SPL Token 2022 is a collection of on-chain programs targeting the Sealevel parallel runtime. These programs are tested against Solana's implementation of Sealevel, the Solana runtime, and are deployed to its mainnet.
Zellic conducted an audit for Solana Foundation from September 19th to October 7th, 2022.
Our general overview of the codebase is that the migration of the code to support both legacy token accounts as well as the new, extensible form is relatively robust. The implementation appears to be devoid of major issues in the core of the token program, though some critical issues were identified in the extensions themselves. It appears that a robust platform on which to enhance the functionality of Solana token accounts has been built, though care should be taken in the implementation of the extension itself.
Zellic thoroughly reviewed the SPL Token 2022 codebase to find protocol-breaking bugs as defined by the documentation and to find any technical issues outlined in the Methodology section of this document.
Specifically, taking into account SPL Token 2022's threat model, we focused heavily on issues that would break core invariants such as proper account serialization and deserialization, mint accounting, and violations in the guarantees offered by the new extensions.
During our assessment of the scoped SPL Token 2022 contracts, we discovered seven findings. Critical issues were identified. Of the six findings, two were critical, three were of low severity, and the remaining finding was informational in nature.
Additionally, Zellic recorded its notes and observations from the audit for Solana Foundation's benefit in the Discussion section at the end of the document.