← Back to Glossary

Transfer Hook

Token-2022 extension that runs custom program logic on every transfer of a mint, enabling compliance and composability but introducing reentrancy-like and context-validation risks.

A Transfer Hook is a Token-2022 extension that executes custom logic (via a program specified by the mint) on every transfer of that mint. It enables use cases such as transfer allowlists, fees, and compliance checks. Hooks receive additional accounts through an ExtraAccountMetaList; failure to strictly validate PDA derivation and seeds can allow attackers to inject malicious accounts (e.g., a spoofed whitelist) and bypass transfer logic.

If a Transfer Hook triggers a CPI that initiates another transfer of the same mint, it can create a recursion loop—potentially leading to griefing or asset freeze. Auditors must verify hook acyclicity, enforce read-only access on external state where possible, and respect Solana's CPI depth limit (4) for DeFi composability.

Articles Using This Term

Learn more about Transfer Hook in these articles:

Solana Audit Guide 2026: Firedancer & Token-2022 Risks

Solana Audit Guide 2026: Firedancer & Token-2022 Risks

2026 Solana security guide: Firedancer skip-vote vulnerabilities, Token-2022 transfer hook risks, localized DoS vectors, and a complete audit checklist.

Feb 7, 20269 min read
Solana Security Checklist: 45 Checks for Anchor & Native

Solana Security Checklist: 45 Checks for Anchor & Native

45 Solana vulnerability checks: account validation, CPI security, PDAs, Token-2022 hooks, and more. Essential pre-audit checklist for Solana developers.

Jan 28, 202614 min read

Related Terms

Token-2022

Solana token standard (Token Extensions) that adds programmable features like Transfer Hooks, Confidential Transfers, and CPI guards, reintroducing control-flow and reentrancy considerations.

Hooks

External smart contracts in Uniswap v4 that execute custom logic at specific points in a pool's lifecycle.

Reentrancy Guard

Smart contract security pattern preventing attackers from recursively calling functions to drain funds during execution.

Need expert guidance on Transfer Hook?

Our team at Zealynx has deep expertise in blockchain security and DeFi protocols. Whether you need an audit or consultation, we're here to help.

Get a Quote

oog
zealynx

Smart Contract Security Digest

Monthly exploit breakdowns, audit checklists, and DeFi security research — straight to your inbox

REQUEST AN AUDIT

Quick Links

Services

Company

Resources

© 2026 Zealynx