Assessment reports > SPL Token 2022 > Critical findings > Missing check in process_withdraw potentially leading to inflationary bug
Category: Coding Mistakes

Missing check in process_withdraw potentially leading to inflationary bug

Critical Severity
Critical Impact
High Likelihood

Description

Withdrawals from a token account's confidential balance to its cleartext balance require a zero-knowledge (ZK) argument that proves that the account's encrypted balance is greater than the withdrawn amount.

Confidential withdraw transactions consist of two instructions. One contains the aforementioned ZK argument and is processed by a special built-in program that verifies its validity, reverting the transaction in case of failure. The other instruction, processed by SPL Token 2022, performs the operations on the balances to actually accomplish the withdrawal. The token program verifies that the instruction containing the ZK argument exists and that its inputs are consistent with the state of the involved accounts, tying the ZK argument to the state of the blockchain.

The token program does not correctly verify that the public key associated with the ZK argument corresponds to the public key associated with the source account's encrypted balance. This potentially allows an attacker to forge a ZK argument asserting the validity of any desired withdrawal amount, regardless of the actual encrypted balance of the source account.

Refer to ref for more information on the equations implementing the ZK argument.

Impact

An attacker might be able to exploit this issue and withdraw an arbitrary amount of tokens to their cleartext balance, creating tokens from nothing and inflating the supply. Note that the supply inflation will not be reflected by the information stored in the mint account associated with the token. The plaintext balance is spendable, exactly like any other regular plaintext balance on a legitimate account.

We did not fully confirm exploitability of this issue, but the team agreed that it is likely possible to forge a malicious ZK equality argument.

Recommendations

Ensure that the public key associated with the source account corresponds to the public key associated with the ZK argument (the pubkey field of the WithdrawData struct).
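The consistency check described above, with and without the recommended public-key binding, as an added model written for this page. It is not SPL Token 2022 code: the types, field names and the opaque ciphertext representation are assumptions, and the ZK verification itself is left out since the built-in proof program handles it.

```rust
// Illustrative model only (not SPL Token 2022 code); all names are assumptions.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct ElGamalPubkey(pub [u8; 32]);

/// Opaque stand-in for the encrypted available balance.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct ElGamalCiphertext(pub [u8; 64]);

/// Public inputs of the ZK argument carried by the proof-verifying instruction.
#[derive(Clone, Copy, Debug)]
pub struct WithdrawData {
    pub pubkey: ElGamalPubkey,         // key the argument was produced for
    pub ciphertext: ElGamalCiphertext, // balance ciphertext the argument is stated over
    pub amount: u64,
}

/// Fields of the source account's confidential-transfer extension used here.
pub struct ConfidentialTransferAccount {
    pub elgamal_pubkey: ElGamalPubkey,
    pub available_balance: ElGamalCiphertext,
}

#[derive(Debug, PartialEq, Eq)]
pub enum WithdrawError {
    MissingProofInstruction,
    AmountMismatch,
    CiphertextMismatch,
    PubkeyMismatch,
}

/// Ties the ZK argument to on-chain state. `bind_pubkey = false` models the
/// original behaviour (the check the finding reports as missing); `true` models
/// the recommended fix. The proof program is assumed to have already verified
/// the argument relative to the pubkey it carries.
pub fn validate_withdraw(
    proof: Option<&WithdrawData>,
    source: &ConfidentialTransferAccount,
    amount: u64,
    bind_pubkey: bool,
) -> Result<(), WithdrawError> {
    let data = proof.ok_or(WithdrawError::MissingProofInstruction)?;
    if data.amount != amount {
        return Err(WithdrawError::AmountMismatch);
    }
    if data.ciphertext != source.available_balance {
        return Err(WithdrawError::CiphertextMismatch);
    }
    // Without this binding, an argument made under a key the attacker controls
    // is accepted for a balance encrypted under the account's real key.
    if bind_pubkey && data.pubkey != source.elgamal_pubkey {
        return Err(WithdrawError::PubkeyMismatch);
    }
    Ok(())
}
```

The contrast is the whole point: the same mismatched argument passes the unbound check and is rejected once the pubkey field of WithdrawData is compared against the source account's key.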

Remediation

The Solana Foundation team was alerted to this finding while the audit was ongoing. The team quickly helped confirm the issue.

Pull request #3768 fixes the issue following our recommendation. The PR head commit 94b912a was merged in the master branch on October 27, 2022.

The confidential token transfer extension was not used at the time the audit was conducted; therefore, funds were not at risk.

Zellic © 2024