Token Extension Security
Detects Token-2022 extension security misconfigurations.
Overview
The Token Extension Security detector identifies security misconfigurations in SPL Token-2022 extensions, including: transfer hooks that lack proper validation (amount or recipient checks), metadata extension authority bypass vulnerabilities, interest-bearing token rate manipulation, and misuse of the default account state extension.
For remediation guidance, see Token Extension Security Remediation.
Why This Is an Issue
Token-2022 extensions add powerful capabilities but introduce new attack surfaces. Transfer hooks that do not validate amounts or recipients can be exploited to bypass transfer restrictions. Metadata extension authority bypasses allow unauthorized metadata changes. Interest-bearing token rate manipulation can inflate or deflate token values.
How to Resolve
Before (Vulnerable)

    // Vulnerable: transfer hook without validation
    pub fn execute_hook(ctx: Context<Hook>) -> Result<()> {
        // No validation of amount or recipient: every transfer passes
        msg!("Transfer hook executed");
        Ok(())
    }
After (Fixed)

    // Fixed: validates amount and recipient before the transfer is allowed.
    // MAX_TRANSFER, is_blacklisted and the ExceedsLimit/BlacklistedRecipient
    // error variants are assumed to be defined elsewhere in the program.
    pub fn execute_hook(ctx: Context<Hook>, amount: u64) -> Result<()> {
        require!(amount <= MAX_TRANSFER, ExceedsLimit);
        require!(
            !is_blacklisted(&ctx.accounts.destination),
            BlacklistedRecipient
        );
        Ok(())
    }
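The checks the fixed hook performs, as an added example that is not the detector's or SPL's own code: plain Rust with no Anchor dependency, so the amount bound, recipient screening and their failure modes can be unit-tested offline. Assumed: the hook's instruction data carries the transfer amount as a little-endian u64 after an 8-byte discriminator (a placeholder value is used, not the real interface discriminator); `Pubkey`, `HookPolicy`, `HookError` and the sample keys are constructed for this example.

```rust
// Added example (not the detector's or SPL's own code): a transfer hook's
// amount/recipient validation in plain Rust. Assumption: the instruction
// data is an 8-byte discriminator followed by the amount as u64 LE.
pub type Pubkey = [u8; 32]; // stand-in for solana_program::pubkey::Pubkey

#[derive(Debug, PartialEq)]
pub enum HookError {
    MalformedInstructionData,
    ExceedsLimit { amount: u64, max: u64 },
    BlacklistedRecipient(Pubkey),
}

/// Policy the hook enforces (in a real program this would live in a PDA).
pub struct HookPolicy {
    pub max_transfer: u64,
    pub denylist: Vec<Pubkey>,
}

/// Read the amount: bytes 8..16 of the instruction data, little-endian.
/// Short or truncated data is rejected instead of being read as zero.
pub fn parse_amount(data: &[u8]) -> Result<u64, HookError> {
    let bytes = data.get(8..16).ok_or(HookError::MalformedInstructionData)?;
    let mut buf = [0u8; 8];
    buf.copy_from_slice(bytes);
    Ok(u64::from_le_bytes(buf))
}

/// The two checks the detector looks for: bound the amount and screen the
/// recipient. Returns the validated amount so the caller can log or forward it.
pub fn validate_transfer(
    policy: &HookPolicy,
    data: &[u8],
    destination: &Pubkey,
) -> Result<u64, HookError> {
    let amount = parse_amount(data)?;
    if amount > policy.max_transfer {
        return Err(HookError::ExceedsLimit { amount, max: policy.max_transfer });
    }
    if policy.denylist.contains(destination) {
        return Err(HookError::BlacklistedRecipient(*destination));
    }
    Ok(amount)
}

/// Constructed instruction data: placeholder discriminator plus the amount.
pub fn execute_data(amount: u64) -> Vec<u8> {
    let mut data = vec![0xAB; 8]; // placeholder, not the real discriminator
    data.extend_from_slice(&amount.to_le_bytes());
    data
}
```

A logging-only hook that returns `Ok(())` without these checks is exactly what the detector flags, which is also the source of its false positives on hooks that are meant to pass everything.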
Example JSON Finding

    {
      "detector": "token-extension-security",
      "severity": "high",
      "confidence": 0.65,
      "message": "Transfer hook executes without amount or recipient validation",
      "location": { "function": "execute_hook", "block": 0, "statement": 1 }
    }
Detection Methodology
- Transfer hook detection: Identifies transfer hook implementations and CPI calls.
- Validation analysis: Checks for amount and recipient validation in hook functions.
- Authority check search: Verifies metadata extension authority validation.
- Rate manipulation detection: Flags interest rate modifications without proper authorization.
Limitations
- False positives: transfer hooks that intentionally pass all transfers (logging-only hooks).
- False negatives: complex validation logic in external programs called by the hook.
Related Detectors
- Token-2022 Transfer Fee Bypass — fee calculation issues
- Token-2022 Immutable Owner — owner immutability
- Token-2022 Confidential — confidential transfer issues