Token Extension Security Remediation
How to fix Token-2022 extension security misconfigurations.
Overview
Related Detector: Token Extension Security
Misconfigured Token-2022 extensions create bypass opportunities. The fix is to validate amounts, recipients, and authorities in all extension hooks and operations.
Recommended Fix
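// Transfer hook with full validation
pub fn execute_hook(ctx: Context<Hook>, amount: u64) -> Result<()> {
    // Amount: reject transfers above the configured limit
    require!(amount <= MAX_TRANSFER, ExceedsLimit);
    // Recipient: reject blacklisted destinations
    require!(!is_blacklisted(&ctx.accounts.destination), Blacklisted);
    // Source: its owner must match the expected program
    require!(ctx.accounts.source.owner == expected_program, InvalidSource);
    Ok(())
}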
Common Mistakes
Mistake: Empty Transfer Hook
// WRONG: hook does nothing -- defeats purpose of the extension
pub fn execute_hook(_ctx: Context<Hook>) -> Result<()> {
    Ok(()) // No validation at all
}
If a transfer hook is configured, it should perform meaningful validation.
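One way to keep a hook from silently regressing into the empty form is to factor its checks into a pure function and cover every rejection path with a test. The block below is an added example, not code from the original page or from any Token-2022 project; `Key`, `Transfer`, `HookError`, the limit value and the program key are hypothetical stand-ins built on the standard library only.

```rust
use std::collections::HashSet;

// Hypothetical stand-ins: a 32-byte key, an assumed limit, a constructed program key.
type Key = [u8; 32];
const MAX_TRANSFER: u64 = 1_000_000;
const EXPECTED_PROGRAM: Key = [7u8; 32]; // placeholder, not a real program id

#[derive(Debug, PartialEq)]
pub enum HookError { ExceedsLimit, Blacklisted, InvalidSource }

/// Plain-data view of the fields the hook inspects.
pub struct Transfer { pub amount: u64, pub source_owner: Key, pub destination: Key }

/// The three checks from the recommended fix, as a pure function.
pub fn validate(t: &Transfer, blacklist: &HashSet<Key>) -> Result<(), HookError> {
    if t.amount > MAX_TRANSFER { return Err(HookError::ExceedsLimit); }
    if blacklist.contains(&t.destination) { return Err(HookError::Blacklisted); }
    if t.source_owner != EXPECTED_PROGRAM { return Err(HookError::InvalidSource); }
    Ok(())
}

/// The "empty hook" mistake with the same signature, for comparison.
pub fn validate_empty(_t: &Transfer, _blacklist: &HashSet<Key>) -> Result<(), HookError> {
    Ok(())
}

/// Constructed cases: the boundary amount plus one case per rejection path.
pub fn cases() -> Vec<(Transfer, Result<(), HookError>)> {
    let mk = |amount: u64, source_owner: Key, destination: Key| Transfer { amount, source_owner, destination };
    vec![
        (mk(MAX_TRANSFER, EXPECTED_PROGRAM, [1; 32]), Ok(())),
        (mk(MAX_TRANSFER + 1, EXPECTED_PROGRAM, [1; 32]), Err(HookError::ExceedsLimit)),
        (mk(1, EXPECTED_PROGRAM, [9; 32]), Err(HookError::Blacklisted)),
        (mk(1, [0; 32], [1; 32]), Err(HookError::InvalidSource)),
    ]
}

/// Number of cases a validator answers incorrectly; [9; 32] is the blacklisted key.
pub fn failures(v: fn(&Transfer, &HashSet<Key>) -> Result<(), HookError>) -> usize {
    let mut blacklist: HashSet<Key> = HashSet::new();
    blacklist.insert([9u8; 32]);
    cases().into_iter().filter(|(t, want)| v(t, &blacklist) != *want).count()
}

fn main() {
    println!("validating hook: {} wrong", failures(validate));
    println!("empty hook: {} wrong", failures(validate_empty));
}
```

The empty hook passes only the case that should succeed, so a test suite with one case per rejection path fails as soon as a check is removed.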