@samkim-crypto
Contributor

@samkim-crypto samkim-crypto commented Jan 2, 2026

Problem

The ApplyPendingBalance instruction of the Token-2022 Confidential Transfer Account extension does not verify the freeze status of the token account. As a result, confidential-transfer balances may still be updated even though the account is not supposed to allow any state changes.

According to the Token-2022 specification, once a token account has been frozen, no instruction that alters its state should be executable. A frozen account must remain immutable until explicitly thawed. Allowing ApplyPendingBalance to bypass this rule constitutes a violation of the expected behavior defined in the spec.

Furthermore, this flaw causes external explorers and other transaction inspectors to incorrectly interpret frozen accounts as active, since confidential-transfer state transitions continue to occur despite the frozen status. This misrepresentation can mislead auditors, monitoring tools, and downstream applications relying on on-chain state consistency.

Summary of Changes

Disabled apply pending balance when the account is frozen.

@samkim-crypto samkim-crypto force-pushed the freeze-apply-pending-balance branch from 5d34a6c to 47fd273 Compare January 2, 2026 06:26
@samkim-crypto samkim-crypto marked this pull request as ready for review January 6, 2026 08:00
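
The missing freeze check described in the PR description, as an added example that is not part of the pull request or the project's code: a simplified model of the handler before and after the fix, with an invariant check suitable for a regression test. All type, field and function names are hypothetical, and plain `u64` counters stand in for the encrypted balances.

```rust
// Simplified model (assumption): real confidential balances are ElGamal
// ciphertexts; plain u64 counters stand in for them here.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum AccountState { Initialized, Frozen }

#[derive(Debug, PartialEq)]
pub enum TokenError { AccountFrozen }

#[derive(Clone, Debug, PartialEq)]
pub struct TokenAccount {
    pub state: AccountState,
    pub pending_balance: u64,
    pub available_balance: u64,
    pub pending_credit_counter: u64,
}

// Behaviour described as the problem: state is mutated with no freeze check.
pub fn apply_pending_balance_unchecked(acct: &mut TokenAccount) -> Result<(), TokenError> {
    acct.available_balance += acct.pending_balance;
    acct.pending_balance = 0;
    acct.pending_credit_counter = 0;
    Ok(())
}

// Behaviour after the fix: reject before any field is touched.
pub fn apply_pending_balance_checked(acct: &mut TokenAccount) -> Result<(), TokenError> {
    if acct.state == AccountState::Frozen {
        return Err(TokenError::AccountFrozen);
    }
    apply_pending_balance_unchecked(acct)
}

// Invariant: a frozen account is rejected and left field-for-field unchanged.
pub fn frozen_is_immutable(handler: fn(&mut TokenAccount) -> Result<(), TokenError>) -> bool {
    let before = TokenAccount {
        state: AccountState::Frozen, // constructed sample values
        pending_balance: 25,
        available_balance: 100,
        pending_credit_counter: 2,
    };
    let mut after = before.clone();
    handler(&mut after).is_err() && after == before
}

fn main() {
    println!("unchecked: {}", frozen_is_immutable(apply_pending_balance_unchecked));
    println!("checked:   {}", frozen_is_immutable(apply_pending_balance_checked));
}
```

The same invariant can be run against any other state-changing handler to confirm that it also rejects frozen accounts.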
Contributor

@joncinque joncinque left a comment

Looks great!

@samkim-crypto samkim-crypto merged commit bfa4bb8 into solana-program:main Jan 7, 2026
38 checks passed

4 participants