Token-2022 Immutable Owner
Detects Token-2022 Immutable Owner extension validation issues.
Overview
The Token-2022 Immutable Owner detector identifies vulnerabilities related to the Immutable Owner extension. This extension prevents token account owner reassignment after initialization. Programs that do not validate this extension properly can allow unauthorized owner changes on accounts that should be immutable, affecting custody programs, vaults, and multi-sig wallets.
For remediation guidance, see Token-2022 Immutable Owner Remediation.
Why This Is an Issue
When an account should have an immutable owner (e.g., a protocol-controlled vault), failing to enable the Immutable Owner extension at initialization allows the owner to be reassigned via SetAuthority. An attacker who gains temporary access to the current authority can permanently transfer ownership, bypassing future access controls.
How to Resolve
Before (Vulnerable)
// Vulnerable: initializes without immutable owner extension
token_2022::initialize_account3(
    ctx.accounts.token_program.key,
    ctx.accounts.vault.key,
    ctx.accounts.mint.key,
    ctx.accounts.authority.key,
)?;
After (Fixed)
// Fixed: enable immutable owner extension before initialization
// (the vault account must already be allocated with room for the
// extension, e.g. sized with ExtensionType::try_calculate_account_len)
token_2022::initialize_immutable_owner(
    ctx.accounts.token_program.key,
    ctx.accounts.vault.key,
)?;
// Only now initialize the base account; SetAuthority can no longer
// reassign its owner
token_2022::initialize_account3(
    ctx.accounts.token_program.key,
    ctx.accounts.vault.key,
    ctx.accounts.mint.key,
    ctx.accounts.authority.key,
)?;
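Enabling the extension at initialization is the fix; a program or audit script can additionally verify that a vault account it is handed actually carries the extension, which also covers accounts initialized in an earlier transaction. The following check is an added example, not the detector's or spl-token-2022's own code; it assumes the Token-2022 account layout stated in its comments and constructs its own sample data.

```rust
// Added example (not the detector's or spl-token-2022's code): inspects raw
// Token-2022 token-account data for the ImmutableOwner extension. Assumed
// layout: 165-byte base, 1 type byte (1 = Account), then TLV entries of
// u16 LE type and u16 LE length plus value; ImmutableOwner discriminant = 7.
const BASE_ACCOUNT_LEN: usize = 165;
const ACCOUNT_TYPE_ACCOUNT: u8 = 1;
const EXT_UNINITIALIZED: u16 = 0;
const EXT_IMMUTABLE_OWNER: u16 = 7;

#[derive(Debug, PartialEq)]
pub enum ExtCheck {
    Present,   // ImmutableOwner extension found: owner cannot be reassigned
    Missing,   // well-formed account without the extension: SetAuthority works
    Malformed, // not a token account, or a TLV entry runs past the buffer
}

/// Walks the TLV extension region and reports whether ImmutableOwner is set.
/// A legacy-size account (no extension region) is reported as Missing.
pub fn check_immutable_owner(data: &[u8]) -> ExtCheck {
    if data.len() <= BASE_ACCOUNT_LEN {
        return ExtCheck::Missing;
    }
    if data[BASE_ACCOUNT_LEN] != ACCOUNT_TYPE_ACCOUNT {
        return ExtCheck::Malformed;
    }
    let mut pos = BASE_ACCOUNT_LEN + 1;
    while pos + 4 <= data.len() {
        let ext_type = u16::from_le_bytes([data[pos], data[pos + 1]]);
        let ext_len = u16::from_le_bytes([data[pos + 2], data[pos + 3]]) as usize;
        if ext_type == EXT_UNINITIALIZED {
            break; // zeroed tail marks the end of initialized extensions
        }
        if ext_type == EXT_IMMUTABLE_OWNER {
            return ExtCheck::Present;
        }
        pos += 4 + ext_len;
        if pos > data.len() {
            return ExtCheck::Malformed; // declared length exceeds the account
        }
    }
    ExtCheck::Missing
}

/// Constructed sample: zeroed base account, Account type byte, then TLV bytes.
pub fn sample_account(tlv: &[u8]) -> Vec<u8> {
    let mut data = vec![0u8; BASE_ACCOUNT_LEN];
    data.push(ACCOUNT_TYPE_ACCOUNT);
    data.extend_from_slice(tlv);
    data
}
```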
Example JSON Finding
{
    "detector": "token2022-immutable-owner",
    "severity": "high",
    "confidence": 0.65,
    "message": "Token account initialized without Immutable Owner extension",
    "location": { "function": "init_vault", "block": 0, "statement": 2 }
}
Detection Methodology
- Initialization detection: Identifies Token-2022 account initialization CPI calls.
- Extension check search: Verifies whether Immutable Owner extension is initialized.
- SetAuthority detection: Flags SetAuthority CPI calls on accounts that should be immutable.
- Owner modification tracking: Identifies direct owner field writes on token accounts.
Limitations
- False positives: token accounts where owner changeability is intentional.
- False negatives: the extension is initialized in a separate transaction, before the program under analysis runs.
Related Detectors
- Token-2022 Transfer Fee Bypass — transfer fee issues
- Token Extension Security — general Token-2022 extension security