Metaplex team should not updateAuthority in specific case on mint Token Metadata #1055

Closed
dzmitry-lahoda opened this issue Nov 24, 2021 · 12 comments

dzmitry-lahoda commented Nov 24, 2021

Describe the bug

Metaplex team somehow is authority on third party token. Expected it should not be.

Here is new mint and metadata as I applied

https://explorer.solana.com/address/EuRVbM38Dvseeei6Be5q8SP31d7dKySsRAM5vV48DrBs/metadata?cluster=devnet

{
  "key": 4,
  "updateAuthority": "2ALZgMNre2qynTTyxWtgWG6L2L56n39aBGegS1yvxwya",
  "mint": "EuRVbM38Dvseeei6Be5q8SP31d7dKySsRAM5vV48DrBs",
  "data": {
    "name": "Sator",
    "symbol": "SAO",
    "uri": "https://raw.githubusercontent.com/SatorNetwork/sator-solana-contracts/main/assets/sao.json",
    "sellerFeeBasisPoints": 0
  },
  "primarySaleHappened": 0,
  "isMutable": 1
}

updateAuthority is my key.

Here are 2 tokens with updateAuthority on metadata AqH29mZfQFgRpfwaPoTMWSKJ5kqauoc1FwVBRksZyQrt

https://explorer.solana.com/address/2HeykdKjzHKGm2LKHw8pDYwjKPiFEoXAz74dirhUgQvq/metadata
https://explorer.solana.com/address/So11111111111111111111111111111111111111112/metadata

See that https://explorer.solana.com/address/metaqbxxUerdq28cj1RbAWkYQm3ybzjb6a8bt518x1s and https://explorer.solana.com/address/p1exdMJcjVao65QdewkaZRUnU6VPSXhus9n2GzWfh98 Upgrade Authority is same - Metaplex team as I see.

To Reproduce
I do not know.

Expected behavior

There should be a way to set https://explorer.solana.com/address/2HeykdKjzHKGm2LKHw8pDYwjKPiFEoXAz74dirhUgQvq/metadata updateAuthority as
3fStvMDNKbG1FRu8reeMrz6V53fdtQFMs84enMGQVNXV
or
56MXtFPzsLMPhq4NjNMc7xa2E1ztB2M8RJ9EYyFzymeL
(creator of mint).

Metadata URI should be set to https://raw.githubusercontent.com/SatorNetwork/sator-solana-contracts/main/assets/sao.json

Additional context
Sator token is on Wormhole.
Information about token and owners solana-labs/token-list#4877

@dzmitry-lahoda
Author

I see, mint lacks mint_authority, so

Originally mint seems should be created by @islaperfito one of here case she owns

3fStvMDNKbG1FRu8reeMrz6V53fdtQFMs84enMGQVNXV
56MXtFPzsLMPhq4NjNMc7xa2E1ztB2M8RJ9EYyFzymeL

not sure - public tools do not give UI to prove that transaction

So token metadata program does not check mint_authority, but only update_authority, so technically it is possible to update without external solana wide governance process or metadata program update

pub update_authority: Pubkey,

assert_owned_by(metadata_account_info, program_id)?;

if we mine proof of 3fStvMDNKbG1FRu8reeMrz6V53fdtQFMs84enMGQVNXV or 56MXtFPzsLMPhq4NjNMc7xa2E1ztB2M8RJ9EYyFzymeL created mint, could we change metadata to update_authority?

or, actually hypothetically we can think of metaplex as abuser or authority which occupied update authority, so that others do not. while properly, mint tool should error in case same transaction does not set metadata. from this perspective just removing authority is kind of good.

but best seems replacing authority of update with pubkey which created mint. so would be transaction id of creator is enough for that and maybe some nonce signed by creator key?
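
A monitoring check a token owner could run against their own metadata account, given that only update_authority gates changes as the comment above describes. This is an added example, not code from the issue or from Metaplex; the Borsh field order, the 32/10/200-byte padding of the constructed sample, and all function names are assumptions.

```python
import struct
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s):
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    return b"\0" * (len(s) - len(s.lstrip("1"))) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def parse_metadata(buf):  # assumed Borsh layout of the metadata account
    if len(buf) < 65 or buf[0] != 4:  # "key": 4 marks a metadata account
        raise ValueError("not a metadata account")
    off, out = 65, {"updateAuthority": b58encode(buf[1:33]), "mint": b58encode(buf[33:65])}
    for field in ("name", "symbol", "uri"):  # Borsh string: u32 LE length + UTF-8
        (n,) = struct.unpack_from("<I", buf, off)
        out[field] = buf[off + 4:off + 4 + n].decode().rstrip("\0")
        off += 4 + n
    off += 2  # skip sellerFeeBasisPoints (u16)
    if buf[off]:  # Option<Vec<Creator>>: u32 count, then 34 bytes per creator
        off += 4 + 34 * struct.unpack_from("<I", buf, off + 1)[0]
    off += 1  # the Option tag byte itself
    out["isMutable"] = bool(buf[off + 1])  # byte after primarySaleHappened
    return out

def audit(buf, expected_mint, our_keys):  # findings for a token owner's monitoring job
    md, findings = parse_metadata(buf), []
    if md["mint"] != expected_mint:
        findings.append("metadata belongs to a different mint")
    if md["updateAuthority"] not in our_keys:
        findings.append("update authority %s is not one of ours" % md["updateAuthority"])
        if md["isMutable"]:
            findings.append("metadata can still be changed by that key")
    return findings

def borsh_str(s, width):  # sample helper: string zero-padded to a fixed width
    return struct.pack("<I", width) + s.encode().ljust(width, b"\0")

# Constructed account bytes mirroring the JSON in the issue (no creators set).
MINE, MINT = "2ALZgMNre2qynTTyxWtgWG6L2L56n39aBGegS1yvxwya", "EuRVbM38Dvseeei6Be5q8SP31d7dKySsRAM5vV48DrBs"
URI = "https://raw.githubusercontent.com/SatorNetwork/sator-solana-contracts/main/assets/sao.json"
SAMPLE = (bytes([4]) + b58decode(MINE) + b58decode(MINT) + borsh_str("Sator", 32) + borsh_str("SAO", 10)
          + borsh_str(URI, 200) + struct.pack("<H", 0) + b"\0" + bytes([0, 1]))  # creators=None, then the two flags
```

On real data, `buf` would be the decoded account data returned by an RPC `getAccountInfo` call for the metadata address.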

@dzmitry-lahoda
Author

as per https://solanabeach.io/address/2HeykdKjzHKGm2LKHw8pDYwjKPiFEoXAz74dirhUgQvq was mint authority at some point 3fStvMDNKbG1FRu8reeMrz6V53fdtQFMs84enMGQVNXV

interesting how it was removed and how to return something back - metadata authority to 3fStvMDNKbG1FRu8reeMrz6V53fdtQFMs84enMGQVNXV

@github-actions

github-actions bot commented Jan 7, 2022

This Issue has received no activity for 30 days. We will close it in 2 days, please reopen if you are still experiencing this issue.

@injaan

injaan commented Sep 29, 2022

Hi @dzmitry-lahoda,

We recently patched community tokens which were missing metadata to add compatibility with Wormhole. Because the token in question no longer has mint_authority, this token’s metadata would never be able to be updated or become compatible. To improve the entire community, we patched all similar tokens.

Today there is no process in place for token owners that no longer have mint_authority to fix their metadata. In the future we foresee this type of wide community action being facilitated through a DAO, but we are not there yet.

Please let us know if you still need the updateAuthority changed.

@aheckmann Hello, can I take my tokens update authority now?

@scara89

scara89 commented Jan 24, 2023

@aheckmann @metaplex are you in control of that address?

@scara89

scara89 commented Jan 24, 2023

Hi @dzmitry-lahoda,
We recently patched community tokens which were missing metadata to add compatibility with Wormhole. Because the token in question no longer has mint_authority, this token’s metadata would never be able to be updated or become compatible. To improve the entire community, we patched all similar tokens.
Today there is no process in place for token owners that no longer have mint_authority to fix their metadata. In the future we foresee this type of wide community action being facilitated through a DAO, but we are not there yet.
Please let us know if you still need the updateAuthority changed.

@aheckmann Hello, can I take my tokens update authority now?

@aheckmann @metaplex
is there any way to update metadata for those tokens you took the update authority with “AqH29mZfQFgRpfwaPoTMWSKJ5kqauoc1FwVBRksZyQrt”?

We are having issues with a community token being displayed as NFT rather than a token because it's missing decimals, and the new metaplex standard classifies it like this, so third parties follow it like phantom or solscan. And now our community token only could be edited with “Aq..”. Are you in control of that address that you used for this?

@commander-APE

Hi @dzmitry-lahoda,

We recently patched community tokens which were missing metadata to add compatibility with Wormhole. Because the token in question no longer has mint_authority, this token’s metadata would never be able to be updated or become compatible. To improve the entire community, we patched all similar tokens.

Today there is no process in place for token owners that no longer have mint_authority to fix their metadata. In the future we foresee this type of wide community action being facilitated through a DAO, but we are not there yet.

Please let us know if you still need the updateAuthority changed.

Hi, it seems this issue still exists because wormhole tokens deployed to Solana by their permissionless process do not have metadata URIs and therefore cannot have important metadata (like the token image) appear on explorers, wallets, or web3 UIs. Instead, all tokens created by the bridge forever have no metadata and it's impossible to update them.

Is there a way to patch these tokens periodically such that teams who manage them can add images to their metadata? This will prevent users from selecting the incorrect token that a scammer deploys with the correct image, which right now in our case, 12 have popped up. All scam tokens are using our token image while ours (the real one) does not have it.

Our token ID for reference: 7ZCm8WBN9aLa3o47SoYctU6iLdj7wkGG5SV2hE5CgtD5

@Skelt24

Skelt24 commented Feb 9, 2024

Hello, I have a token which was created through wormhole when the way to add metadata was done on GitHub token list repo.
It seems to be that metaplex automatically sets the update authority to the same address as the mint authority (Wormhole contract).
It means that I don't have any way to update the details of the token. Do you know if there is a way to handle this situation?

Mint address: 4JWktLr39ZbyutVnym7wKxV1RDoJz7ifDYxMUHDmAbPB

Authority:
BCD75RNBHrJJpW4dXVagL5mPjzRLnVZq4YirJdjEYMV7

@aheckmann

@mustvlad

Have you found any solution @Skelt24 ?

@Skelt24

Skelt24 commented Mar 20, 2024

Unfortunately no @mustvlad still stuck on this one

@smbpndk

smbpndk commented Apr 21, 2024

Looks related #2282

Any proposed solution from the metaplex team?

@Gogucoin

I am having the same issue, I have verified the contract from BNB to SOL using wormhole and contract authority is BCD75RNBHrJJpW4dXVagL5mPjzRLnVZq4YirJdjEYMV7
gogu wormhole

Meanwhile this token with the same authority managed to update the logo/socials
maga wormhole

Can someone explain how is this possible?
