SPL Token Delegation Chain Depth
Detects excessive delegation chain depth that increases attack surface and complexity.
Overview
Remediation Guide: How to Fix SPL Token Delegation Chain Depth
The delegation chain depth detector identifies functions that create deep delegation chains where User A delegates to B, B delegates to C, and so on. Chains exceeding 3 hops increase attack surface, make auditing difficult, and complicate access control reasoning. Chains of 5 or more hops are flagged at high severity.
Why This Is an Issue
Deep delegation chains create compounding security risks:
- Expanded attack surface: Compromise at any hop affects all downstream delegates
- Audit complexity: Each hop must be verified independently, making security reviews difficult
- Principle of least privilege violation: Deep chains accumulate permissions across many actors
- Revocation complexity: Revoking at the root may not propagate to all downstream delegates
The recommended maximum delegation depth is 3 hops.
CWE mapping: CWE-269 (Improper Privilege Management).
How to Resolve
use solana_program::{
    account_info::AccountInfo, entrypoint::ProgramResult, program::invoke,
    program_error::ProgramError,
};

/// Recommended maximum delegation depth (3 hops, per this guide).
pub const MAX_DELEGATION_DEPTH: u8 = 3;

// `get_delegation_depth` (returns the hops already leading to this token
// account as `Result<u8, ProgramError>`) and `ErrorCode` are program-defined.
pub fn approve_delegate(accounts: &[AccountInfo], amount: u64) -> ProgramResult {
    let token_account = &accounts[0];
    let delegate = &accounts[1];
    let authority = &accounts[2];

    // Enforce maximum delegation depth before adding another hop.
    let current_depth = get_delegation_depth(token_account)?;
    if current_depth >= MAX_DELEGATION_DEPTH {
        return Err(ProgramError::Custom(ErrorCode::ExcessiveDelegationDepth as u32));
    }

    // Depth check passed: build and invoke the SPL Token Approve instruction.
    let ix = spl_token::instruction::approve(
        &spl_token::id(), token_account.key, delegate.key,
        authority.key, &[], amount,
    )?;
    invoke(&ix, accounts)?;
    Ok(())
}
Examples
Sample Sigvex Output
{
  "detector_id": "spl-token-delegation-chain-depth",
  "severity": "medium",
  "confidence": 0.78,
  "description": "Detected delegation chain with 4 hops, exceeding the recommended maximum of 3. Deep chains increase attack surface and complicate access control reasoning.",
  "location": { "function": "multi_delegate", "offset": 0 }
}
Detection Methodology
- Delegation graph construction: Builds a directed graph from Approve/ApproveChecked CPI operations, mapping delegator to delegate relationships.
- DFS depth calculation: Uses iterative depth-first search with cycle detection to find the maximum chain depth.
- Threshold reporting: Chains exceeding 3 hops generate medium-severity findings; chains exceeding 5 hops generate high-severity findings.
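The methodology above, as an added Rust example that is not Sigvex's own code: constructed (delegator, delegate) edges stand in for the Approve/ApproveChecked relationships the detector recovers, an iterative DFS with cycle detection returns the maximum chain depth, and the result is mapped onto the 3-hop and 5-hop thresholds.

```rust
use std::collections::{HashMap, HashSet};

/// Severity buckets from the detector's thresholds: more than 3 hops is
/// medium, more than 5 hops is high.
#[derive(Debug, PartialEq)]
pub enum Severity { Ok, Medium, High }

pub fn classify(hops: usize) -> Severity {
    match hops {
        h if h > 5 => Severity::High,
        h if h > 3 => Severity::Medium,
        _ => Severity::Ok,
    }
}

/// Longest delegation chain, in hops, over edges (delegator, delegate) as they
/// would be recovered from Approve/ApproveChecked CPIs. Iterative DFS with an
/// explicit stack; `on_path` holds the nodes of the walk in progress so a
/// cycle (A->B->A) is skipped instead of being followed forever.
pub fn max_chain_depth(edges: &[(&str, &str)]) -> usize {
    let mut graph: HashMap<&str, Vec<&str>> = HashMap::new();
    for &(from, to) in edges {
        graph.entry(from).or_default().push(to);
    }
    let mut best: usize = 0;
    for &start in graph.keys() {
        // Frame: (node, hops from start, entering). An exit frame removes the
        // node from the path once all of its successors have been explored.
        let mut stack = vec![(start, 0usize, true)];
        let mut on_path: HashSet<&str> = HashSet::new();
        while let Some((node, hops, entering)) = stack.pop() {
            if !entering {
                on_path.remove(node);
                continue;
            }
            on_path.insert(node);
            best = best.max(hops);
            stack.push((node, hops, false));
            if let Some(nexts) = graph.get(node) {
                for &next in nexts {
                    if !on_path.contains(next) {
                        stack.push((next, hops + 1, true));
                    }
                }
            }
        }
    }
    best
}
```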
Limitations
- Simplified HIR account extraction may not accurately represent delegation relationships from complex instruction layouts.
- Cross-transaction delegation chains (where each hop is a separate transaction) are not tracked.
- The detector analyzes single functions; delegation chains spanning multiple instructions are not visible.
Related Detectors
- SPL Token Delegation Security — detects unsafe delegation patterns
- SPL Token Delegation Overflow — detects overflow in delegation amounts
- Authority Chain Validation — detects authority chain issues