Skip to main content
Sigvex

SPL Token Freeze Burn Validation

Detects unsafe freeze and burn operations with missing authority validation or balance checks.

SPL Token Freeze Burn Validation

Overview

Remediation Guide: How to Fix SPL Token Freeze Burn Validation

The freeze/burn validation detector identifies programs that perform FreezeAccount, ThawAccount, Burn, or BurnChecked operations without proper authority validation or balance checks. Missing freeze authority validation allows attackers to freeze legitimate user accounts, while missing burn authority checks enable unauthorized token destruction.

Why This Is an Issue

Freeze and burn operations have significant impact on token holders:

  • Unauthorized freeze: An attacker freezes user accounts, preventing transfers and causing denial of service
  • Unauthorized thaw: An attacker unfreezes accounts that were deliberately frozen for compliance or security
  • Unauthorized burn: An attacker burns tokens from accounts they do not own
  • Missing balance check: While the SPL Token program rejects insufficient burns at runtime, explicit checks provide better error handling

CWE mapping: CWE-863 (Incorrect Authorization), CWE-754 (Improper Check for Unusual Conditions).

How to Resolve

pub fn freeze_account(accounts: &[AccountInfo]) -> ProgramResult {
    let token_account = &accounts[0];
    let mint = &accounts[1];
    let freeze_authority = &accounts[2];

    // Validate token account ownership
    if token_account.owner != &spl_token::id() {
        return Err(ProgramError::IncorrectProgramId);
    }
    // Validate freeze authority is signer
    if !freeze_authority.is_signer {
        return Err(ProgramError::MissingRequiredSignature);
    }
    // Match against mint's freeze authority
    let mint_data = Mint::unpack(&mint.data.borrow())?;
    if mint_data.freeze_authority != COption::Some(*freeze_authority.key) {
        return Err(ProgramError::InvalidAccountData);
    }

    let ix = spl_token::instruction::freeze_account(
        &spl_token::id(), token_account.key, mint.key, freeze_authority.key, &[],
    )?;
    invoke(&ix, accounts)?;
    Ok(())
}

Examples

Sample Sigvex Output

{
  "detector_id": "spl-token-freeze-burn",
  "severity": "high",
  "confidence": 0.80,
  "description": "Freezing account without validating freeze authority. An attacker could pass an arbitrary account to freeze user tokens.",
  "location": { "function": "freeze_account", "offset": 1 }
}

Detection Methodology

  1. Operation classification: Identifies FreezeAccount (10), ThawAccount (11), Burn (8), and BurnChecked (15) CPI operations.
  2. Authority validation: Checks that freeze/burn authority accounts have been validated as signers and matched against expected values.
  3. Balance checking: For burn operations, looks for comparison operations that indicate pre-burn balance validation.
  4. Account validation: Verifies token accounts are validated before freeze/burn operations.

Limitations

  • Balance checks are heuristically detected and may not capture all validation patterns.
  • Authority matching via helper functions may not be tracked.
  • Combined freeze-then-burn attack patterns require cross-operation analysis.

References