Skip to main content
Sigvex

Token-2022 Extensions Remediation

How to fix Token-2022 extension vulnerabilities.

Token-2022 Extensions Remediation

Overview

Related Detector: Token-2022 Extensions

Token-2022 extensions introduce transfer hooks, fees, and confidential transfers that require specific validation. The fix involves checking for active extensions on each mint and handling them appropriately.

Before (Vulnerable)

// Ignores Token-2022 extensions entirely
let ix = spl_token::instruction::transfer(...)?;
invoke(&ix, accounts)?;

After (Fixed)

// Check for transfer hook
let mint_data = mint.data.borrow();
if let Some(hook_program) = get_transfer_hook_program_id(&mint_data)? {
    // Include hook program and extra account metas
    let extra_metas = resolve_extra_account_metas(&mint_data)?;
    // Use transfer_checked with hook support
}

// Account for transfer fees
if has_transfer_fee_extension(&mint_data)? {
    let fee = calculate_transfer_fee(amount, &mint_data)?;
    let net_amount = amount.checked_sub(fee)?;
}

Alternative Mitigations

1. Use Token-2022 helper functions

use spl_token_2022::onchain::invoke_transfer_checked;

// Handles hooks and fees automatically
invoke_transfer_checked(
    &spl_token_2022::id(), source, mint, dest, authority,
    extra_account_metas, amount, decimals,
)?;

2. Anchor Token-2022 support

Use anchor-spl’s Token-2022 integration which handles extensions automatically.

Common Mistakes

Mistake 1: Using Token program instructions for Token-2022 mints

// WRONG: Token program CPI does not support Token-2022 extensions
// Use spl_token_2022 instructions instead

Mistake 2: Not resolving extra account metas for transfer hooks

// INCOMPLETE: hook requires additional accounts
// Must call resolve_extra_transfer_account_metas before transfer

References