Skip to main content
Sigvex

Token-2022 Immutable Owner

Detects Token-2022 Immutable Owner extension validation issues.

Token-2022 Immutable Owner

Overview

The Token-2022 Immutable Owner detector identifies vulnerabilities related to the Immutable Owner extension. This extension prevents token account owner reassignment after initialization. Programs that do not validate this extension properly can allow unauthorized owner changes on accounts that should be immutable, affecting custody programs, vaults, and multi-sig wallets.

For remediation guidance, see Token-2022 Immutable Owner Remediation.

Why This Is an Issue

When an account should have an immutable owner (e.g., a protocol-controlled vault), failing to enable the Immutable Owner extension at initialization allows the owner to be reassigned via SetAuthority. An attacker who gains temporary access to the current authority can permanently transfer ownership, bypassing future access controls.

How to Resolve

Before (Vulnerable)

// Vulnerable: initializes without immutable owner extension
token_2022::initialize_account3(
    ctx.accounts.token_program.key,
    ctx.accounts.vault.key,
    ctx.accounts.mint.key,
    ctx.accounts.authority.key,
)?;

After (Fixed)

// Fixed: enable immutable owner extension before initialization
token_2022::initialize_immutable_owner(
    ctx.accounts.token_program.key,
    ctx.accounts.vault.key,
)?;
token_2022::initialize_account3(
    ctx.accounts.token_program.key,
    ctx.accounts.vault.key,
    ctx.accounts.mint.key,
    ctx.accounts.authority.key,
)?;

Example JSON Finding

{
  "detector": "token2022-immutable-owner",
  "severity": "high",
  "confidence": 0.65,
  "message": "Token account initialized without Immutable Owner extension",
  "location": { "function": "init_vault", "block": 0, "statement": 2 }
}

Detection Methodology

  1. Initialization detection: Identifies Token-2022 account initialization CPI calls.
  2. Extension check search: Verifies whether Immutable Owner extension is initialized.
  3. SetAuthority detection: Flags SetAuthority CPI calls on accounts that should be immutable.
  4. Owner modification tracking: Identifies direct owner field writes on token accounts.

Limitations

False positives: Token accounts where owner changeability is intentional. False negatives: Extension initialization in separate transactions before the program under analysis.

References