Skip to main content
Sigvex

NFT Metadata Validation Remediation

How to fix NFT metadata validation issues.

NFT Metadata Validation Remediation

Overview

Related Detector: NFT Metadata Validation

Unvalidated metadata operations enable counterfeit NFTs. The fix is to validate update authority, verify creator signatures, and check collection membership before any metadata modification.

#[derive(Accounts)]
pub struct UpdateMetadata<'info> {
    #[account(mut, has_one = update_authority)]
    pub metadata: Account<'info, NftMetadata>,
    pub update_authority: Signer<'info>,
}

pub fn update(ctx: Context<UpdateMetadata>, new_uri: String) -> Result<()> {
    require!(new_uri.len() <= MAX_URI_LEN, UriTooLong);
    ctx.accounts.metadata.uri = new_uri;
    Ok(())
}

Alternative Mitigations

Use the NFT metadata program CPI

Delegate metadata operations to the standard NFT metadata program which enforces all validations:

invoke(
    &mpl_token_metadata::instruction::update_metadata_accounts_v2(...),
    accounts,
)?;

Common Mistakes

Mistake: Not Validating URI Format

// WRONG: accepts any string as URI, including empty or malicious
metadata.uri = user_provided_uri;

Validate URI length and optionally format before storage.

References