Token-2022 Transfer Fee Bypass
Detects token transfers that do not account for Token-2022 transfer fees.
Overview
The Token-2022 transfer fee bypass detector identifies programs that perform token transfers via CPI to the Token-2022 program and then validate the resulting balance change with an exact comparison that ignores the Transfer Fee extension. When transfer fees are enabled, the receiver is credited amount - fee, so a program that expects exactly amount either aborts or records an incorrect balance.
For remediation guidance, see Token-2022 Transfer Fee Bypass Remediation.
Why This Is an Issue
Token-2022’s Transfer Fee extension deducts a configurable fee from each transfer. Programs that validate balance_after == balance_before + amount will fail or create incorrect state because the actual received amount is amount - fee. This can cause stuck transactions, incorrect accounting in lending protocols, and exploitable balance discrepancies.
How to Resolve
Before (Vulnerable)
```rust
let balance_before = destination.amount;
token_2022::transfer(ctx, amount)?;
destination.reload()?;
// Fails whenever a fee is withheld: the account only received amount - fee
require!(destination.amount == balance_before + amount, Mismatch);
```
After (Fixed)
```rust
let balance_before = destination.amount;
token_2022::transfer(ctx, amount)?;
destination.reload()?;
// Account for the transfer fee: measure what actually arrived instead of assuming `amount`
let received = destination.amount - balance_before;
// Never more than was sent ...
require!(received <= amount, Mismatch);
// ... and never less than `amount` minus the largest fee the program tolerates
// (MAX_FEE_BPS in basis points; use checked or u128 arithmetic for very large amounts)
require!(received >= amount * (10000 - MAX_FEE_BPS) / 10000, FeeTooHigh);
```
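As an added example (not code from the page or from the detector project), the following stand-alone Rust models the Token-2022 fee rule (fee = ceil(amount * bps / 10000), capped at maximum_fee) and runs both the exact check and the fee-tolerant check from above against it; the TransferFee struct, CheckError and the function names are illustrative, not the spl-token-2022 crate's API.

```rust
// Added example, not from the page or the detector project. The fee rule mirrors
// Token-2022's TransferFee: fee = ceil(amount * bps / 10_000), capped at maximum_fee.
const ONE_IN_BASIS_POINTS: u128 = 10_000;

pub struct TransferFee {
    pub transfer_fee_basis_points: u16,
    pub maximum_fee: u64,
}

impl TransferFee {
    /// Fee withheld from a transfer of `amount` (assumed model of the on-chain rule).
    pub fn calculate_fee(&self, amount: u64) -> Option<u64> {
        let bps = self.transfer_fee_basis_points as u128;
        if bps == 0 || amount == 0 {
            return Some(0);
        }
        let raw = ((amount as u128).checked_mul(bps)? + ONE_IN_BASIS_POINTS - 1) / ONE_IN_BASIS_POINTS;
        if raw > u64::MAX as u128 { None } else { Some((raw as u64).min(self.maximum_fee)) }
    }
    /// What the destination account is actually credited.
    pub fn received(&self, amount: u64) -> Option<u64> {
        amount.checked_sub(self.calculate_fee(amount)?)
    }
}

#[derive(Debug, PartialEq)]
pub enum CheckError { Mismatch, FeeTooHigh, Overflow }

/// Vulnerable pattern: exact equality fails whenever any fee is withheld.
pub fn exact_check(before: u64, after: u64, amount: u64) -> Result<(), CheckError> {
    let expected = before.checked_add(amount).ok_or(CheckError::Overflow)?;
    if after == expected { Ok(()) } else { Err(CheckError::Mismatch) }
}

/// Fixed pattern: measure what arrived and bound it by a fee budget in basis points.
pub fn fee_aware_check(before: u64, after: u64, amount: u64, max_fee_bps: u16) -> Result<(), CheckError> {
    let received = after.checked_sub(before).ok_or(CheckError::Mismatch)?;
    if received > amount {
        return Err(CheckError::Mismatch); // more than was sent: something else credited the account
    }
    let min_received = amount as u128 * ONE_IN_BASIS_POINTS.saturating_sub(max_fee_bps as u128) / ONE_IN_BASIS_POINTS;
    if (received as u128) < min_received { Err(CheckError::FeeTooHigh) } else { Ok(()) }
}

fn main() {
    let fee = TransferFee { transfer_fee_basis_points: 50, maximum_fee: 1_000_000 };
    let after = fee.received(1_000_000).unwrap(); // constructed sample, balance_before = 0
    println!("exact:     {:?}", exact_check(0, after, 1_000_000));
    println!("fee-aware: {:?}", fee_aware_check(0, after, 1_000_000, 100));
}
```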
Example JSON Finding
```json
{
  "detector": "token2022-transfer-fee-bypass",
  "severity": "high",
  "confidence": 0.7,
  "message": "Post-transfer balance checked with exact equality -- does not account for Token-2022 fees",
  "location": { "function": "deposit", "block": 2, "statement": 4 }
}
```
Detection Methodology
- CPI transfer tracking: Identifies CPI token transfer operations.
- Post-transfer comparison: Detects exact equality comparisons on account balances after transfers.
- Fee awareness check: Verifies whether the comparison accounts for potential transfer fee deductions.
Limitations
- False positives: Programs exclusively using SPL Token (not Token-2022) do not have transfer fees.
- False negatives: Custom fee calculation patterns may not be recognized.
Related Detectors
- Token-2022 Immutable Owner — immutable owner extension
- Token Extension Security — general Token-2022 issues
- SPL Token Compliance — token standard compliance