SPL Token Compliance Remediation
Overview
Related Detector: SPL Token Compliance
SPL Token standard violations cause wallet and exchange integration failures. The fix is to validate token program IDs, use the account-validation framework’s typed account wrappers, and follow standard token account ownership patterns.
Recommended Fix
#[derive(Accounts)]
pub struct TokenTransfer<'info> {
#[account(mut, token::authority = authority)]
pub source: Account<'info, TokenAccount>,
#[account(mut)]
pub destination: Account<'info, TokenAccount>,
pub authority: Signer<'info>,
pub token_program: Program<'info, Token>, // Enforces correct program ID
}
Alternative Mitigations
Manual Program ID Check
For native programs, explicitly validate:
require!(
*token_program.key == spl_token::id(),
ProgramError::IncorrectProgramId
);
Common Mistakes
Mistake: Accepting Any Program as Token Program
// WRONG: attacker can substitute a malicious program
invoke(&transfer_ix, &[source, dest, authority, any_program])?;
Always validate the token program key matches spl_token::id() or spl_token_2022::id().