "nft-metadata-validation",
  "severity": "medium",
  "confidence": 0.6,
  "message": "Metadata storage without authorization validation",
  "location": { "function": "set_metadata", "block": 0, "statement": 2 }
}

Detection Methodology

  1. Metadata storage detection: Identifies store operations to metadata-like accounts.
  2. Authorization pattern checking: Verifies authority validation before metadata writes.
  3. Creator verification: Checks for creator signature validation on verified creator entries.

Limitations

False positives: Admin functions for initial NFT minting may legitimately set metadata without external creator verification. False negatives: Custom metadata schemes not following the Metaplex Token Metadata program patterns.

References