Background
The EVM ecosystem has a wide variety of ERC20 tokens, and the high degree of freedom in their implementation has produced an equally wide variety of malicious tokens. These tokens usually embed malicious logic in their code (preventing users from selling, privileged minting or burning, etc.) in order to trick users into buying and then take their money.
To address this, Solana provides an official token template. To issue a token on Solana, you only fill in some basic information and deploy an SPL token, without writing any token logic.
Even so, there are still many malicious tokens on the Solana chain, each using different techniques to cheat token holders. This article therefore analyzes the dimensions along which we can judge whether an SPL/SPL2022 token carries security risks or shows malicious tendencies.
For background and definitions of SPL and SPL2022, read the official documentation:/token
SPL Token
SPL Documentation:/token
SPL Code:/solana-labs/solana-program-library/tree/master/token/program
The SPL token program implements 25 instructions, defined in instruction::TokenInstruction.
Grouped by function, the SPL token instructions are:
- Initialize token mint: InitializeMint, InitializeMint2 - initialize a new token mint account.
- Initialize token account: InitializeAccount, InitializeAccount2, InitializeAccount3 - initialize a new token holding account.
- Initialize multisignature: InitializeMultisig, InitializeMultisig2 - initialize a multisignature account.
- Transfer: Transfer, TransferChecked - transfer tokens between accounts.
- Approval: Approve, ApproveChecked - authorize a delegate to use a certain number of tokens.
- Revocation of approval: Revoke - revoke the delegate's authorization.
- Set authority: SetAuthority - change mint or account authorities.
- Mint tokens: MintTo, MintToChecked - mint new tokens to the designated account.
- Burn tokens: Burn, BurnChecked - burn tokens from the account.
- Close account: CloseAccount - close the token account and transfer the remaining SOL.
- Freeze/thaw account: FreezeAccount, ThawAccount - freeze or thaw a token account.
- Synchronize native tokens: SyncNative - synchronize the balance of a wrapped SOL account.
- Get account data size: GetAccountDataSize - get the required account size for the given mint.
- Initialize immutable owner: InitializeImmutableOwner - initialize the immutable owner extension for an account.
- Amount conversion: AmountToUiAmount, UiAmountToAmount - convert between the raw amount and the amount displayed in the UI.
We do not need to look at all of these instructions; we only need to focus on the ones that can create the conditions for abuse.
Special functions involving administrator privileges
- InitializeMint

```rust
InitializeMint {
    /// Number of base 10 digits to the right of the decimal place.
    decimals: u8,
    /// The authority/multisignature to mint tokens.
    mint_authority: Pubkey,
    /// The freeze authority/multisignature of the mint.
    freeze_authority: COption<Pubkey>,
},
```

  Parameter explanation:
  - decimals: the number of decimal places of the token.
  - mint_authority: the address of the token minting authority.
  - freeze_authority: the address of the authority that can freeze token accounts (optional).
- SetAuthority

```rust
SetAuthority {
    /// The type of authority to update.
    authority_type: AuthorityType,
    /// The new authority
    new_authority: COption<Pubkey>,
},
```

  Parameter explanation:
  - authority_type: the type of authority to change (there are four categories: MintTokens, FreezeAccount, AccountOwner, CloseAccount).
  - new_authority: the new authority address. If set to None, the authority is removed.
SPL Token Evaluation Dimensions
Because SPL tokens are created by the official program, they are not evaluated at the code level. The evaluation covers the following instead:
- Authority address settings and parameter settings
  - freeze_authority: whether it is configured. If a freeze authority account is configured, that account can freeze users' tokens.
- Whether the privileged account has exercised its powers
  - FreezeAccount: whether a user's token account has ever been frozen.
  - SetAuthority: whether an authority (MintTokens, FreezeAccount, AccountOwner, CloseAccount) has been transferred.
    - Mint account: MintTokens authority transfer, FreezeAccount authority transfer
    - Token account: AccountOwner authority transfer, CloseAccount authority transfer. A token account initializes its CloseAccount authority as None, so the account owner must first call SetAuthority to configure the authority account and then invoke the CloseAccount instruction.
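The authority check above can be done directly on a mint account's raw data. The following is an added example, not code from the SPL repository: it decodes the 82-byte base Mint layout and reports which authorities are still configured. The sample accounts are constructed, the key bytes are placeholders, and obtaining the raw data (for instance from an RPC account query) is assumed to happen elsewhere.

```python
import struct

MINT_LEN = 82  # size of the base Mint account state

def read_coption_pubkey(buf, off):
    """COption<Pubkey>: u32 LE tag (0 = None, 1 = Some) followed by 32 key bytes."""
    (tag,) = struct.unpack_from("<I", buf, off)
    if tag not in (0, 1):
        raise ValueError(f"bad COption tag {tag} at offset {off}")
    return bytes(buf[off + 4:off + 36]) if tag == 1 else None

def parse_mint(data):
    """Layout: mint_authority(36) supply(8) decimals(1) is_initialized(1) freeze_authority(36)."""
    if len(data) < MINT_LEN:
        raise ValueError("account data too short for a Mint")
    supply, decimals, initialized = struct.unpack_from("<QBB", data, 36)
    return {
        "mint_authority": read_coption_pubkey(data, 0),
        "supply": supply,
        "decimals": decimals,
        "is_initialized": bool(initialized),
        "freeze_authority": read_coption_pubkey(data, 46),
    }

def authority_findings(mint):
    """Report which privileged authorities are still configured on the mint."""
    findings = []
    if mint["mint_authority"] is not None:
        findings.append("mint_authority set: supply can still be increased with MintTo")
    if mint["freeze_authority"] is not None:
        findings.append("freeze_authority set: holders' token accounts can be frozen")
    return findings

def build_mint(mint_auth, supply, decimals, freeze_auth):
    """Helper for this example only: serialise a constructed Mint account."""
    def copt(key):
        return struct.pack("<I", 1) + key if key else bytes(36)
    return copt(mint_auth) + struct.pack("<QBB", supply, decimals, 1) + copt(freeze_auth)

# Constructed sample accounts (placeholder key bytes, not real addresses).
RISKY = build_mint(b"\x11" * 32, 1_000_000_000, 6, b"\x22" * 32)
RENOUNCED = build_mint(None, 1_000_000_000, 6, None)

if __name__ == "__main__":
    for name, raw in (("risky", RISKY), ("renounced", RENOUNCED)):
        print(name, authority_findings(parse_mint(raw)) or "no authority findings")
```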
SPL 2022 Tokens
SPL Documentation:/token-2022/extensions
SPL Code:/solana-labs/solana-program-library/tree/master/token/program-2022
All new instructions in Token-2022 are appended after the existing Token instructions. Token has 25 unique instructions, indexed from 0 to 24. Token-2022 supports all of them and adds its new functionality starting at index 25.
Mint extensions currently include:
- confidential transfers
- transfer fees
- closing mint
- interest-bearing tokens
- non-transferable tokens
- permanent delegate
- transfer hook
- metadata pointer
- metadata
Account extensions currently include:
- memo required on incoming transfers
- immutable ownership
- default account state
- CPI guard
SPL 2022 Token Evaluation Dimensions
In addition to the SPL token dimensions, evaluate the following:
- Authority address settings and parameter settings
  - Transfer Fees: whether the fee value is within a reasonable range.
  - Default Account State: whether a newly initialized account is frozen by default. If the initialized account is in the frozen state, the token cannot be transferred (sold).
  - Immutable Owner: the owner of the user's ATA token account is not allowed to be transferred.
- Whether the privileged account has exercised its powers
  - Non-Transferable Tokens: soulbound tokens, which are not allowed to be transferred.
  - Interest-Bearing Tokens: whether the token is interest-bearing (createInterestBearingMint), and whether the interest parameter has been modified by a call to updateRateInterestBearingMint.
  - Permanent Delegate: in the case of permanent delegation of authority, the delegated account has the authority to mint tokens to any account and destroy tokens from any account.
  - CPI Guard: whether the token uses the CPI Guard feature (createEnableCpiGuardInstruction) to prevent unconventional calls, and whether it is enabled (enableCpiGuard) or disabled (disableCpiGuard).
- Whether there is malicious logic in the code implementation
  - Transfer Hook: focus on the business logic of the hook program to see whether it leaves room for abuse. The hook program is deployed and specified by the administrator, and it is invoked to perform additional business logic whenever a token transfer is carried out.
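Several of these dimensions can be read from the extension data that Token-2022 appends to a mint account. The following is an added example, not code from the SPL repository: it walks the type-length-value entries that start after the padded base state and flags the transfer fee, default account state, non-transferable, permanent delegate and transfer hook extensions. The 500 bps fee threshold is an assumption chosen for illustration, the extension type numbers and field offsets are those of the Token-2022 layout as assumed here, and the sample account data is constructed.

```python
import struct

TLV_START = 166  # 165 bytes of padded base state + 1 account-type byte
TRANSFER_FEE_CONFIG, DEFAULT_ACCOUNT_STATE, NON_TRANSFERABLE = 1, 6, 9
PERMANENT_DELEGATE, TRANSFER_HOOK = 12, 14
MAX_FEE_BPS = 500  # assumed review threshold (5%), not a protocol constant

def iter_extensions(data):
    """Yield (type, value) per TLV entry: u16 type, u16 length, value (little-endian)."""
    off = TLV_START
    while off + 4 <= len(data):
        ext_type, length = struct.unpack_from("<HH", data, off)
        if ext_type == 0:  # Uninitialized: end of the used TLV region
            return
        if off + 4 + length > len(data):
            raise ValueError("truncated extension value")
        yield ext_type, data[off + 4:off + 4 + length]
        off += 4 + length

def extension_findings(data, max_fee_bps=MAX_FEE_BPS):
    findings = []
    for ext_type, value in iter_extensions(data):
        if ext_type == TRANSFER_FEE_CONFIG and len(value) >= 108:
            # basis points of older_transfer_fee (offset 88) and newer_transfer_fee (106)
            bps = max(struct.unpack_from("<H", value, 88)[0],
                      struct.unpack_from("<H", value, 106)[0])
            if bps > max_fee_bps:
                findings.append(f"transfer fee {bps} bps exceeds {max_fee_bps} bps")
        elif ext_type == DEFAULT_ACCOUNT_STATE and value[:1] == b"\x02":  # 2 = Frozen
            findings.append("new token accounts are frozen by default")
        elif ext_type == NON_TRANSFERABLE:
            findings.append("token is non-transferable")
        elif ext_type == PERMANENT_DELEGATE and any(value[:32]):
            findings.append("permanent delegate set: can burn tokens from any holder account")
        elif ext_type == TRANSFER_HOOK and any(value[32:64]):
            findings.append("transfer hook program set: review the hook program's logic")
    return findings

def tlv(ext_type, value):
    """Helper for this example only: serialise one constructed TLV entry."""
    return struct.pack("<HH", ext_type, len(value)) + value

# Constructed sample: 90% transfer fee, default-frozen accounts, a permanent delegate.
FEE_CFG = bytes(106) + struct.pack("<H", 9000)
SAMPLE = (bytes(165) + b"\x01" + tlv(TRANSFER_FEE_CONFIG, FEE_CFG)
          + tlv(DEFAULT_ACCOUNT_STATE, b"\x02") + tlv(PERMANENT_DELEGATE, b"\x33" * 32))
CLEAN = bytes(165) + b"\x01" + tlv(TRANSFER_FEE_CONFIG, bytes(108))

if __name__ == "__main__":
    print(extension_findings(SAMPLE))
```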
Case Study
SPL2022 Malicious tokens:/token/Bz7vBYYuNuK8Y4KRTjaunFFAjzVbAiE1mFM9EGnZ8SHU
Looking at the transaction behavior, this token's malicious technique is to use a privileged account to destroy all of a user's tokens after the user has acquired them.
This relies on the "permanent delegate" feature of SPL2022, which allows the delegate "mewfbQ" to mint or destroy tokens in any account. This is a malicious abuse of privilege.
As the block explorer shows, the Permanent Delegate account is set to the mewfbQ address, and it is through this account that the malicious operation was carried out.