Skip to main content
Sigvex

Token-2022 Extensions

Detects Token-2022 extension vulnerabilities including transfer hooks, fees, and confidential transfers.

Token-2022 Extensions

Overview

Remediation Guide: How to Fix Token-2022 Extensions

The Token-2022 extensions detector identifies security issues in programs using SPL Token-2022 extensions including transfer hooks, transfer fees, confidential transfers, and interest-bearing tokens. These extensions introduce new attack surfaces that require specific validation beyond standard SPL Token checks.

Why This Is an Issue

Token-2022 extensions add powerful features but also new vulnerability classes:

  • Transfer hook bypass: Transferring tokens without invoking the required transfer hook program, bypassing compliance or fee logic
  • Transfer fee bypass: Not accounting for transfer fees, causing incorrect amount calculations
  • Confidential transfer without proofs: Using confidential transfer extensions without proper zero-knowledge proof validation
  • Interest calculation overflow: Interest-bearing token calculations that overflow during compounding
  • Extension data tampering: Using extension data without validation

CWE mapping: CWE-345 (Insufficient Verification of Data Authenticity).

How to Resolve

use spl_token_2022::extension::transfer_hook;

pub fn transfer_with_hook(accounts: &[AccountInfo], amount: u64) -> ProgramResult {
    // Validate transfer hook program account
    let mint_data = accounts[2].data.borrow();
    if let Ok(hook_ext) = transfer_hook::get_hook_program_id(&mint_data) {
        if let Some(hook_program_id) = hook_ext {
            // Ensure hook program is included and validated
            let hook_program = &accounts[3];
            if hook_program.key != &hook_program_id {
                return Err(ProgramError::InvalidAccountData);
            }
        }
    }

    // Use transfer_checked which respects transfer hooks
    // ...
    Ok(())
}

Examples

Sample Sigvex Output

{
  "detector_id": "spl-token-2022-extensions",
  "severity": "high",
  "confidence": 0.78,
  "description": "Token-2022 transfer operation without transfer hook validation. The mint may have a transfer hook that is being bypassed.",
  "location": { "function": "transfer_tokens", "offset": 3 }
}

Detection Methodology

  1. Token-2022 identification: Detects CPI calls targeting the Token-2022 program ID.
  2. Extension analysis: Identifies operations that involve Token-2022 specific extensions (transfer hooks, fees, confidential transfers).
  3. Hook validation: Checks whether transfer operations include proper hook program validation.
  4. Fee accounting: Verifies that transfer fee calculations are present when the mint has a fee extension.

Limitations

  • Token-2022 extension detection depends on recognizing the Token-2022 program ID in CPI calls.
  • Extension-specific validation patterns vary widely and may not all be recognized.
  • The detector cannot determine which extensions are enabled on a specific mint without runtime state.

References