Skip to main content
Sigvex

SPL Token Freeze Burn Validation Remediation

How to fix unsafe freeze and burn operations in Solana programs.

SPL Token Freeze Burn Validation Remediation

Overview

Related Detector: SPL Token Freeze Burn Validation

Missing authority validation on freeze/burn operations allows unauthorized account freezing or token destruction. The fix requires verifying the correct authority (freeze_authority for freeze/thaw, owner/delegate for burn) and checking balances before burns.

Before (Vulnerable)

// No authority validation
let ix = spl_token::instruction::freeze_account(
    &spl_token::id(), token_account.key, mint.key, authority.key, &[],
)?;
invoke(&ix, accounts)?;

After (Fixed)

// Validate freeze authority
if !authority.is_signer { return Err(ProgramError::MissingRequiredSignature); }
let mint_data = Mint::unpack(&mint.data.borrow())?;
if mint_data.freeze_authority != COption::Some(*authority.key) {
    return Err(ProgramError::InvalidAccountData);
}

let ix = spl_token::instruction::freeze_account(
    &spl_token::id(), token_account.key, mint.key, authority.key, &[],
)?;
invoke(&ix, accounts)?;

Alternative Mitigations

1. an account-validation framework constraints for freeze authority

#[derive(Accounts)]
pub struct FreezeToken<'info> {
    #[account(mut)]
    pub token_account: Account<'info, TokenAccount>,
    #[account(constraint = mint.freeze_authority == COption::Some(authority.key()))]
    pub mint: Account<'info, Mint>,
    pub authority: Signer<'info>,
}

2. Disable freeze authority

If freezing is not needed, remove the freeze authority entirely:

spl_token::instruction::set_authority(
    &spl_token::id(), mint.key, None, AuthorityType::FreezeAccount, authority.key, &[],
)?;

Common Mistakes

Mistake 1: Confusing freeze_authority with mint_authority

// WRONG: using mint_authority for freeze operations
if mint_data.mint_authority != Some(*authority.key) { ... }
// CORRECT: use freeze_authority
if mint_data.freeze_authority != Some(*authority.key) { ... }

Mistake 2: Not checking balance before burn

// INCOMPLETE: SPL Token handles this, but explicit checks give better errors
// Add: require!(token_account.amount >= burn_amount)

References