Skip to main content
Sigvex

SPL Token Metadata Validation Remediation

How to fix metadata validation issues including PDA checks and URI validation.

SPL Token Metadata Validation Remediation

Overview

Related Detector: SPL Token Metadata Validation

Missing metadata validation allows attackers to pass fake metadata accounts or inject malicious content. The fix requires validating PDA derivation, checking update authority, and enforcing URI format constraints.

Before (Vulnerable)

// Accepts any account as metadata without PDA check
let metadata = &accounts[0];
let data = Metadata::from_account_info(metadata)?;

After (Fixed)

let metadata = &accounts[0];
let mint = &accounts[1];

// Verify metadata PDA
let (expected, _) = find_metadata_account(mint.key);
require!(metadata.key == &expected, InvalidMetadataAccount);

// Verify update authority
let data = Metadata::from_account_info(metadata)?;
require!(data.update_authority == *authority.key, InvalidAuthority);

// Validate URI
require!(new_uri.len() <= 200 && new_uri.starts_with("https://"), InvalidUri);

Alternative Mitigations

1. Anchor metadata constraints

#[account(
    seeds = [b"metadata", mpl_token_metadata::id().as_ref(), mint.key().as_ref()],
    bump,
    seeds::program = mpl_token_metadata::id()
)]
pub metadata: Account<'info, MetadataAccount>,

2. Read-only metadata access

For read-only operations, verify PDA derivation and owner but skip authority checks.

Common Mistakes

Mistake 1: Not verifying metadata PDA derivation

// WRONG: accepts any account as metadata
// Must derive and compare: find_metadata_account(mint.key)

Mistake 2: Not checking creators are verified

// WRONG: trusting unverified creator entries
// Check: require!(creator.verified, UnverifiedCreator)

References