Category: Business Logic

Confidential transfer amounts information leak via transfer fees

Severity: Low
Impact: Low
Likelihood: N/A

Description

Tokens managed by SPL Token 2022 can be configured to require a transfer fee consisting of a percentage of the transferred amount (with the possibility to cap the maximum fee at a fixed amount). This configuration also applies to confidential transfers, relying on zero-knowledge cryptographic arguments to prove the validity of the encrypted balances being manipulated.

Information about the value of every transfer is leaked to the owner of the keys controlling the transfer fees for the mint.

Impact

The owner of the private key associated with management of the transfer fees can gather information on the value of confidential transfers. Since the key is able to decrypt the fee balance before and after the transfer has occurred, the fee amount for every transfer can be obtained. If the fee is lower than the cap amount, then the exact transferred amount can be inferred. Otherwise, the transferred amount is guaranteed to be at least as big as the minimum amount that would require the maximum fee.
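To gauge how much a single observed fee narrows down a transfer, the following added example (not code from the SPL Token 2022 repository or from the report) inverts a fee rule. It assumes the fee is the basis-point percentage rounded up and then capped; the function names, the `Leak` type and the 1% / 5,000-unit configuration are constructed for illustration.

```rust
// Added illustration, not code from the SPL Token 2022 repository.
// Assumption: fee = min(ceil(amount * bps / 10_000), max_fee).
const BPS_DENOM: u128 = 10_000;

/// Fee charged on `amount` under the assumed rule.
fn fee_for(amount: u64, bps: u16, max_fee: u64) -> u64 {
    let raw = (amount as u128 * bps as u128 + BPS_DENOM - 1) / BPS_DENOM;
    raw.min(max_fee as u128) as u64
}

/// What someone who learns one transfer's fee learns about its amount.
#[derive(Debug, PartialEq)]
enum Leak {
    Range { lo: u64, hi: u64 }, // fee below the cap: lo <= amount <= hi
    AtLeast { min: u64 },       // fee at the cap: only a lower bound
    Impossible,                 // no amount yields this fee
}

fn amounts_consistent_with(fee: u64, bps: u16, max_fee: u64) -> Leak {
    if fee > max_fee {
        return Leak::Impossible;
    }
    if bps == 0 {
        // Zero rate: the fee is always 0 and reveals nothing.
        return if fee == 0 { Leak::AtLeast { min: 0 } } else { Leak::Impossible };
    }
    let (f, b) = (fee as u128, bps as u128);
    // Smallest amount whose rounded-up fee reaches `fee`.
    let lo = if f == 0 { 0 } else { (f - 1) * BPS_DENOM / b + 1 };
    if lo > u64::MAX as u128 {
        return Leak::Impossible;
    }
    if fee == max_fee {
        return Leak::AtLeast { min: lo as u64 };
    }
    // Largest amount whose rounded-up fee is still `fee`.
    let hi = (f * BPS_DENOM / b).min(u64::MAX as u128);
    if hi < lo {
        return Leak::Impossible; // only reachable for rates above 100%
    }
    Leak::Range { lo: lo as u64, hi: hi as u64 }
}

fn main() {
    // Constructed configuration: 1% fee (100 bps), capped at 5_000 units.
    println!("fee for 3_601: {}", fee_for(3_601, 100, 5_000));
    for fee in [37u64, 5_000] {
        println!("fee {}: {:?}", fee, amounts_consistent_with(fee, 100, 5_000));
    }
}
```

Under the assumed rounding, the width of the uncapped interval depends only on the fee rate, so a token issuer can use it to document how much a fee observation reveals for a given configuration.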

Recommendations

Completely blinding the transfer fee amounts appears to be challenging and likely to require a significant engineering effort. If this information leak is accepted, we suggest informing SPL token developers and users of this privacy pitfall of confidential transfers involving fees.

Remediation

Pull request #3773 addresses the issue by adding more documentation on the confidential transfer extension code, acknowledging the potential information leak if a confidential transfer with fees is performed. The PR head commit 1c3af5e was merged into the master branch on October 28, 2022.

Zellic © 2024