Skip to main content
Sigvex

SPL Token Compliance Remediation

How to fix SPL Token standard compliance violations.

SPL Token Compliance Remediation

Overview

Related Detector: SPL Token Compliance

SPL Token standard violations cause wallet and exchange integration failures. The fix is to validate token program IDs, use the account-validation framework’s typed account wrappers, and follow standard token account ownership patterns.

#[derive(Accounts)]
pub struct TokenTransfer<'info> {
    #[account(mut, token::authority = authority)]
    pub source: Account<'info, TokenAccount>,
    #[account(mut)]
    pub destination: Account<'info, TokenAccount>,
    pub authority: Signer<'info>,
    pub token_program: Program<'info, Token>,  // Enforces correct program ID
}

Alternative Mitigations

Manual Program ID Check

For native programs, explicitly validate:

require!(
    *token_program.key == spl_token::id(),
    ProgramError::IncorrectProgramId
);

Common Mistakes

Mistake: Accepting Any Program as Token Program

// WRONG: attacker can substitute a malicious program
invoke(&transfer_ix, &[source, dest, authority, any_program])?;

Always validate the token program key matches spl_token::id() or spl_token_2022::id().

References