SPL Token Freeze Burn Validation
Detects unsafe freeze and burn operations with missing authority validation or balance checks.
Overview
Remediation Guide: How to Fix SPL Token Freeze Burn Validation
The freeze/burn validation detector identifies programs that perform FreezeAccount, ThawAccount, Burn, or BurnChecked operations without proper authority validation or balance checks. Missing freeze authority validation allows attackers to freeze legitimate user accounts, while missing burn authority checks enable unauthorized token destruction.
Why This Is an Issue
Freeze and burn operations have significant impact on token holders:
- Unauthorized freeze: An attacker freezes user accounts, preventing transfers and causing denial of service
- Unauthorized thaw: An attacker unfreezes accounts that were deliberately frozen for compliance or security
- Unauthorized burn: An attacker burns tokens from accounts they do not own
- Missing balance check: While the SPL Token program rejects insufficient burns at runtime, explicit checks provide better error handling
CWE mapping: CWE-863 (Incorrect Authorization), CWE-754 (Improper Check for Unusual Conditions).
How to Resolve
use solana_program::{
    account_info::AccountInfo,
    entrypoint::ProgramResult,
    program::invoke,
    program_error::ProgramError,
    program_option::COption,
    program_pack::Pack,
};
use spl_token::state::Mint;

pub fn freeze_account(accounts: &[AccountInfo]) -> ProgramResult {
    let token_account = &accounts[0];
    let mint = &accounts[1];
    let freeze_authority = &accounts[2];

    // Validate token account ownership: the account must belong to the SPL Token program
    if token_account.owner != &spl_token::id() {
        return Err(ProgramError::IncorrectProgramId);
    }
    // Validate that the freeze authority actually signed this transaction
    if !freeze_authority.is_signer {
        return Err(ProgramError::MissingRequiredSignature);
    }
    // Match the signer against the freeze authority recorded in the mint
    let mint_data = Mint::unpack(&mint.data.borrow())?;
    if mint_data.freeze_authority != COption::Some(*freeze_authority.key) {
        return Err(ProgramError::InvalidAccountData);
    }
    // Only after all checks pass, issue the CPI to the SPL Token program
    let ix = spl_token::instruction::freeze_account(
        &spl_token::id(),
        token_account.key,
        mint.key,
        freeze_authority.key,
        &[],
    )?;
    invoke(&ix, accounts)?;
    Ok(())
}
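The page shows the freeze path only; the following added example (not Sigvex's or the page's code) shows the corresponding pre-burn checks the detector looks for: signer validation, owner-or-delegate authority matching, mint matching, frozen state and an explicit balance check, all performed before any CPI. `Pubkey`, `TokenAccount` and `Authority` are constructed stand-ins for `solana_program::pubkey::Pubkey`, `spl_token::state::Account` and `AccountInfo`, so the block runs without the Solana crates.

```rust
/// Constructed stand-in for solana_program::pubkey::Pubkey.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

/// Constructed stand-in for the fields of spl_token::state::Account used by Burn.
#[derive(Clone, Debug)]
pub struct TokenAccount {
    pub mint: Pubkey,
    pub owner: Pubkey,
    pub amount: u64,
    pub delegate: Option<Pubkey>,
    pub delegated_amount: u64,
    pub is_frozen: bool,
}

/// The authority account passed to the instruction; `is_signer` mirrors AccountInfo::is_signer.
#[derive(Clone, Copy, Debug)]
pub struct Authority {
    pub key: Pubkey,
    pub is_signer: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum BurnError {
    MissingRequiredSignature,
    OwnerMismatch, // authority is neither the owner nor a delegate with enough allowance
    MintMismatch,  // token account belongs to a different mint than expected
    AccountFrozen,
    InsufficientFunds,
}

/// Validates a Burn of `amount` before any CPI is issued.
/// Returns the balance that will remain after the burn on success.
pub fn validate_burn(
    acct: &TokenAccount,
    expected_mint: &Pubkey,
    authority: &Authority,
    amount: u64,
) -> Result<u64, BurnError> {
    // Authority validation: the authority must have signed the transaction ...
    if !authority.is_signer {
        return Err(BurnError::MissingRequiredSignature);
    }
    // Account validation: the token account must be for the mint we expect and not frozen.
    if acct.mint != *expected_mint {
        return Err(BurnError::MintMismatch);
    }
    if acct.is_frozen {
        return Err(BurnError::AccountFrozen);
    }
    // ... and must be the owner, or a delegate whose allowance covers the burn.
    let authorized = authority.key == acct.owner
        || (acct.delegate == Some(authority.key) && acct.delegated_amount >= amount);
    if !authorized {
        return Err(BurnError::OwnerMismatch);
    }
    // Explicit pre-burn balance check (the "missing balance check" finding).
    acct.amount.checked_sub(amount).ok_or(BurnError::InsufficientFunds)
}
```

In a real program each branch maps to a distinct `ProgramError` so callers see why the burn was refused instead of a generic failure from the SPL Token program's own check.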
Examples
Sample Sigvex Output
{
  "detector_id": "spl-token-freeze-burn",
  "severity": "high",
  "confidence": 0.80,
  "description": "Freezing account without validating freeze authority. An attacker could pass an arbitrary account to freeze user tokens.",
  "location": { "function": "freeze_account", "offset": 1 }
}
Detection Methodology
- Operation classification: Identifies FreezeAccount (10), ThawAccount (11), Burn (8), and BurnChecked (15) CPI operations.
- Authority validation: Checks that freeze/burn authority accounts have been validated as signers and matched against expected values.
- Balance checking: For burn operations, looks for comparison operations that indicate pre-burn balance validation.
- Account validation: Verifies token accounts are validated before freeze/burn operations.
Limitations
- Balance checks are heuristically detected and may not capture all validation patterns.
- Authority matching via helper functions may not be tracked.
- Combined freeze-then-burn attack patterns require cross-operation analysis.
Related Detectors
- SPL Token Mint Authority — detects mint authority vulnerabilities
- SPL Token Authority Confusion — detects authority type confusion
- Token Balance Invariant — detects balance invariant violations