SPL Token Transfer Hooks Remediation
How to fix transfer hook vulnerabilities in Token-2022 programs.
SPL Token Transfer Hooks Remediation
Overview
Related Detector: SPL Token Transfer Hooks
Transfer hook vulnerabilities allow bypassing custom transfer logic, reentrancy attacks, or circular dependencies. The fix requires using Token-2022 transfer instructions that invoke hooks and properly resolving extra account metas.
Recommended Fix
Before (Vulnerable)
// Uses standard Token transfer -- bypasses any transfer hooks
spl_token::instruction::transfer(...)?;After (Fixed)
// Use Token-2022 transfer_checked which invokes hooks
let extra_metas = resolve_extra_transfer_account_metas(&mint_data, ...)?;
spl_token_2022::onchain::invoke_transfer_checked(
&spl_token_2022::id(), source, mint, dest, authority,
&extra_metas, amount, decimals,
)?;Alternative Mitigations
1. Check for hook before choosing transfer method
let has_hook = get_transfer_hook_program_id(&mint_data)?.is_some();
if has_hook {
// Use Token-2022 path with hooks
} else {
// Standard transfer is safe
}2. Reentrancy guard in hook implementation
// In your transfer hook program:
let state = load_state()?;
require!(!state.in_hook, ReentrancyDetected);
state.in_hook = true;
// ... hook logic ...
state.in_hook = false;Common Mistakes
Mistake 1: Using Token program for Token-2022 mints
// WRONG: Token program CPI does not trigger hooks
invoke(&spl_token::instruction::transfer(...), accounts)?;
// CORRECT: Use spl_token_2022 instructionMistake 2: Not resolving extra account metas
// INCOMPLETE: hook expects additional accounts
// Must call resolve_extra_transfer_account_metas first