What Is the Solana Token Extensions Standard (Token-2022) and Why It Changes Risk Evaluation
Token-2022 introduces powerful new features like transfer fees and permanent delegation. Legitimate uses exist — but several extensions create attack vectors that don't exist in standard SPL tokens.

The Upgraded Token Standard
Solana's Token-2022 program — also called Token Extensions — is the upgraded successor to the original SPL Token standard, introducing a suite of optional features that project teams can enable when creating a new token. Unlike standard SPL tokens, which have fixed behavior, Token-2022 tokens can be configured with extensions that dramatically change how they function. Understanding these extensions is essential for risk evaluation because several of them create attack vectors that don't exist in standard tokens.
The Key Extensions and What Each Does
Transfer Fee Extension: A percentage of every token transfer is automatically redirected to a specified wallet. Example: a 5% transfer fee means every time anyone buys, sells, or transfers the token, 5% of the amount goes to the fee wallet. Legitimate use: protocol revenue sharing. Scam use: configured at 90-99% on tokens that appear to trade normally until large transfers are attempted.
Permanent Delegate Extension: Grants a specified address the permanent ability to transfer or burn tokens from any holder's account — without the holder's approval. This is one of the most dangerous extensions for buyers. The team can drain any wallet holding their token at any time. There is theoretically no legitimate retail token use case that requires permanent delegation.
Freeze Authority Extension: Allows the token authority to freeze any account holding the token, preventing transfers. Standard SPL tokens can also have freeze authority, but Token-2022 extends the functionality. Frozen tokens can be redistributed by the authority in some configurations.
Non-Transferable Extension: Tokens that cannot be transferred after minting. Legitimate use: soul-bound credentials, achievement NFTs. In tradeable tokens, creates liquidity problems.
Interest-Bearing Extension: Token balances automatically increase over time at a specified rate — without any additional assets being deposited. The "interest" is synthetic (created by updating a rate multiplier), useful for rebasing stablecoin designs.
Confidential Transfers: Hides transaction amounts using zero-knowledge proofs. Legitimate use: privacy-sensitive enterprise applications. Risk implication: reduced on-chain transparency that security tools rely on.
Transfer Hook Extension: Custom program logic executes on every token transfer. This is the most complex extension — it can implement any arbitrary logic including external validation, blacklisting, or additional fee collection.
How to Identify Token-2022 Tokens
In Phantom wallet and on Solscan, Token-2022 tokens display the program address TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb instead of the standard SPL token program address. Hannisol's security scanner checks the token program version and specifically analyzes any active extensions and their configurations.
The Risk Evaluation Framework for Token-2022
High-risk extensions requiring strong justification before buying:
- Permanent delegate (almost never legitimate for retail tokens)
- High transfer fees (>2% is unusual; >10% is dangerous)
- Transfer hooks with unaudited custom programs
Moderate-risk extensions worth noting:
- Freeze authority (standard risk, exists in both SPL and Token-2022)
- Low transfer fees (1-2% may be legitimate protocol fees)
Lower-risk extensions with clear legitimate uses:
- Non-transferable (clearly disclosed and expected)
- Interest-bearing (for designed rebasing tokens)
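The tiers above can be applied directly to raw mint account data. The Python below is an added example, not Hannisol's scanner or code from the original article: it walks the extension entries of a mint account and reports findings by tier. The byte offsets and extension type numbers are assumptions taken from the Token-2022 account layout, the function names are hypothetical, the sample account is constructed, and a fee below 1% is treated as moderate because the framework does not tier it.

```python
import struct

# Assumed Token-2022 mint layout: 82-byte base mint, zero padding to 165 bytes,
# account-type byte at offset 165 (1 = mint), then TLV entries (u16 type, u16 len).
TYPE_OFFSET, MINT_TYPE = 165, 1
NAMES = {9: "non-transferable", 10: "interest-bearing"}

def parse_extensions(data: bytes) -> dict:
    """Return {extension_type: value_bytes} for a mint account's TLV area."""
    if len(data) <= TYPE_OFFSET or data[TYPE_OFFSET] != MINT_TYPE:
        return {}  # 82-byte mint without extensions, or not a mint
    out, pos = {}, TYPE_OFFSET + 1
    while pos + 4 <= len(data):
        ext_type, length = struct.unpack_from("<HH", data, pos)
        if ext_type == 0:  # uninitialized slot marks the end of the entries
            break
        if pos + 4 + length > len(data):
            raise ValueError("truncated TLV entry")
        out[ext_type] = data[pos + 4 : pos + 4 + length]
        pos += 4 + length
    return out

def assess(data: bytes) -> list:
    """Apply the article's tiers; returns (tier, finding) tuples."""
    findings, ext = [], parse_extensions(data)
    if any(ext.get(12, b"")):  # PermanentDelegate; all-zero key means none
        findings.append(("high", "permanent delegate"))
    if any(ext.get(14, b"")[32:64]):  # TransferHook: program id after authority
        findings.append(("high", "transfer hook program, confirm it is audited"))
    if len(ext.get(1, b"")) >= 108:  # TransferFeeConfig: older and newer fee
        bps = max(struct.unpack_from("<H", ext[1], off)[0] for off in (88, 106))
        if bps:
            note = " (dangerous)" if bps > 1000 else ""
            tier = "high" if bps > 200 else "moderate"
            findings.append((tier, f"transfer fee {bps / 100:g}%{note}"))
    if len(data) >= 82 and struct.unpack_from("<I", data, 46)[0] == 1:
        findings.append(("moderate", "freeze authority set"))
    findings += [("lower", NAMES[t]) for t in NAMES if t in ext]
    return findings

def sample_mint() -> bytes:
    """Constructed data: freeze authority, 95% fee, permanent delegate."""
    base, fee = bytearray(TYPE_OFFSET), bytearray(108)
    struct.pack_into("<I", base, 46, 1)  # freeze_authority option tag = Some
    for off in (88, 106):
        struct.pack_into("<H", fee, off, 9500)  # basis points
    tlv = struct.pack("<HH", 1, 108) + fee + struct.pack("<HH", 12, 32) + b"\x22" * 32
    return bytes(base) + bytes([MINT_TYPE]) + tlv

print(assess(sample_mint()))
```

The fee check takes the higher of the two stored fee schedules because the newer one only takes effect at a later epoch, so a token can look cheap to transfer today and become punitive afterwards.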

