Kora Paymaster, Token-2022 Transfer Fee Miscalculation (High)

Listen to this Post

The vulnerability resides in Kora’s `verify_token_payment()` function, which validates whether a user has paid sufficient transaction fees using an SPL Token-2022 token that includes a `TransferFeeConfig` extension. When a user initiates a `transfer_checked` instruction, the on-chain Token-2022 program automatically deducts a configured transfer fee (e.g., 5%) from the specified amount and credits only the net amount to the paymaster’s destination account. However, `verify_token_payment()` extracts the raw `amount` from the instruction and uses this pre-fee value to compute the equivalent lamport value via calculate_token_value_in_lamports(). The function never subtracts the transfer fee, so the paymaster credits the full raw amount as payment, while actually receiving amount - transfer_fee. This discrepancy causes the paymaster to systematically over-credit value for every transaction paid with a fee‑bearing Token‑2022 token. Although the codebase contains a `calculate_transfer_fee()` function (used elsewhere for fee estimation), it is never invoked during payment verification. As a result, an attacker can pay less than the required fee by exploiting this asymmetry, causing the paymaster to suffer cumulative financial losses proportional to the transfer fee percentage.

dailycve form

Platform: Kora Paymaster
Version: Unspecified (pre‑patch)
Vulnerability: Token‑2022 fee miscalc
Severity: High
date: 2025-02-25

Prediction: Patch expected 2025-03-15

What Undercode Say:

Analytics

The flaw is a classic example of inconsistent state handling: the verification logic uses the gross transfer amount while the on‑chain program settles the net amount. For a token with a transfer fee of f basis points, the paymaster loses exactly f/10000 of every payment. Over many transactions, this loss accumulates linearly. The vulnerability exists only for Token‑2022 mints that have the `TransferFeeConfig` extension and are whitelisted in allowed_spl_paid_tokens. The test suite already includes such mints (e.g., `create_usdc_mint_2022` with 1% fee), making the issue easily reproducible.

Bash Commands & Code

  1. Check if a mint has transfer fees (using Solana CLI):
    solana account <MINT_ADDRESS> --output json | jq '.data.parsed.info.extensions[] | select(.extension=="transferFeeConfig")'
    
  2. Simulate the loss (bash one‑liner for a 5% fee token):
    fee_basis_points=500; amount=1000; fee=$((amount fee_basis_points / 10000)); net=$((amount - fee)); echo "Credited: $amount, Received: $net, Loss: $fee"
    
  3. Rust test snippet (from the ) to verify the discrepancy:
    [tokio::test]
    async fn test_token2022_transfer_fee_not_deducted() {
    let transfer_amount: u64 = 1_000_000;
    let credited_amount = transfer_amount;
    let actual_received = transfer_amount - (transfer_amount 1000 / 10000);
    assert!(credited_amount > actual_received);
    }
    

How Exploit:

An attacker can craft a transaction that pays the required fee using a Token‑2022 token with a transfer fee. They send a `transfer_checked` instruction with an amount that, after the on‑chain fee deduction, delivers exactly the required net value to the paymaster. However, because `verify_token_payment()` uses the pre‑fee amount, it considers the payment sufficient even though the paymaster received less. The attacker thus pays less than the required fee. Repeating this for every transaction yields a steady drain of funds from the paymaster.

Protection from this CVE

The fix requires modifying `verify_token_payment()` to deduct the transfer fee before calculating the lamport value. The effective amount should be obtained by fetching the mint’s `TransferFeeConfig` and calling calculate_transfer_fee(), then subtracting that fee from the raw amount. The patched code would look like:

let effective_amount = if is_2022 {
let mint_info = Token2022MintInfo::from_account_data(&mint_account.data)?;
if let Ok(Some(fee)) = mint_info.calculate_transfer_fee(amount, current_epoch) {
amount.saturating_sub(fee)
} else { amount }
} else { amount };

Until the patch is applied, operators should avoid whitelisting any Token‑2022 mint that has a transfer fee, or temporarily disable Token‑2022 fee payments.

Impact

  • Systematic Financial Loss: Every transaction using a fee‑bearing Token‑2022 token results in the paymaster crediting more value than it receives.
  • Loss Scale: Proportional to the transfer fee percentage. For a 5% fee token, the paymaster loses 5% of every payment amount. Over 100 transactions of $1 each, that is $5 lost.
  • Precondition: Requires a Token‑2022 mint with `TransferFeeConfig` to be whitelisted in allowed_spl_paid_tokens. Many projects using SPL Token‑2022 may inadvertently enable this.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top