Swap Validation
Detects missing validation in token swap operations.
Overview
The swap validation detector identifies missing validation in token swap operations including unvalidated token pair mints, unchecked swap amounts, missing token account ownership verification, unvalidated pool or DEX authority, and missing deadline or expiry checks.
For remediation guidance, see Swap Validation Remediation.
Why This Is an Issue
Without proper validation, swap operations can accept wrong tokens (stealing user funds), execute with invalid amounts (arithmetic errors), allow unauthorized access through missing owner checks, and be manipulated by unauthorized programs. Each missing validation creates a distinct attack vector that can be exploited independently or in combination.
How to Resolve
Before (Vulnerable)
// Vulnerable: no mint validation, no amount check
pub fn swap(ctx: Context<Swap>, amount: u64) -> Result<()> {
    // `amount` may be zero, the source account's mint is never compared
    // against the pool's expected mint, the source owner is never checked,
    // and there is no minimum output or deadline, so any quote is accepted.
    let output = calculate_output(&ctx.accounts.pool, amount)?;
    token::transfer(ctx.accounts.into_ctx(), output)?;
    Ok(())
}
After (Fixed)
// Fixed: validates mints, amounts, ownership, and deadline
pub fn swap(ctx: Context<Swap>, amount: u64, min_out: u64, deadline: i64) -> Result<()> {
    // Reject empty swaps before doing any arithmetic.
    require!(amount > 0, ErrorCode::ZeroAmount);
    // Reject transactions that land after the caller's deadline.
    require!(Clock::get()?.unix_timestamp <= deadline, ErrorCode::Expired);
    // The source token account must hold the mint this pool expects.
    require!(
        ctx.accounts.source_mint.key() == ctx.accounts.pool.token_a_mint,
        ErrorCode::InvalidMint
    );
    // The signer must be the owner of the source token account.
    require!(
        ctx.accounts.source.owner == ctx.accounts.authority.key(),
        ErrorCode::InvalidOwner
    );
    let output = calculate_output(&ctx.accounts.pool, amount)?;
    // Slippage bound: never deliver less than the caller agreed to.
    require!(output >= min_out, ErrorCode::SlippageExceeded);
    token::transfer(ctx.accounts.into_ctx(), output)?;
    Ok(())
}
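The fixed handler above depends on Anchor types, so the check sequence cannot be exercised without a validator. The following is an added example, not the detector's or any project's code: the same checks, in the same order, written as framework-free Rust against constructed inputs, with a constant-product quote using checked arithmetic. Pubkey, TokenAccount, Pool, SwapRequest and the reserve values are simplified stand-ins I made up for this example; the balance bound (`InsufficientFunds`) is an addition matching the "upper bounds" the methodology section mentions, not part of the snippet on this page.

```rust
use std::convert::TryFrom;

// Added example, not the detector's or any project's code: the checks from the
// "After (Fixed)" snippet as framework-free Rust. Pubkey, TokenAccount and Pool
// are simplified stand-ins for the Anchor/SPL types.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

impl Pubkey {
    /// Deterministic placeholder address (constructed, not a real derivation).
    pub fn placeholder(tag: u8) -> Self { Pubkey([tag; 32]) }
}

/// The SPL token-account fields the checks read.
#[derive(Debug)]
pub struct TokenAccount { pub mint: Pubkey, pub owner: Pubkey, pub amount: u64 }

/// Minimal constant-product pool state (hypothetical layout).
#[derive(Debug)]
pub struct Pool { pub token_a_mint: Pubkey, pub token_b_mint: Pubkey, pub reserve_a: u64, pub reserve_b: u64 }

/// ErrorCode variants from the fixed snippet plus two the quote path can raise.
#[derive(Debug, PartialEq, Eq)]
pub enum SwapError { ZeroAmount, Expired, InvalidMint, InvalidOwner, SlippageExceeded, InsufficientFunds, Overflow }

/// Accounts, instruction arguments and the clock reading the handler uses.
pub struct SwapRequest<'a> {
    pub pool: &'a Pool,
    pub source: &'a TokenAccount,
    pub authority: Pubkey, // the transaction signer
    pub amount: u64,
    pub min_out: u64,
    pub deadline: i64,
    pub now: i64,          // Clock::get()?.unix_timestamp on-chain
}

/// Constant-product quote out = reserve_b * in / (reserve_a + in); the u128
/// widening and checked_add keep the arithmetic from wrapping.
pub fn calculate_output(pool: &Pool, amount_in: u64) -> Result<u64, SwapError> {
    let new_reserve_a = pool.reserve_a.checked_add(amount_in).ok_or(SwapError::Overflow)?;
    let out = u128::from(pool.reserve_b) * u128::from(amount_in) / u128::from(new_reserve_a);
    u64::try_from(out).map_err(|_| SwapError::Overflow)
}

/// The fixed snippet's checks in the same order, plus a balance bound (added
/// here) so an amount larger than the source holds is rejected before quoting.
pub fn validate_swap(req: &SwapRequest<'_>) -> Result<u64, SwapError> {
    if req.amount == 0 { return Err(SwapError::ZeroAmount); }
    if req.now > req.deadline { return Err(SwapError::Expired); }
    if req.source.mint != req.pool.token_a_mint { return Err(SwapError::InvalidMint); }
    if req.source.owner != req.authority { return Err(SwapError::InvalidOwner); }
    if req.source.amount < req.amount { return Err(SwapError::InsufficientFunds); }
    let output = calculate_output(req.pool, req.amount)?;
    if output < req.min_out { return Err(SwapError::SlippageExceeded); }
    Ok(output)
}

/// Constructed pool: 1,000,000 of token A against 2,000,000 of token B.
pub fn sample_pool() -> Pool {
    Pool { token_a_mint: Pubkey::placeholder(0x0A), token_b_mint: Pubkey::placeholder(0x0B), reserve_a: 1_000_000, reserve_b: 2_000_000 }
}

/// Baseline request (constructed values): 10,000 in, at least 19,000 out, well before the deadline.
fn request<'a>(pool: &'a Pool, source: &'a TokenAccount, authority: Pubkey) -> SwapRequest<'a> {
    SwapRequest { pool, source, authority, amount: 10_000, min_out: 19_000, deadline: 1_700_000_000, now: 1_699_999_000 }
}

/// Runs the happy path and one scenario per check; returns (label, outcome).
pub fn run_scenarios() -> Vec<(&'static str, Result<u64, SwapError>)> {
    let pool = sample_pool();
    let user = Pubkey::placeholder(0xA1);
    let other = Pubkey::placeholder(0xB2);
    let good = TokenAccount { mint: pool.token_a_mint, owner: user, amount: 100_000 };
    let wrong_mint = TokenAccount { mint: pool.token_b_mint, owner: user, amount: 100_000 };
    let mut zero = request(&pool, &good, user);
    zero.amount = 0;
    let mut late = request(&pool, &good, user);
    late.now = late.deadline + 1;
    let mut too_big = request(&pool, &good, user);
    too_big.amount = 500_000;
    let mut tight = request(&pool, &good, user);
    tight.min_out = 20_000;
    vec![
        ("valid swap", validate_swap(&request(&pool, &good, user))),
        ("zero amount", validate_swap(&zero)),
        ("past deadline", validate_swap(&late)),
        ("wrong source mint", validate_swap(&request(&pool, &wrong_mint, user))),
        ("signer does not own source", validate_swap(&request(&pool, &good, other))),
        ("amount exceeds balance", validate_swap(&too_big)),
        ("min_out above quote", validate_swap(&tight)),
    ]
}

fn main() {
    for (label, outcome) in run_scenarios() {
        println!("{:<28} -> {:?}", label, outcome);
    }
}
```

Only the first scenario reaches the transfer step; each of the others stops at exactly one check, which is the behaviour the detector expects to find and reports as missing when a handler skips one of them. The order matters for cost as well as safety: the cheap argument checks run before any account comparison, and the quote is computed only once the accounts are known to be the right ones.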
Example JSON Finding
{
  "detector": "swap-validation",
  "severity": "high",
  "confidence": 0.7,
  "message": "Swap operation missing token mint validation",
  "location": { "function": "swap", "block": 0, "statement": 1 }
}
Detection Methodology
- Swap CPI identification: Detects CPI calls associated with token swap operations.
- Mint validation search: Checks for comparisons of token account mint addresses against expected values.
- Amount validation: Verifies swap amounts are checked for zero and upper bounds.
- Authority validation: Checks for owner and signer verification on token accounts.
Limitations
False positives: Programs using Anchor’s account constraints may validate implicitly through the derive macro.
False negatives: Custom swap implementations with non-standard validation patterns may not be fully analyzed.
Related Detectors
- Slippage Protection — minimum output validation
- Liquidity Manipulation — pool state manipulation