Token-2022 Extensions
Detects Token-2022 extension vulnerabilities including transfer hooks, fees, and confidential transfers.
Overview
Remediation Guide: How to Fix Token-2022 Extension Findings
The Token-2022 extensions detector identifies security issues in programs using SPL Token-2022 extensions including transfer hooks, transfer fees, confidential transfers, and interest-bearing tokens. These extensions introduce new attack surfaces that require specific validation beyond standard SPL Token checks.
Why This Is an Issue
Token-2022 extensions add powerful features but also new vulnerability classes:
- Transfer hook bypass: moving tokens without the mint's transfer hook program being invoked, or with an attacker-supplied account standing in for it, so the compliance or fee logic in the hook never runs
- Transfer fee mis-accounting: crediting the pre-fee amount when the mint withholds a fee, so internal balances exceed what actually arrived in the token account
- Confidential transfer without proofs: relying on confidential transfer state without the accompanying zero-knowledge proofs having been verified
- Interest calculation overflow: interest-bearing amount conversions that overflow during compounding
- Unvalidated extension data: trusting extension fields (hook program, fee config, interest rate) read from an account whose owner or account type was never checked
CWE mapping: CWE-345 (Insufficient Verification of Data Authenticity).
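The fee accounting point above, as an added example that is not part of the original page or of the SPL Token-2022 code base. It reimplements Token-2022's TransferFee arithmetic without the crate so that it runs stand-alone: the fee is ceil(amount * basis_points / 10_000) capped at maximum_fee, the recipient gets the remainder, and a vault that credits the instruction amount instead of the received amount becomes insolvent by exactly the withheld fee. It also goes one step beyond the text and inverts the formula (how much to send so that a given amount arrives). TransferFee, Vault and the 2.5 % / 1_000 parameters are constructed for the illustration.

```rust
/// Fee parameters of a Token-2022 TransferFeeConfig (the fields the fee formula
/// uses; the epoch-based older/newer switch is left out of this illustration).
#[derive(Clone, Copy, Debug)]
pub struct TransferFee {
    /// Fee rate in basis points (1 bp = 0.01 %).
    pub basis_points: u16,
    /// Hard cap on the fee withheld per transfer, in base units.
    pub maximum_fee: u64,
}

pub const ONE_IN_BASIS_POINTS: u128 = 10_000;

impl TransferFee {
    /// Fee withheld: ceil(amount * bp / 10_000), then capped at maximum_fee.
    /// Rounding up means a 1-unit transfer at any non-zero rate is all fee.
    pub fn calculate_fee(&self, pre_fee_amount: u64) -> Option<u64> {
        let bp = u128::from(self.basis_points);
        if bp == 0 || pre_fee_amount == 0 {
            return Some(0);
        }
        let numerator = u128::from(pre_fee_amount).checked_mul(bp)?;
        let raw_fee = numerator.checked_add(ONE_IN_BASIS_POINTS - 1)? / ONE_IN_BASIS_POINTS;
        Some(raw_fee.min(u128::from(self.maximum_fee)) as u64)
    }

    /// What actually lands in the destination token account.
    pub fn post_fee_amount(&self, pre_fee_amount: u64) -> Option<u64> {
        pre_fee_amount.checked_sub(self.calculate_fee(pre_fee_amount)?)
    }

    /// Smallest amount to send so that at least `desired_post` arrives.
    pub fn pre_fee_amount_for(&self, desired_post: u64) -> Option<u64> {
        let bp = u128::from(self.basis_points);
        if bp == 0 || desired_post == 0 {
            return Some(desired_post);
        }
        // Candidate when the cap binds: the fee is exactly maximum_fee.
        let capped = u128::from(desired_post).checked_add(u128::from(self.maximum_fee))?;
        // Candidate when it does not: ceil(desired * 10_000 / (10_000 - bp)).
        // A 100 % rate has no uncapped solution, so only the capped one applies.
        let uncapped = if bp >= ONE_IN_BASIS_POINTS {
            u128::MAX
        } else {
            let den = ONE_IN_BASIS_POINTS - bp;
            (u128::from(desired_post) * ONE_IN_BASIS_POINTS + den - 1) / den
        };
        let mut candidate = u64::try_from(capped.min(uncapped)).ok()?;
        // Trim any slack left by rounding, then confirm with the forward formula.
        while candidate > desired_post && self.post_fee_amount(candidate - 1)? >= desired_post {
            candidate -= 1;
        }
        (self.post_fee_amount(candidate)? >= desired_post).then_some(candidate)
    }
}

/// Minimal vault ledger showing the accounting error the detector flags.
#[derive(Default, Debug)]
pub struct Vault {
    /// What the program believes it holds (sum of credited deposits).
    pub ledger: u64,
    /// What the token account really holds after fees were withheld.
    pub token_balance: u64,
}

impl Vault {
    /// Bug: credits the instruction amount although the token program withheld a fee.
    pub fn deposit_naive(&mut self, fee: &TransferFee, amount: u64) -> Option<()> {
        self.token_balance = self.token_balance.checked_add(fee.post_fee_amount(amount)?)?;
        self.ledger = self.ledger.checked_add(amount)?;
        Some(())
    }

    /// Fix: credits only what arrived.
    pub fn deposit_fee_aware(&mut self, fee: &TransferFee, amount: u64) -> Option<()> {
        let received = fee.post_fee_amount(amount)?;
        self.token_balance = self.token_balance.checked_add(received)?;
        self.ledger = self.ledger.checked_add(received)?;
        Some(())
    }

    /// Every unit promised in the ledger must be backed by a real token.
    pub fn solvent(&self) -> bool {
        self.ledger <= self.token_balance
    }
}

fn main() {
    // Constructed mint parameters: 2.5 % fee capped at 1_000 base units.
    let fee = TransferFee { basis_points: 250, maximum_fee: 1_000 };
    let (mut naive, mut fixed) = (Vault::default(), Vault::default());
    naive.deposit_naive(&fee, 100_000).unwrap();
    fixed.deposit_fee_aware(&fee, 100_000).unwrap();
    println!("naive: {:?} solvent={}", naive, naive.solvent());
    println!("fixed: {:?} solvent={}", fixed, fixed.solvent());
    println!("send {:?} so that 9_750 arrive", fee.pre_fee_amount_for(9_750));
}
```

In an on-chain program the robust fix is not to recompute the fee at all but to read the destination token account's amount before and after the transfer CPI and credit the difference; the fee schedule can change between epochs (the crate exposes TransferFeeConfig::get_epoch_fee for the current one), so a locally computed fee can be stale even when the arithmetic is right.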
How to Resolve
use solana_program::{account_info::{next_account_info, AccountInfo}, entrypoint::ProgramResult, program_error::ProgramError};
use spl_token_2022::{extension::{transfer_hook, StateWithExtensions}, state::Mint};

pub fn transfer_with_hook(accounts: &[AccountInfo], amount: u64) -> ProgramResult {
    let account_iter = &mut accounts.iter();
    let _source = next_account_info(account_iter)?;
    let _destination = next_account_info(account_iter)?;
    let mint = next_account_info(account_iter)?;
    // Only trust extension data from an account the Token-2022 program owns
    if mint.owner != &spl_token_2022::id() {
        return Err(ProgramError::IncorrectProgramId);
    }
    // Unpack the mint together with its TLV extensions and read the hook
    // program id recorded there, if the TransferHook extension is present
    let hook_program_id = {
        let mint_data = mint.data.borrow();
        let mint_state = StateWithExtensions::<Mint>::unpack(&mint_data)?;
        transfer_hook::get_program_id(&mint_state)
    };
    if let Some(hook_program_id) = hook_program_id {
        // The mint has a hook: the caller must pass the hook program, and it
        // must be the one the mint records, not an attacker-chosen account
        let hook_program = next_account_info(account_iter)?;
        if hook_program.key != &hook_program_id {
            return Err(ProgramError::InvalidAccountData);
        }
    }
    // Transfer with transfer_checked so the token program invokes the hook;
    // spl_token_2022::onchain::invoke_transfer_checked resolves the hook's
    // extra accounts from the remaining accounts and forwards them
    // ...
    Ok(())
}
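What the hook check in the remediation does underneath, as an added example that is not from this page or from the SPL project: a hand-rolled walk of the Token-2022 mint layout (the 82-byte legacy Mint, zero padding up to the 165-byte Account size, one account-type byte, then little-endian type/length/value entries, with TransferHook = 14 carrying a 32-byte authority followed by the 32-byte hook program id) over a constructed mint buffer, followed by the rule that decides whether the hook program account a caller supplied is acceptable. A real program should use StateWithExtensions from spl_token_2022 rather than this parser; MintError, build_mint and the 0xAA/0xBB/0xCC keys are constructed for the illustration.

```rust
/// Token-2022 mint layout: the 82-byte legacy Mint, zero padding up to the
/// 165-byte legacy Account size, one AccountType byte, then TLV entries.
pub const MINT_BASE_LEN: usize = 82;
pub const ACCOUNT_TYPE_OFFSET: usize = 165;
pub const TLV_START: usize = 166;
pub const ACCOUNT_TYPE_MINT: u8 = 1;
/// ExtensionType discriminants (u16, little-endian) used in this example.
pub const EXT_UNINITIALIZED: u16 = 0;
pub const EXT_TRANSFER_FEE_CONFIG: u16 = 1;
pub const EXT_TRANSFER_HOOK: u16 = 14;

#[derive(Debug, PartialEq)]
pub enum MintError { BadLength, NotAMint, NonZeroPadding, TruncatedTlv, MissingHookProgram, WrongHookProgram }

fn u16_at(tlv: &[u8], pos: usize) -> Result<u16, MintError> {
    let bytes = tlv.get(pos..pos + 2).ok_or(MintError::TruncatedTlv)?;
    Ok(u16::from_le_bytes([bytes[0], bytes[1]]))
}

/// Walks the TLV region and returns (extension type, value bytes) pairs,
/// stopping at an Uninitialized entry or at the end of the data.
pub fn extensions(mint_data: &[u8]) -> Result<Vec<(u16, &[u8])>, MintError> {
    if mint_data.len() < MINT_BASE_LEN {
        return Err(MintError::BadLength);
    }
    if mint_data.len() == MINT_BASE_LEN {
        return Ok(Vec::new()); // legacy-sized mint: no extensions at all
    }
    if mint_data.len() <= TLV_START {
        return Err(MintError::BadLength);
    }
    if mint_data[MINT_BASE_LEN..ACCOUNT_TYPE_OFFSET].iter().any(|&b| b != 0) {
        return Err(MintError::NonZeroPadding);
    }
    if mint_data[ACCOUNT_TYPE_OFFSET] != ACCOUNT_TYPE_MINT {
        return Err(MintError::NotAMint); // e.g. a token account passed as the mint
    }
    let tlv = &mint_data[TLV_START..];
    let (mut out, mut pos) = (Vec::new(), 0usize);
    while pos < tlv.len() {
        let ty = u16_at(tlv, pos)?;
        if ty == EXT_UNINITIALIZED {
            break;
        }
        let len = usize::from(u16_at(tlv, pos + 2)?);
        let value = tlv.get(pos + 4..pos + 4 + len).ok_or(MintError::TruncatedTlv)?;
        out.push((ty, value));
        pos += 4 + len;
    }
    Ok(out)
}

/// Hook program recorded in the mint: bytes 32..64 of the TransferHook value
/// (after the 32-byte authority). An all-zero pubkey means "no program".
pub fn transfer_hook_program_id(mint_data: &[u8]) -> Result<Option<[u8; 32]>, MintError> {
    for (ty, value) in extensions(mint_data)? {
        if ty == EXT_TRANSFER_HOOK {
            let bytes = value.get(32..64).ok_or(MintError::TruncatedTlv)?;
            let mut program_id = [0u8; 32];
            program_id.copy_from_slice(bytes);
            return Ok((program_id != [0u8; 32]).then_some(program_id));
        }
    }
    Ok(None)
}

/// The check behind the remediation: if the mint records a hook, the caller must
/// have supplied the hook program account and it must be that exact program.
pub fn validate_hook_program(mint_data: &[u8], supplied: Option<[u8; 32]>) -> Result<(), MintError> {
    match (transfer_hook_program_id(mint_data)?, supplied) {
        (None, _) => Ok(()),
        (Some(_), None) => Err(MintError::MissingHookProgram),
        (Some(expected), Some(given)) if expected == given => Ok(()),
        (Some(_), Some(_)) => Err(MintError::WrongHookProgram),
    }
}

/// Constructed test fixture: zeroed base fields, Mint account type, then entries.
pub fn build_mint(exts: &[(u16, Vec<u8>)]) -> Vec<u8> {
    let mut data = vec![0u8; TLV_START];
    data[ACCOUNT_TYPE_OFFSET] = ACCOUNT_TYPE_MINT;
    for (ty, value) in exts {
        data.extend_from_slice(&ty.to_le_bytes());
        data.extend_from_slice(&(value.len() as u16).to_le_bytes());
        data.extend_from_slice(value);
    }
    data
}

fn main() {
    let hook_program = [0xBBu8; 32]; // constructed key standing in for the hook program
    let mut hook = vec![0xAAu8; 32]; // constructed hook authority
    hook.extend_from_slice(&hook_program);
    let mint = build_mint(&[(EXT_TRANSFER_FEE_CONFIG, vec![0u8; 108]), (EXT_TRANSFER_HOOK, hook)]);
    println!("extensions: {:?}", extensions(&mint).map(|e| e.iter().map(|(t, _)| *t).collect::<Vec<_>>()));
    println!("right program: {:?}", validate_hook_program(&mint, Some(hook_program)));
    println!("wrong program: {:?}", validate_hook_program(&mint, Some([0xCC; 32])));
}
```

The parser deliberately rejects rather than ignores a wrong account-type byte, non-zero padding or a truncated entry: each of those is how a token account or a crafted buffer ends up being read as a mint. The owner check (the account must belong to the Token-2022 program) still has to happen before any of this, on the AccountInfo, since raw bytes carry no owner.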
Examples
Sample Sigvex Output
{
  "detector_id": "spl-token-2022-extensions",
  "severity": "high",
  "confidence": 0.78,
  "description": "Token-2022 transfer operation without transfer hook validation. The mint may have a transfer hook that is being bypassed.",
  "location": { "function": "transfer_tokens", "offset": 3 }
}
Detection Methodology
- Token-2022 identification: Detects CPI calls targeting the Token-2022 program ID.
- Extension analysis: Identifies operations that involve Token-2022 specific extensions (transfer hooks, fees, confidential transfers).
- Hook validation: Checks whether transfer operations include proper hook program validation.
- Fee accounting: Verifies that transfer fee calculations are present when the mint has a fee extension.
Limitations
- Token-2022 extension detection depends on recognizing the Token-2022 program ID in CPI calls.
- Extension-specific validation patterns vary widely and may not all be recognized.
- The detector cannot determine which extensions are enabled on a specific mint without runtime state.
Related Detectors
- SPL Token Transfer Hooks — focused transfer hook security analysis
- SPL Token Authority Confusion — authority confusion in Token-2022 context