Skip to main content
Sigvex

SPL Token Mint Authority

Detects mint authority vulnerabilities including missing validation and unlimited minting.

SPL Token Mint Authority

Overview

Remediation Guide: How to Fix SPL Token Mint Authority

The mint authority security detector identifies programs that perform MintTo or MintToChecked operations without properly validating the mint account, the mint authority signer, or enforcing supply caps. Unauthorized minting enables token inflation attacks that devalue existing holdings and can lead to protocol insolvency.

Why This Is an Issue

Mint authority controls token supply. Without proper validation:

  • Unauthorized minting: An attacker passes an arbitrary account as mint authority to create tokens from any mint they choose
  • Unvalidated mint account: An attacker passes a mint they control, receiving tokens for a worthless mint while the protocol treats them as valuable
  • No supply cap: Even with valid authority, unlimited minting causes inflation, devaluing existing tokens
  • Authority transfer: Unauthorized SetAuthority operations can permanently transfer minting capability to an attacker

CWE mapping: CWE-863 (Incorrect Authorization), CWE-770 (Allocation of Resources Without Limits).

How to Resolve

pub fn mint_tokens(accounts: &[AccountInfo], amount: u64) -> ProgramResult {
    let mint = &accounts[0];
    let destination = &accounts[1];
    let authority = &accounts[2];

    // Validate mint account is owned by Token program
    if mint.owner != &spl_token::id() { return Err(ProgramError::IncorrectProgramId); }
    // Validate it's the expected mint
    if mint.key != &EXPECTED_MINT { return Err(ProgramError::InvalidAccountData); }
    // Validate authority
    if !authority.is_signer { return Err(ProgramError::MissingRequiredSignature); }
    let mint_data = Mint::unpack(&mint.data.borrow())?;
    if mint_data.mint_authority != COption::Some(*authority.key) {
        return Err(ProgramError::InvalidAccountData);
    }
    // Enforce supply cap
    if mint_data.supply.checked_add(amount).ok_or(ProgramError::ArithmeticOverflow)? > MAX_SUPPLY {
        return Err(ProgramError::Custom(ErrorCode::SupplyCapExceeded as u32));
    }

    let ix = spl_token::instruction::mint_to(
        &spl_token::id(), mint.key, destination.key, authority.key, &[], amount,
    )?;
    invoke(&ix, accounts)?;
    Ok(())
}

Examples

Sample Sigvex Output

{
  "detector_id": "spl-token-mint-authority",
  "severity": "critical",
  "confidence": 0.80,
  "description": "Minting tokens without validating the mint authority. An attacker could pass an arbitrary account as the authority, allowing unauthorized minting.",
  "location": { "function": "mint_tokens", "offset": 1 }
}

Detection Methodology

  1. CPI classification: Identifies MintTo (discriminator 7), MintToChecked (14), and SetAuthority (6) operations.
  2. Validation tracking: Tracks owner, signer, and key validations for accounts used in mint operations.
  3. Authority verification: Checks that the authority account in MintTo operations has been validated as a signer and matched against expected values.
  4. Supply cap detection: Looks for comparison operations that indicate supply limit enforcement.

Limitations

  • Simplified account index extraction may not accurately identify authority accounts in complex CPI layouts.
  • Supply cap checks via external state queries or helper functions may not be detected.
  • PDA-based mint authority validation requires seed verification that may not be visible at the HIR level.

References