SPL Token Transfer Hooks
Detects transfer hook vulnerabilities including bypass, reentrancy, and missing validation.
Overview
Remediation Guide: How to Fix SPL Token Transfer Hooks
The transfer hook security detector identifies vulnerabilities in Token-2022 transfer hook implementations and usage. Transfer hooks allow custom logic to execute during token transfers, but improper implementation or usage creates bypass opportunities, reentrancy risks, and circular dependency issues.
Why This Is an Issue
Transfer hooks are a Token-2022 extension that invokes a custom program during every token transfer. Security issues include:
- Hook bypass: Using standard Token program transfer instead of Token-2022 transfer, bypassing the hook entirely
- Missing extra account metas: Not providing required additional accounts that the hook expects, causing failures or partial execution
- Hook reentrancy: A transfer hook that makes reentrant calls back into the token program
- Circular dependencies: Hook programs that call back into the transferring program, creating infinite loops
CWE mapping: CWE-863 (Incorrect Authorization), CWE-696 (Incorrect Behavior Order).
How to Resolve
```rust
use solana_program::{account_info::AccountInfo, entrypoint::ProgramResult, program_error::ProgramError};
use spl_token_2022::{extension::{transfer_hook, StateWithExtensions}, onchain::invoke_transfer_checked, state::Mint};

/// Account layout: [source, destination, mint, authority, hook program and its
/// extra account metas...]; everything after the authority is forwarded to Token-2022.
pub fn transfer_with_hooks(accounts: &[AccountInfo], amount: u64) -> ProgramResult {
    let (source, destination, mint, authority) = (&accounts[0], &accounts[1], &accounts[2], &accounts[3]);
    let extra_accounts = &accounts[4..];
    // A mint owned by the legacy Token program has no extensions: refuse it instead of
    // transferring without hook semantics (this is the bypass the detector flags).
    if mint.owner != &spl_token_2022::id() {
        return Err(ProgramError::IncorrectProgramId);
    }
    // Check if mint has transfer hook extension. The data borrow is scoped so it is
    // released before the CPI, which needs to borrow the mint account again.
    let decimals = {
        let mint_data = mint.data.borrow();
        let mint_state = StateWithExtensions::<Mint>::unpack(&mint_data)?;
        if transfer_hook::get_program_id(&mint_state).is_some() {
            // Must use Token-2022 transfer_checked which invokes hooks
            // Must include extra account metas, or the hook CPI fails
            if extra_accounts.is_empty() {
                return Err(ProgramError::NotEnoughAccountKeys);
            }
        }
        mint_state.base.decimals
    };
    // invoke_transfer_checked resolves the extra account metas from the forwarded
    // accounts and invokes the hook program as part of the Token-2022 transfer
    invoke_transfer_checked(
        &spl_token_2022::id(), source.clone(), mint.clone(), destination.clone(),
        authority.clone(), extra_accounts, amount, decimals, &[],
    )?;
    Ok(())
}
```
Examples
Sample Sigvex Output
```json
{
  "detector_id": "spl-token-transfer-hooks",
  "severity": "high",
  "confidence": 0.78,
  "description": "Transfer operation does not validate or invoke the transfer hook program. Token-2022 mints with transfer hooks require hook invocation on every transfer.",
  "location": { "function": "transfer_tokens", "offset": 2 }
}
```
Detection Methodology
- Transfer detection: Identifies token transfer CPI operations.
- Hook validation: Checks whether transfer operations include hook program validation when Token-2022 is involved.
- Extra account metas: Verifies that required additional accounts for hooks are resolved and included.
- Reentrancy analysis: Detects patterns where hook programs make CPI calls back to the transferring program.
- Circular dependency detection: Identifies bidirectional CPI relationships that could cause infinite loops.
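As an added illustration of the methodology above (not Sigvex's own code), the hook validation, extra account metas and circular dependency checks can be sketched in Python over a constructed model of a program's CPIs; the `Vault` and `HookProg` program names, the `Cpi` model and the `HOOKS` table are assumptions, while the two token program ids are real.

```python
from dataclasses import dataclass
# Program ids of the legacy SPL Token program and Token-2022 (these two are real).
TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"
TOKEN_2022 = "TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb"
@dataclass
class Cpi:                    # one cross-program invocation found inside `caller`
    caller: str
    callee: str
    ix: str
    mint: str = ""            # mint the instruction moves, "" for non-token CPIs
    extra_accounts: int = 0   # accounts passed beyond source/mint/destination/authority
def check_transfers(cpis, hooks):
    """hooks maps mint -> transfer hook program id (None when the extension is absent)."""
    findings = []
    for c in cpis:
        if c.ix not in ("transfer", "transfer_checked") or not hooks.get(c.mint):
            continue                      # not a transfer, or no hook: nothing to enforce
        if c.callee != TOKEN_2022:        # legacy Token program never invokes the hook
            findings.append(("hook-bypass", c.caller, c.mint))
        elif c.ix != "transfer_checked":  # plain transfer passes no mint, so no hook runs
            findings.append(("needs-transfer-checked", c.caller, c.mint))
        elif c.extra_accounts == 0:       # hook program and extra metas not forwarded
            findings.append(("missing-extra-account-metas", c.caller, c.mint))
    return findings
def find_cpi_cycles(cpis, hooks):
    """Programs on a CPI cycle: explicit CPI edges plus the implicit caller -> hook edge."""
    graph = {}
    for c in cpis:
        graph.setdefault(c.caller, set()).add(c.callee)
        if c.ix == "transfer_checked" and hooks.get(c.mint):
            graph[c.caller].add(hooks[c.mint])  # Token-2022 will CPI into the hook
    on_cycle = set()
    def walk(node, path):                 # DFS recording every program on a closed path
        if node in path:
            on_cycle.update(path[path.index(node):])
            return
        for nxt in graph.get(node, ()):
            walk(nxt, path + [node])
    for start in list(graph):
        walk(start, [])
    return on_cycle
# Constructed sample: a vault moving a hooked mint, plus a hook program calling back into it.
HOOKS = {"HOOKED": "HookProg", "PLAIN": None}
CPIS = [
    Cpi("Vault", TOKEN_PROGRAM, "transfer", "HOOKED"),          # hook bypass
    Cpi("Vault", TOKEN_2022, "transfer", "HOOKED"),             # needs transfer_checked
    Cpi("Vault", TOKEN_2022, "transfer_checked", "HOOKED", 0),  # missing extra metas
    Cpi("Vault", TOKEN_2022, "transfer_checked", "HOOKED", 3),  # correct usage
    Cpi("HookProg", "Vault", "record_transfer"),                # closes the cycle
]
```

Running `check_transfers(CPIS, HOOKS)` yields one finding for each of the three flawed CPIs, and `find_cpi_cycles(CPIS, HOOKS)` returns both `Vault` and `HookProg`, since the hooked transfer makes Token-2022 invoke `HookProg`, which calls straight back into `Vault`.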
Limitations
- Determining whether a mint has a transfer hook extension requires runtime state not available at static analysis time.
- Hook reentrancy detection is limited to single-function analysis.
- Complex multi-program circular dependencies may not be fully detected.
Related Detectors
- Token-2022 Extensions — broader Token-2022 extension analysis
- CPI Reentrancy — general CPI reentrancy detection