SPL Token Compliance
Detects SPL Token standard compliance violations.
Overview
The SPL Token compliance detector identifies programs that violate the SPL Token standard, including incorrect token program ID usage, missing CPI validation before token operations, improper account checking, and incompatibility with wallet integrations.
For remediation guidance, see SPL Token Compliance Remediation.
Why This Is an Issue
The SPL Token Program defines a standard for token accounts, including required fields, ownership, and operation semantics. Programs that do not follow this standard cause integration failures with wallets, exchanges, and other protocols. An unvalidated token program ID lets a caller route the CPI to an attacker-controlled program instead of SPL Token, and missing ownership checks allow unauthorized token operations.
How to Resolve
Before (Vulnerable)
// Vulnerable: no token program validation
use anchor_lang::prelude::*;
use anchor_lang::solana_program::program::invoke;

// `token_program` in this version is a raw AccountInfo, so whatever account the
// caller passes is handed straight to `invoke` as the program to execute.
pub fn transfer(ctx: Context<Transfer>, amount: u64) -> Result<()> {
    invoke(
        &spl_token::instruction::transfer(
            ctx.accounts.token_program.key, // Not validated
            &ctx.accounts.source.key(),
            &ctx.accounts.dest.key(),
            &ctx.accounts.authority.key(),
            &[],
            amount,
        )?,
        &ctx.accounts.to_account_infos(),
    )?; // invoke returns a ProgramError; `?` converts it into Anchor's error type
    Ok(())
}
After (Fixed)
// Fixed: use Anchor's Program type to validate token program
use anchor_lang::prelude::*;
use anchor_spl::token::{Token, TokenAccount};

#[derive(Accounts)]
pub struct Transfer<'info> {
    // Account<TokenAccount> checks that the account is owned by the token program
    // and deserializes as a token account, covering the account-ownership check.
    #[account(mut)]
    pub source: Account<'info, TokenAccount>,
    #[account(mut)]
    pub dest: Account<'info, TokenAccount>,
    pub authority: Signer<'info>,
    // Program<Token> rejects any account whose key is not the SPL Token program ID
    // before the handler runs, so the CPI below cannot target another program.
    pub token_program: Program<'info, Token>, // Validated program ID
}
Example JSON Finding
{
    "detector": "spl-token-compliance",
    "severity": "medium",
    "confidence": 0.6,
    "message": "Token CPI without token program ID validation",
    "location": { "function": "transfer", "block": 0, "statement": 1 }
}
Detection Methodology
- CPI operation analysis: Identifies CPI calls to token-like programs.
- Program ID validation: Checks for explicit validation of the token program key.
- Account pattern checking: Verifies token account ownership and mint constraints.
- Standard compliance: Compares operation patterns against SPL Token standard requirements.
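As an added illustration of the "Program ID validation" step above (example code, not the detector's own implementation), the sketch below runs that check over a constructed mini-IR whose locations follow the JSON finding shape. The `Stmt`, `Finding` and `find_unvalidated_token_cpi` names are assumptions for this example; both remediation routes from "How to Resolve", Anchor's `Program<'info, Token>` declaration and an explicit key comparison, are treated as validation.

```rust
use std::collections::HashSet;

/// Constructed mini-IR for this example, not the detector's real representation.
#[derive(Debug, Clone, PartialEq)]
pub enum Stmt {
    /// Explicit comparison of `account`'s key against the SPL Token program id.
    ValidateProgramId { account: &'static str },
    /// CPI into a token-like program, invoked through `program_account`.
    TokenCpi { program_account: &'static str },
    Other, // arithmetic, logging, anything not relevant here
}

/// Location of a finding, matching the JSON example above.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub function: String,
    pub block: usize,
    pub statement: usize,
}

/// Flags each token CPI whose program account was neither declared with Anchor's
/// `Program<'info, Token>` (`typed_programs`) nor compared against the token program
/// id by an earlier statement. Blocks are scanned in order, a linear approximation
/// of "validated before use"; a real detector would walk the control-flow graph.
pub fn find_unvalidated_token_cpi(
    function: &str,
    blocks: &[Vec<Stmt>],
    typed_programs: &[&'static str],
) -> Vec<Finding> {
    let mut validated: HashSet<&'static str> = typed_programs.iter().copied().collect();
    let mut findings = Vec::new();
    for (b, block) in blocks.iter().enumerate() {
        for (s, stmt) in block.iter().enumerate() {
            match stmt {
                Stmt::ValidateProgramId { account } => {
                    validated.insert(*account);
                }
                Stmt::TokenCpi { program_account } if !validated.contains(program_account) => {
                    findings.push(Finding { function: function.to_string(), block: b, statement: s });
                }
                _ => {}
            }
        }
    }
    findings
}
```

A validation that appears after the CPI does not clear the finding, which is the ordering the "before token operations" wording in the overview refers to.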
Limitations
- False positives: Programs that validate the token program through PDAs or indirect checks.
- False negatives: Custom token implementations that mimic but do not fully follow SPL standards.
Related Detectors
- Metaplex Compliance — metadata standard compliance
- Token Extension Security — Token-2022 extension issues