Skip to main content
Sigvex

the NFT metadata program Compliance Remediation

How to fix standard NFT metadata standard violations.

the NFT metadata program Compliance Remediation

Overview

Related Detector: the NFT metadata program Compliance

the NFT metadata program violations cause NFTs to be unrecognized by marketplaces and wallets. The fix is to validate update authority, verify creators, and follow the NFT metadata program account structure conventions.

// Validate update authority via the NFT metadata program CPI
invoke(
    &mpl_token_metadata::instruction::update_metadata_accounts_v2(
        mpl_token_metadata::id(),
        metadata.key(),
        update_authority.key(),  // Must be current update authority
        Some(update_authority.key()),
        Some(new_data),
        None,
        None,
    ),
    accounts,
)?;

Alternative Mitigations

Use the NFT metadata program SDK

Use the NFT metadata Rust SDK for type-safe metadata operations that enforce compliance:

use mpl_token_metadata::instructions::UpdateMetadataAccountV2Builder;
let ix = UpdateMetadataAccountV2Builder::new()
    .metadata(metadata_key)
    .update_authority(authority_key)
    .build();

Common Mistakes

Mistake: Missing Creator Verification

// WRONG: setting creators without verifying their signatures
metadata.creators = Some(vec![Creator {
    address: fake_creator,
    verified: true,  // Cannot set verified without signature
    share: 100,
}]);

Only the creator themselves can set verified: true by signing the transaction.

References