Skip to main content
Sigvex

SPL Token Delegation Chain Depth

Detects excessive delegation chain depth that increases attack surface and complexity.

SPL Token Delegation Chain Depth

Overview

Remediation Guide: How to Fix SPL Token Delegation Chain Depth

The delegation chain depth detector identifies functions that create deep delegation chains where User A delegates to B, B delegates to C, and so on. Chains exceeding 3 hops increase attack surface, make auditing difficult, and complicate access control reasoning. Chains of 5 or more hops are flagged at high severity.

Why This Is an Issue

Deep delegation chains create compounding security risks:

  • Expanded attack surface: Compromise at any hop affects all downstream delegates
  • Audit complexity: Each hop must be verified independently, making security reviews difficult
  • Principle of least privilege violation: Deep chains accumulate permissions across many actors
  • Revocation complexity: Revoking at the root may not propagate to all downstream delegates

The recommended maximum delegation depth is 3 hops.

CWE mapping: CWE-269 (Improper Privilege Management).

How to Resolve

pub fn approve_delegate(accounts: &[AccountInfo], amount: u64) -> ProgramResult {
    let token_account = &accounts[0];
    let delegate = &accounts[1];
    let authority = &accounts[2];

    // Enforce maximum delegation depth
    let current_depth = get_delegation_depth(token_account)?;
    if current_depth >= MAX_DELEGATION_DEPTH {
        return Err(ProgramError::Custom(ErrorCode::ExcessiveDelegationDepth as u32));
    }

    let ix = spl_token::instruction::approve(
        &spl_token::id(), token_account.key, delegate.key,
        authority.key, &[], amount,
    )?;
    invoke(&ix, accounts)?;
    Ok(())
}

Examples

Sample Sigvex Output

{
  "detector_id": "spl-token-delegation-chain-depth",
  "severity": "medium",
  "confidence": 0.78,
  "description": "Detected delegation chain with 4 hops, exceeding the recommended maximum of 3. Deep chains increase attack surface and complicate access control reasoning.",
  "location": { "function": "multi_delegate", "offset": 0 }
}

Detection Methodology

  1. Delegation graph construction: Builds a directed graph from Approve/ApproveChecked CPI operations, mapping delegator to delegate relationships.
  2. DFS depth calculation: Uses iterative depth-first search with cycle detection to find the maximum chain depth.
  3. Threshold reporting: Chains exceeding 3 hops generate medium-severity findings; chains exceeding 5 hops generate high-severity findings.

Limitations

  • Simplified HIR account extraction may not accurately represent delegation relationships from complex instruction layouts.
  • Cross-transaction delegation chains (where each hop is a separate transaction) are not tracked.
  • The detector analyzes single functions; delegation chains spanning multiple instructions are not visible.

References