Skip to main content
Sigvex

SPL Token Metadata Validation

Detects metadata validation issues including missing PDA checks, update authority verification, and URI validation.

SPL Token Metadata Validation

Overview

Remediation Guide: How to Fix SPL Token Metadata Validation

The metadata validation detector identifies programs that interact with token metadata accounts without proper validation of PDA derivation, update authority, URI format, or creator verification. These gaps allow attackers to spoof metadata, inject malicious URIs, or add unverified creators to token metadata.

Why This Is an Issue

Token metadata accounts are PDAs derived from the mint address. Without proper validation:

  • Metadata PDA spoofing: An attacker passes a non-PDA account as metadata, potentially with modified data
  • Update authority bypass: Metadata modifications without verifying the signer is the update authority
  • Malicious URIs: Setting metadata URIs to phishing sites or malicious content without format/length validation
  • Creator verification bypass: Adding creators to metadata without requiring their signature verification

CWE mapping: CWE-345 (Insufficient Verification of Data Authenticity).

How to Resolve

use mpl_token_metadata::pda::find_metadata_account;

pub fn update_metadata(accounts: &[AccountInfo], new_uri: String) -> ProgramResult {
    let metadata = &accounts[0];
    let mint = &accounts[1];
    let authority = &accounts[2];

    // Validate metadata PDA derivation
    let (expected_metadata, _bump) = find_metadata_account(mint.key);
    if metadata.key != &expected_metadata {
        return Err(ProgramError::InvalidAccountData);
    }

    // Validate update authority
    if !authority.is_signer { return Err(ProgramError::MissingRequiredSignature); }

    // Validate URI format and length
    if new_uri.len() > 200 || !new_uri.starts_with("https://") {
        return Err(ProgramError::InvalidArgument);
    }

    Ok(())
}

Examples

Sample Sigvex Output

{
  "detector_id": "spl-token-metadata-validation",
  "severity": "medium",
  "confidence": 0.75,
  "description": "Metadata account used without PDA derivation validation. An attacker could pass a fake metadata account with manipulated data.",
  "location": { "function": "update_metadata", "offset": 1 }
}

Detection Methodology

  1. Metadata operation identification: Detects functions that interact with metadata accounts based on name heuristics and CPI patterns.
  2. PDA derivation tracking: Looks for find_program_address calls that derive metadata PDAs.
  3. Authority validation: Checks for signer and key validation on update authority accounts.
  4. URI analysis: Identifies metadata URI writes without prior format validation.

Limitations

  • Metadata PDA derivation patterns may not be recognized in all compilation outputs.
  • URI validation requirements vary by use case and may produce false positives.
  • Creator signature verification is complex and may not be fully tracked.

References