Skip to main content
Sigvex

Swap Validation Remediation

How to fix missing validation in token swap operations.

Swap Validation Remediation

Overview

Related Detector: Swap Validation

Missing swap validation allows token theft and unauthorized operations. The fix is to validate token mints, amounts, ownership, authority, and deadline before executing any swap.

Before (Vulnerable)

let output = calculate_output(pool, amount)?;
token::transfer(ctx, output)?;

After (Fixed)

require!(amount > 0, ZeroAmount);
require!(clock.unix_timestamp <= deadline, Expired);
require!(source_mint == pool.token_a_mint, InvalidMint);
require!(source.owner == authority.key(), InvalidOwner);

let output = calculate_output(pool, amount)?;
require!(output >= min_out, SlippageExceeded);
token::transfer(ctx, output)?;

Alternative Mitigations

Anchor Constraint Validation

Use an account-validation framework constraints to enforce validation declaratively:

#[derive(Accounts)]
pub struct Swap<'info> {
    #[account(
        mut,
        constraint = source.mint == pool.token_a_mint @ InvalidMint,
        constraint = source.owner == authority.key() @ InvalidOwner,
    )]
    pub source: Account<'info, TokenAccount>,
    pub authority: Signer<'info>,
    #[account(mut)]
    pub pool: Account<'info, Pool>,
}

Common Mistakes

Mistake: Validating Only One Token

// WRONG: validates input mint but not output mint
require!(source_mint == pool.token_a_mint, InvalidMint);
// Attacker can specify wrong destination token account

Validate both input and output token mints.

References