Metaplex Releases Audit Report, Addresses Issues In pNFTs, Token Integration

Perma DAO
3 min read · Dec 29, 2023

💡Web3 is booming, and Arweave is becoming a popular infrastructure choice for developers. PermaDAO is a community where everyone can contribute to the Arweave ecosystem. It’s a place to propose and tackle tasks related to Arweave, with the support and feedback of the entire community. Join PermaDAO and help shape Web3!

Author: Adeola @ Contributor of PermaDAO

Reviewer: Henry @ Contributor of PermaDAO

Metaplex has published a security audit report that analysed the Metaplex Token Metadata programme, reviewing the major software releases shipped between February and November 2023. The audit found five vulnerabilities, all of which have since been resolved.

Metaplex, which uses Arweave as storage for its NFTs, contracted Mad Shield to audit the programme. The auditors found three vulnerabilities categorised as critical, one of high severity and one of low severity. The Metaplex programme library went through these upgrades to address evolving industry challenges and to take advantage of new feature capabilities.

“By meticulously examining the codebase, this audit aims to ensure the continued robustness and security of the Metaplex Token Metadata, fostering trust and promoting safe adoption of new innovative features for both creators and users within the Solana NFT Ecosystem,” Mad Shield stated.

The upgrades covered by the audit are programmable non-fungible tokens (pNFTs) and Token-22 (SPL Token-2022) integration. The report notes that, in general, upgrades which add large amounts of new code carry risk. Metaplex is a Solana-native NFT protocol that uses Arweave as its storage layer.

“The addition of substantial new code presents potential risks alongside the anticipated benefits. Breaking changes, potential footguns, and security vulnerabilities can emerge within the revamped system,” the report stated in part. The report goes on to describe itself as a comprehensive analysis of the implemented changes and their security implications, focused on identifying and mitigating programme vulnerabilities.

Under the report's severity scale, a critical finding is one that a third-party attacker could exploit with low to moderate difficulty and that could result in irreparable financial harm. A high-severity finding carries a risk of external attack or requires specific user interaction, and could result in recoverable financial harm. A low-severity finding concerns implementation variance and uncommon scenarios, with no financial impact and only minor inconvenience.

Mad Shield described the three critical findings as follows: the burn instruction could be exploited to permanently disable all programmable non-fungible token operations; all programmable non-fungible token rules could be bypassed in the transfer instruction; and the programmable non-fungible token ‘allowlist rule’ could be bypassed in the transfer instruction. The remaining findings, rated high, low and informational respectively, were that programmable non-fungible tokens could become non-transferable; that the programme panics during lock and unlock of fungible tokens; and that token accounts for non-transferable mints must have the immutable owner extension.

Mad Shield stated that the identified vulnerabilities had been addressed, removing the risk to user funds.

“Our thorough audit of the Metaplex Token Metadata program has yielded significant results. By identifying and remediating critical vulnerabilities, we’ve addressed potential threats jeopardizing user funds. Moreover, proposed solutions for the remaining vulnerabilities enhance the overall reliability and performance of the program,” it stated.

Meanwhile, the Metaplex Foundation announced a grant to dReader to help bring the next generation of comic collecting on-chain. The grant is the first awarded by the Metaplex DAO. dReader said the grant would help it grow its user base to 5,000 and bring 400 creators onto Solana.

🔗 More about PermaDAO :Website | Twitter | Telegram | Discord | Medium | Youtube
