Token-2022
Solana token standard (Token Extensions) that adds programmable features like Transfer Hooks, Confidential Transfers, and CPI guards, reintroducing control-flow and reentrancy considerations.
Token-2022 (also called Token Extensions) extends the original SPL Token program with optional extensions such as Transfer Hooks, Confidential Transfers, Interest-Bearing Tokens, and CPI guards. These features enable richer DeFi and compliance use cases but reintroduce risks that were largely absent in the original Solana account model—including context confusion via ExtraAccountMetaList, infinite recursion in hooks, and the need to audit the Auditor Key in Confidential Transfer for compliance backdoors.
Programs integrating Token-2022 must validate hook PDAs strictly, enforce least privilege on external state, respect CPI depth limits, and enable the CPI Guard (CpiGuardInstruction::Enable) and ImmutableOwner extensions where appropriate.
Articles Using This Term
Learn more about Token-2022 in these articles:

From EVM to SVM: A senior security researcher's guide to Solana in 2026
A technical guide for senior EVM security researchers transitioning to Solana's SVM. Covers Rust, Borsh, PDAs, Anchor, and the 2026 Solana security landscape.

Solana Audit Guide 2026: Firedancer & Token-2022 Risks
2026 Solana security guide: Firedancer skip-vote vulnerabilities, Token-2022 transfer hook risks, localized DoS vectors, and a complete audit checklist.

Solana Security Checklist: 45 Checks for Anchor & Native
45 Solana vulnerability checks: account validation, CPI security, PDAs, Token-2022 hooks, and more. Essential pre-audit checklist for Solana developers.
Related Terms
Transfer Hook
Token-2022 extension that runs custom program logic on every transfer of a mint, enabling compliance and composability but introducing reentrancy-like and context-validation risks.
Reentrancy Guard
Smart contract security pattern preventing attackers from recursively calling functions to drain funds during execution.
Hooks
External smart contracts in Uniswap v4 that execute custom logic at specific points in a pool's lifecycle.
