Skip to main content
Sigvex

SPL Token Transfer Hooks

Detects transfer hook vulnerabilities including bypass, reentrancy, and missing validation.

SPL Token Transfer Hooks

Overview

Remediation Guide: How to Fix SPL Token Transfer Hooks

The transfer hook security detector identifies vulnerabilities in Token-2022 transfer hook implementations and usage. Transfer hooks allow custom logic to execute during token transfers, but improper implementation or usage creates bypass opportunities, reentrancy risks, and circular dependency issues.

Why This Is an Issue

Transfer hooks are a Token-2022 extension that invokes a custom program during every token transfer. Security issues include:

  • Hook bypass: Using standard Token program transfer instead of Token-2022 transfer, bypassing the hook entirely
  • Missing extra account metas: Not providing required additional accounts that the hook expects, causing failures or partial execution
  • Hook reentrancy: A transfer hook that makes reentrant calls back into the token program
  • Circular dependencies: Hook programs that call back into the transferring program, creating infinite loops

CWE mapping: CWE-863 (Incorrect Authorization), CWE-696 (Incorrect Behavior Order).

How to Resolve

pub fn transfer_with_hooks(accounts: &[AccountInfo], amount: u64) -> ProgramResult {
    let mint = &accounts[2];

    // Check if mint has transfer hook extension
    let mint_data = mint.data.borrow();
    let hook_program_id = get_transfer_hook_program_id(&mint_data)?;

    if hook_program_id.is_some() {
        // Must use Token-2022 transfer_checked which invokes hooks
        // Must include extra account metas
        let extra_metas = resolve_extra_transfer_account_metas(
            &mint_data, accounts[0].key, mint.key, accounts[1].key,
            accounts[3].key, amount,
        )?;
        // Include extra_metas in CPI accounts
    }

    // Use invoke_transfer_checked for Token-2022
    invoke_transfer_checked(
        &spl_token_2022::id(), accounts[0].key, mint.key,
        accounts[1].key, accounts[3].key, &extra_accounts,
        amount, decimals,
    )?;
    Ok(())
}

Examples

Sample Sigvex Output

{
  "detector_id": "spl-token-transfer-hooks",
  "severity": "high",
  "confidence": 0.78,
  "description": "Transfer operation does not validate or invoke the transfer hook program. Token-2022 mints with transfer hooks require hook invocation on every transfer.",
  "location": { "function": "transfer_tokens", "offset": 2 }
}

Detection Methodology

  1. Transfer detection: Identifies token transfer CPI operations.
  2. Hook validation: Checks whether transfer operations include hook program validation when Token-2022 is involved.
  3. Extra account metas: Verifies that required additional accounts for hooks are resolved and included.
  4. Reentrancy analysis: Detects patterns where hook programs make CPI calls back to the transferring program.
  5. Circular dependency detection: Identifies bidirectional CPI relationships that could cause infinite loops.

Limitations

  • Determining whether a mint has a transfer hook extension requires runtime state not available at static analysis time.
  • Hook reentrancy detection is limited to single-function analysis.
  • Complex multi-program circular dependencies may not be fully detected.

References