Question regarding data layout of mint accounts about metaboss HOT 5 CLOSED

@macadev this seems like an interesting use-case and problem but unfortunately I can't expand Metaboss issues to broader Solana support otherwise I would be completely inundated with issues and I want this repo to focus on Metaboss itself. There are a number of Solana Discords you can join where you can collaborate with developers and ask questions like this, here's one of them: https://discord.gg/solana.

Thanks for you understanding on this and let me know if you run into any more Metaboss issues.

from metaboss.

Oh, I just realized the first creator in the creators vector is the candy machine ID! This is based on the single NFT I have looked up. I may have just answered my own question.

from metaboss.

Yeah, my variable naming on this is not great so I can understand how it might be confusing. What's happening here is that get_program_accounts is querying the token-metadata program to find all the metadata accounts and then filtering by doing a memcmp with an offset that puts it into the creators array. You can see the Metadata and Data account layout here: https://github.com/metaplex-foundation/metaplex-program-library/blob/5c7a15d283776cc36c85456a0d0804ab79cdf02b/token-metadata/program/src/state.rs#L81

from metaboss.

Thanks for the help! I really appreciate it.

from metaboss.

Hey Samuel, I want to reopen this to ask a related question.

I'm trying to write a Solana program that will only process transactions coming from Token holders of a specific NFT collection. What I'm trying to figure out is how to validate that the transactions are in fact generated by holders of the NFT collection. This is how I'm planning to do that:

• Have the transaction contain the associated Token Account of the user which holds the NFT (i.e the account that has balance = 1 for some particular Mint account)
• Have the user sign the transaction using the wallet that owns the associated Token Account that holds the NFT
• Then the Solana program verifies the signature of the transaction using the public key in the 'owner' field of the associated Token Account and it also verifies that the balance of the Token Account = 1.

The crucial piece of validation I'm missing is verifying that the Mint Account linked to the associated Token Account is a part of the NFT collection I'm targeting.

This is where the candy machine ID comes in. I think that by simply verifying that the Mint account has the candy machine ID in its creators array then that proves that the associated token Account does belong to the NFT collection I'm targeting.

Does this sound like a good approach to this problem? Or am I totally off and opening myself to all kinds of security risks?

Thanks again for your time!

from metaboss.