Skip to main content
Sigvex

Compressed NFT Validation Remediation

How to fix compressed NFT Merkle proof and authority vulnerabilities.

Compressed NFT Validation Remediation

Overview

Related Detector: Compressed NFT Validation

Missing Merkle proof verification allows forged compressed NFT operations. The fix is to always verify Merkle proofs and tree authority before modifying compressed NFT state.

Use Bubblegum CPI which handles all verification:

invoke(
    &mpl_bubblegum::instruction::transfer(
        tree_authority, leaf_owner, new_owner,
        merkle_tree, proof, root, nonce, data_hash, creator_hash,
    ),
    accounts,
)?;

Common Mistakes

Mistake: Trusting Leaf Data Without Proof

// WRONG: reads leaf data without Merkle verification
let leaf = read_leaf(merkle_tree, index)?;
process_leaf(leaf)?;

Always verify the Merkle proof before trusting any leaf data.

References