SPL Token Freeze Burn Validation Remediation
How to fix unsafe freeze and burn operations in Solana programs.
Overview
Related Detector: SPL Token Freeze Burn Validation
Missing authority validation on freeze/burn operations allows unauthorized account freezing or token destruction. The fix requires verifying the correct authority (the mint's freeze_authority for freeze/thaw; the token account's owner, or its delegate within delegated_amount, for burn) and checking the balance before a burn. Note that the SPL Token program itself rejects a freeze or burn whose authority did not sign or does not match the stored authority, so the exploitable case is a program that holds the authority (typically a PDA) and signs the CPI with invoke_signed on behalf of any caller, or that otherwise forwards a CPI without checking who asked for it. The checks below gate who may trigger that operation and act as defense in depth in the direct-signer case.
Recommended Fix
Before (Vulnerable)
// No authority validation: `authority` is whatever account the caller supplied,
// and nothing binds it to the mint's freeze_authority before the CPI is issued
let ix = spl_token::instruction::freeze_account(
    &spl_token::id(), token_account.key, mint.key, authority.key, &[],
)?;
invoke(&ix, accounts)?;
After (Fixed)
use solana_program::{
    program::invoke, program_error::ProgramError, program_option::COption, program_pack::Pack,
};
use spl_token::state::Mint;

// Validate freeze authority before issuing the CPI
if !authority.is_signer {
    return Err(ProgramError::MissingRequiredSignature);
}
// Only trust mint data that the SPL Token program owns
if mint.owner != &spl_token::id() {
    return Err(ProgramError::IncorrectProgramId);
}
let mint_data = Mint::unpack(&mint.data.borrow())?;
if mint_data.freeze_authority != COption::Some(*authority.key) {
    return Err(ProgramError::InvalidAccountData);
}
let ix = spl_token::instruction::freeze_account(
    &spl_token::id(), token_account.key, mint.key, authority.key, &[],
)?;
invoke(&ix, accounts)?;
Alternative Mitigations
1. Anchor constraints for freeze authority
use anchor_lang::prelude::*;
use anchor_lang::solana_program::program_option::COption;
use anchor_spl::token::{Mint, Token, TokenAccount};

#[derive(Accounts)]
pub struct FreezeToken<'info> {
    // Bind the token account to this mint so a caller cannot mix accounts
    #[account(mut, constraint = token_account.mint == mint.key())]
    pub token_account: Account<'info, TokenAccount>,
    // The signer must be the mint's freeze authority (not its mint authority)
    #[account(constraint = mint.freeze_authority == COption::Some(authority.key()))]
    pub mint: Account<'info, Mint>,
    pub authority: Signer<'info>,
    pub token_program: Program<'info, Token>,
}
2. Disable freeze authority
If freezing is not needed, remove the freeze authority entirely. This is irreversible: once the freeze authority is set to None it cannot be restored, and no account of that mint can ever be frozen or thawed again.
use spl_token::instruction::AuthorityType;

// Must be signed by the current freeze authority
let ix = spl_token::instruction::set_authority(
    &spl_token::id(), mint.key, None, AuthorityType::FreezeAccount, authority.key, &[],
)?;
invoke(&ix, accounts)?;
Common Mistakes
Mistake 1: Confusing freeze_authority with mint_authority
// WRONG: mint_authority controls minting, not freezing; a minter is not a freezer
if mint_data.mint_authority != COption::Some(*authority.key) { ... }
// CORRECT: freeze/thaw is gated by freeze_authority (a COption, not an Option)
if mint_data.freeze_authority != COption::Some(*authority.key) { ... }
Mistake 2: Not checking balance before burn
// INCOMPLETE: SPL Token rejects an over-burn with TokenError::InsufficientFunds,
// but an explicit check fails early with a clearer error for the caller
let account_data = spl_token::state::Account::unpack(&token_account.data.borrow())?;
if account_data.amount < burn_amount { return Err(spl_token::error::TokenError::InsufficientFunds.into()); }
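The rules discussed above (freeze/thaw gated by the mint's freeze_authority rather than mint_authority, burn gated by the owner or a delegate within delegated_amount, the balance check, and the frozen-account case) are collected here in one stand-alone model. This is an added example, not code from the page or from the spl-token crate: Pubkey, Mint, TokenAccount and TokenError are simplified stand-ins with the same field names, so it compiles without the solana_program or spl_token crates. A program that signs these CPIs on a caller's behalf can mirror exactly these checks before calling invoke_signed.

```rust
// Added example (not the page's or the spl-token crate's code): a self-contained
// model of the rules SPL Token enforces for FreezeAccount/ThawAccount/Burn, so a
// program can re-check them before signing such a CPI on a caller's behalf.
// Pubkey, Mint, TokenAccount and TokenError are simplified stand-ins; no
// solana_program or spl_token crate is required.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

impl Pubkey {
    /// Deterministic stand-in for a fresh keypair (constructed test data).
    pub fn from_seed(seed: u8) -> Self { Pubkey([seed; 32]) }
}

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum AccountState { Initialized, Frozen }

#[derive(Debug)]
pub struct Mint {
    pub mint_authority: Option<Pubkey>,   // may mint; NOT a freeze authority
    pub freeze_authority: Option<Pubkey>, // None once disabled (irreversible)
    pub supply: u64,
}

#[derive(Debug)]
pub struct TokenAccount {
    pub mint: Pubkey,
    pub owner: Pubkey,
    pub amount: u64,
    pub delegate: Option<Pubkey>,
    pub delegated_amount: u64,
    pub state: AccountState,
}

#[derive(Debug, PartialEq, Eq)]
pub enum TokenError {
    MissingRequiredSignature, MintCannotFreeze, OwnerMismatch,
    MintMismatch, InvalidState, AccountFrozen, InsufficientFunds,
}

/// Freeze (`freeze == true`) or thaw `account`: the signer must equal the mint's
/// freeze_authority, the account must belong to `mint_key`, and the transition
/// must be Initialized->Frozen or Frozen->Initialized.
pub fn freeze_or_thaw(mint: &Mint, mint_key: &Pubkey, account: &mut TokenAccount,
                      authority: &Pubkey, signed: bool, freeze: bool) -> Result<(), TokenError> {
    if !signed { return Err(TokenError::MissingRequiredSignature); }
    if account.mint != *mint_key { return Err(TokenError::MintMismatch); }
    match mint.freeze_authority {
        None => return Err(TokenError::MintCannotFreeze),
        Some(fa) if fa != *authority => return Err(TokenError::OwnerMismatch),
        Some(_) => {}
    }
    account.state = match (freeze, account.state) {
        (true, AccountState::Initialized) => AccountState::Frozen,
        (false, AccountState::Frozen) => AccountState::Initialized,
        _ => return Err(TokenError::InvalidState),
    };
    Ok(())
}

/// Burn `amount` from `account`: not frozen, signed by the owner or by the
/// delegate within its delegated_amount, and covered by the balance. A delegate's
/// allowance is consumed and cleared at zero, as the SPL Token processor does.
pub fn burn(mint: &mut Mint, mint_key: &Pubkey, account: &mut TokenAccount,
            authority: &Pubkey, signed: bool, amount: u64) -> Result<(), TokenError> {
    if !signed { return Err(TokenError::MissingRequiredSignature); }
    if account.state == AccountState::Frozen { return Err(TokenError::AccountFrozen); }
    if account.mint != *mint_key { return Err(TokenError::MintMismatch); }
    if account.amount < amount { return Err(TokenError::InsufficientFunds); }
    if *authority != account.owner {
        // Not the owner: must be the delegate, and only up to its allowance.
        if account.delegate != Some(*authority) { return Err(TokenError::OwnerMismatch); }
        if account.delegated_amount < amount { return Err(TokenError::InsufficientFunds); }
        account.delegated_amount -= amount;
        if account.delegated_amount == 0 { account.delegate = None; }
    }
    account.amount -= amount;
    mint.supply -= amount;
    Ok(())
}

fn main() {
    // Constructed data: one mint, one token account, distinct mint and freeze authorities.
    let (mint_key, fa, ma, owner) =
        (Pubkey::from_seed(1), Pubkey::from_seed(2), Pubkey::from_seed(3), Pubkey::from_seed(4));
    let mut mint = Mint { mint_authority: Some(ma), freeze_authority: Some(fa), supply: 1000 };
    let mut acct = TokenAccount { mint: mint_key, owner, amount: 500, delegate: None,
                                  delegated_amount: 0, state: AccountState::Initialized };
    // Mistake 1 from the page: the mint_authority is not a freeze authority.
    println!("freeze by mint_authority:   {:?}", freeze_or_thaw(&mint, &mint_key, &mut acct, &ma, true, true));
    println!("freeze by freeze_authority: {:?}", freeze_or_thaw(&mint, &mint_key, &mut acct, &fa, true, true));
    println!("burn while frozen:          {:?}", burn(&mut mint, &mint_key, &mut acct, &owner, true, 1));
}
```

The order of checks follows what matters for an auditor: the signature is required before anything else, a frozen account cannot be burned from at all, and a delegate's burn is bounded by delegated_amount independently of the account balance.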