Token-2022 Extensions Remediation
How to fix Token-2022 extension vulnerabilities.
Overview
Related Detector: Token-2022 Extensions
Token-2022 extensions such as transfer hooks, transfer fees, and confidential transfers change how a transfer must be performed, so each one needs specific validation. The fix is to inspect the mint for active extensions before every transfer and handle each one appropriately: pass the hook program and its extra accounts when a hook is set, and account for the fee the mint withholds when a fee is configured.
Recommended Fix
Before (Vulnerable)

```rust
// Ignores Token-2022 extensions entirely: the legacy Token program instruction
// carries no hook accounts and accounts for no transfer fee
let ix = spl_token::instruction::transfer(...)?;
invoke(&ix, accounts)?;
```
After (Fixed)

```rust
use solana_program::{clock::Clock, program_error::ProgramError, sysvar::Sysvar};
use spl_token_2022::{
    extension::{transfer_fee::TransferFeeConfig, transfer_hook, BaseStateWithExtensions, StateWithExtensions},
    state::Mint,
};

// Check for a transfer hook on the mint
if let Some(hook_program) = transfer_hook::get_program_id(mint)? {
    // The hook program and its extra account metas must be passed to the CPI;
    // use transfer_checked with hook support rather than a plain transfer
}

// Account for transfer fees
let mint_data = mint.data.borrow();
let mint_state = StateWithExtensions::<Mint>::unpack(&mint_data)?;
let net_amount = match mint_state.get_extension::<TransferFeeConfig>() {
    Ok(fee_config) => {
        let fee = fee_config
            .calculate_epoch_fee(Clock::get()?.epoch, amount)
            .ok_or(ProgramError::InvalidArgument)?;
        // checked_sub returns Option, so map None to an error instead of using `?` on it
        amount.checked_sub(fee).ok_or(ProgramError::InsufficientFunds)?
    }
    Err(_) => amount, // mint has no TransferFeeConfig extension
};
```
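To make the "inspect the mint before transferring" step concrete, here is an added example (not code from the page or from the spl-token-2022 project) that hand parses a constructed Token-2022 mint buffer, reports whether the TransferHook and TransferFeeConfig extensions are present, and computes the fee and net amount with checked arithmetic. It assumes the spl-token-2022 account layout as the editor understands it (a 165-byte padded base, an account-type byte, then TLV entries with extension type ids 1 and 14), and the sample mint is constructed in the block, not real chain data. A real program should unpack with `StateWithExtensions::<Mint>::unpack` and let `calculate_epoch_fee` do the math; the rounding-up, fee cap and epoch-schedule selection below are what that call does for you.

```rust
// Added example (not from the page): hand parse of a Token-2022 mint's TLV extension
// region plus the transfer-fee math. Layout constants follow spl-token-2022 as the
// editor understands it (assumption); on chain use StateWithExtensions::<Mint>::unpack.
const BASE_ACCOUNT_LEN: usize = 165; // legacy Account size; extended mints are padded to it
const ACCOUNT_TYPE_MINT: u8 = 1; // account-type byte at offset 165: 1 = Mint, 2 = Account
const EXT_TRANSFER_FEE_CONFIG: u16 = 1; // ExtensionType::TransferFeeConfig
const EXT_TRANSFER_HOOK: u16 = 14; // ExtensionType::TransferHook
const ONE_IN_BASIS_POINTS: u128 = 10_000;

/// One fee schedule: epoch u64 | maximum_fee u64 | transfer_fee_basis_points u16 (18 bytes).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct TransferFee { pub epoch: u64, pub maximum_fee: u64, pub basis_points: u16 }

#[derive(Debug, Default, PartialEq, Eq)]
pub struct MintExtensions {
    pub transfer_hook_program: Option<[u8; 32]>, // None: no hook extension, or program unset
    pub older_fee: Option<TransferFee>,
    pub newer_fee: Option<TransferFee>,
}
fn u16_at(d: &[u8], at: usize) -> Result<u16, &'static str> {
    d.get(at..at + 2).map(|b| u16::from_le_bytes([b[0], b[1]])).ok_or("truncated u16")
}
fn u64_at(d: &[u8], at: usize) -> Result<u64, &'static str> {
    let b = d.get(at..at + 8).ok_or("truncated u64")?;
    Ok(u64::from_le_bytes(b.try_into().unwrap()))
}
fn fee_at(d: &[u8], at: usize) -> Result<TransferFee, &'static str> {
    Ok(TransferFee { epoch: u64_at(d, at)?, maximum_fee: u64_at(d, at + 8)?, basis_points: u16_at(d, at + 16)? })
}
/// Walk the TLV entries (type u16 LE, length u16 LE, body) and record the ones that change a transfer.
pub fn parse_mint_extensions(data: &[u8]) -> Result<MintExtensions, &'static str> {
    let mut exts = MintExtensions::default();
    if data.len() <= BASE_ACCOUNT_LEN {
        return Ok(exts); // legacy-sized mint: no extensions can be present
    }
    if data[BASE_ACCOUNT_LEN] != ACCOUNT_TYPE_MINT {
        return Err("account type byte is not Mint");
    }
    let mut pos = BASE_ACCOUNT_LEN + 1;
    while pos + 4 <= data.len() {
        let ext_type = u16_at(data, pos)?;
        if ext_type == 0 { break; } // Uninitialized entry: end of the TLV data
        let len = u16_at(data, pos + 2)? as usize;
        let body = data.get(pos + 4..pos + 4 + len).ok_or("truncated extension body")?;
        match ext_type {
            EXT_TRANSFER_HOOK => {
                // authority (32) | program_id (32); an all-zero program_id means no hook is set
                if len != 64 { return Err("bad TransferHook length"); }
                let mut pk = [0u8; 32];
                pk.copy_from_slice(&body[32..]);
                exts.transfer_hook_program = if pk == [0u8; 32] { None } else { Some(pk) };
            }
            EXT_TRANSFER_FEE_CONFIG => {
                // config authority (32) | withdraw authority (32) | withheld (8) | older (18) | newer (18)
                if len != 108 { return Err("bad TransferFeeConfig length"); }
                exts.older_fee = Some(fee_at(body, 72)?);
                exts.newer_fee = Some(fee_at(body, 90)?);
            }
            _ => {} // other extensions do not alter the transferred amount
        }
        pos += 4 + len;
    }
    Ok(exts)
}

/// ceil(amount * bps / 10_000) capped at maximum_fee, as TransferFee::calculate_fee computes it.
pub fn calculate_fee(fee: &TransferFee, amount: u64) -> Option<u64> {
    if fee.basis_points == 0 || amount == 0 { return Some(0); }
    let numerator = (amount as u128).checked_mul(fee.basis_points as u128)?;
    let raw = numerator.checked_add(ONE_IN_BASIS_POINTS - 1)? / ONE_IN_BASIS_POINTS;
    u64::try_from(raw.min(fee.maximum_fee as u128)).ok()
}

/// Amount the destination receives; errors rather than wrapping if the fee exceeds the amount.
pub fn net_transfer_amount(exts: &MintExtensions, amount: u64, epoch: u64) -> Result<u64, &'static str> {
    let fee = match (exts.older_fee, exts.newer_fee) {
        (Some(older), Some(newer)) => {
            let active = if epoch >= newer.epoch { newer } else { older }; // newer applies from its epoch
            calculate_fee(&active, amount).ok_or("fee overflow")?
        }
        _ => 0, // no TransferFeeConfig extension: nothing is withheld
    };
    amount.checked_sub(fee).ok_or("fee exceeds amount")
}

/// Constructed sample mint buffer (not real chain data) carrying both extensions.
pub fn sample_mint(hook_program: [u8; 32], older: TransferFee, newer: TransferFee) -> Vec<u8> {
    let fee_bytes = |f: &TransferFee| [&f.epoch.to_le_bytes()[..], &f.maximum_fee.to_le_bytes()[..], &f.basis_points.to_le_bytes()[..]].concat();
    let tlv = |ty: u16, body: &[u8]| [&ty.to_le_bytes()[..], &(body.len() as u16).to_le_bytes()[..], body].concat();
    let fee_body = [vec![0u8; 72], fee_bytes(&older), fee_bytes(&newer)].concat(); // authorities + withheld zeroed
    let hook_body = [vec![0u8; 32], hook_program.to_vec()].concat(); // zero authority, then program id
    [vec![0u8; BASE_ACCOUNT_LEN], vec![ACCOUNT_TYPE_MINT], tlv(EXT_TRANSFER_FEE_CONFIG, &fee_body[..]), tlv(EXT_TRANSFER_HOOK, &hook_body[..])].concat()
}

fn main() {
    let (older, newer) = (TransferFee { epoch: 0, maximum_fee: 5_000, basis_points: 100 }, TransferFee { epoch: 10, maximum_fee: 1_000, basis_points: 250 });
    let exts = parse_mint_extensions(&sample_mint([7u8; 32], older, newer)).unwrap();
    println!("{:?} net at epoch 5: {:?}", exts, net_transfer_amount(&exts, 1_000_001, 5));
}
```

Two details matter for auditing fee handling. The fee rounds up, so a 1-unit transfer on a mint with any non-zero basis points still pays 1 unit; code that computes `amount * bps / 10_000` with floor division under-estimates what the mint withholds and will see the destination credited less than it expects. And `checked_sub` returns an `Option`, which is why the net amount is mapped to an error with `ok_or` rather than passed through `?` in a function that returns a `Result`.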
Alternative Mitigations
1. Use Token-2022 helper functions

```rust
use spl_token_2022::onchain::invoke_transfer_checked;

// Resolves the transfer hook's extra account metas and issues transfer_checked;
// the mint withholds any configured transfer fee itself
invoke_transfer_checked(
    &spl_token_2022::id(),
    source.clone(),
    mint.clone(),
    dest.clone(),
    authority.clone(),
    extra_account_metas, // remaining account infos: hook program and its extra metas
    amount,
    decimals,
    &[], // signer seeds; empty when the authority signs the transaction directly
)?;
```
2. Anchor Token-2022 support
Use anchor-spl’s Token-2022 integration which handles extensions automatically.
Common Mistakes
Mistake 1: Using Token program instructions for Token-2022 mints

```rust
// WRONG: Token program CPI does not support Token-2022 extensions
// Use spl_token_2022 instructions instead
```

Mistake 2: Not resolving extra account metas for transfer hooks

```rust
// INCOMPLETE: hook requires additional accounts
// Must call resolve_extra_transfer_account_metas before transfer
```