CVE Reports

Originally published at cvereports.com

GHSA-725G-W329-G7QR: Token-2022 Transfer Fee Bypass in Solana Kora Relayer

Vulnerability ID: GHSA-725G-W329-G7QR
CVSS Score: 7.5
Published: 2026-03-12

The kora-lib crate, which serves as the core library for the Solana Kora Relayer, contains a business logic vulnerability related to SPL Token-2022 transfer fee verification. The relayer fails to accurately account for on-chain transfer fees when verifying user payments, resulting in the relayer crediting users for pre-fee transaction amounts. This discrepancy allows attackers to systematically underpay the relayer for transaction sponsorship.

TL;DR

A logic error in kora-lib causes the Solana Kora Relayer to calculate user token payments based on the pre-fee transfer amount rather than the actual amount received after SPL Token-2022 transfer fees are deducted. This allows malicious actors to drain the relayer's funds by underpaying for sponsored transactions.
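
The discrepancy described above, as an added example (not code from kora-lib or from the advisory): it applies the Token-2022 transfer-fee formula, ceil(amount × basis points / 10,000) capped at the mint's maximum fee, and compares a check on the pre-fee amount with a check on the amount received. The type and function names and the sample fee values are assumptions, and the mint is assumed to have a single active fee setting.

```rust
// Added illustration; not kora-lib code. All names here are hypothetical.
const BPS_DENOMINATOR: u128 = 10_000;

/// Simplified Token-2022 transfer fee for one mint (assumes one active fee setting).
struct TransferFee {
    basis_points: u16,
    maximum_fee: u64,
}

impl TransferFee {
    /// Fee withheld on-chain: ceil(amount * bps / 10_000), capped at maximum_fee.
    fn fee_for(&self, amount: u64) -> u64 {
        if self.basis_points == 0 || amount == 0 {
            return 0;
        }
        let numerator = amount as u128 * self.basis_points as u128;
        let raw = (numerator + BPS_DENOMINATOR - 1) / BPS_DENOMINATOR;
        raw.min(self.maximum_fee as u128) as u64
    }

    /// Amount that actually lands in the recipient's token account.
    fn net_received(&self, amount: u64) -> u64 {
        amount.saturating_sub(self.fee_for(amount))
    }
}

/// Flawed pattern from the advisory: credit the pre-fee transfer amount.
fn credits_pre_fee(transfer_amount: u64, required: u64) -> bool {
    transfer_amount >= required
}

/// Corrected pattern: credit only what arrives after the fee is deducted.
fn credits_post_fee(fee: &TransferFee, transfer_amount: u64, required: u64) -> bool {
    fee.net_received(transfer_amount) >= required
}

/// Monitoring helper: gap between the credited amount and the received amount.
fn shortfall(fee: &TransferFee, transfer_amount: u64) -> u64 {
    transfer_amount - fee.net_received(transfer_amount)
}

fn main() {
    // Constructed sample values: 2.5% fee with a cap of 5_000 base units.
    let fee = TransferFee { basis_points: 250, maximum_fee: 5_000 };
    let (amount, required) = (1_000_000u64, 1_000_000u64);
    println!("pre-fee check:  {}", credits_pre_fee(amount, required));
    println!("post-fee check: {}", credits_post_fee(&fee, amount, required));
    println!("shortfall:      {}", shortfall(&fee, amount));
}
```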


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-682
  • Attack Vector: Network
  • Impact: Financial Loss / Paymaster Drain
  • Exploit Status: Proof of Concept
  • Authentication: Unauthenticated
  • Component: kora-lib payment verification

Affected Systems

  • kora-lib (solana-foundation/kora)
  • Solana Kora Relayer
  • kora-lib: versions before commit 8cbd8217ee505e6b37c63ef835ff095cfa8ab318 (fixed in commit 8cbd8217ee505e6b37c63ef835ff095cfa8ab318)

Code Analysis

Commit: 8cbd821

Fix token transfer fee calculation and program ID comparison in instruction parsing

Mitigation Strategies

  • Update kora-lib crate to a version including commit 8cbd8217ee505e6b37c63ef835ff095cfa8ab318.
  • Temporarily restrict accepted payment tokens to standard SPL Token assets, avoiding Token-2022 assets with active transfer fees.
  • Implement continuous monitoring to compare verified payment amounts against actual on-chain balance changes.

Remediation Steps:

  1. Identify all deployed instances of the Kora Relayer running vulnerable versions of kora-lib.
  2. Pull the latest changes from the solana-foundation/kora repository encompassing the fix commit.
  3. Recompile the relayer binary to ensure the new token state resolution logic is included.
  4. Redeploy the updated binary to all production relayer nodes.
  5. Audit historical relayer logs and on-chain token account balances to assess any financial discrepancies.
