Skip to main content
Sigvex

SPL Token Transfer Hooks Remediation

How to fix transfer hook vulnerabilities in Token-2022 programs.

SPL Token Transfer Hooks Remediation

Overview

Related Detector: SPL Token Transfer Hooks

Transfer hook vulnerabilities allow bypassing custom transfer logic, reentrancy attacks, or circular dependencies. The fix requires using Token-2022 transfer instructions that invoke hooks and properly resolving extra account metas.

Before (Vulnerable)

// Uses standard Token transfer -- bypasses any transfer hooks
spl_token::instruction::transfer(...)?;

After (Fixed)

// Use Token-2022 transfer_checked which invokes hooks
let extra_metas = resolve_extra_transfer_account_metas(&mint_data, ...)?;
spl_token_2022::onchain::invoke_transfer_checked(
    &spl_token_2022::id(), source, mint, dest, authority,
    &extra_metas, amount, decimals,
)?;

Alternative Mitigations

1. Check for hook before choosing transfer method

let has_hook = get_transfer_hook_program_id(&mint_data)?.is_some();
if has_hook {
    // Use Token-2022 path with hooks
} else {
    // Standard transfer is safe
}

2. Reentrancy guard in hook implementation

// In your transfer hook program:
let state = load_state()?;
require!(!state.in_hook, ReentrancyDetected);
state.in_hook = true;
// ... hook logic ...
state.in_hook = false;

Common Mistakes

Mistake 1: Using Token program for Token-2022 mints

// WRONG: Token program CPI does not trigger hooks
invoke(&spl_token::instruction::transfer(...), accounts)?;
// CORRECT: Use spl_token_2022 instruction

Mistake 2: Not resolving extra account metas

// INCOMPLETE: hook expects additional accounts
// Must call resolve_extra_transfer_account_metas first

References