GHSA-725g-w329-g7qr: kora-lib: Token-2022 Transfer Fee Not Deducted During Payment Verification
When a user pays transaction fees with a Token-2022 token whose mint carries a TransferFeeConfig extension, Kora's verify_token_payment() credits the full raw amount of the transfer instruction as the payment value. The on-chain SPL Token-2022 program, however, withholds a transfer fee from every transfer of such a token (a basis-point percentage of the amount, rounded up and capped at the extension's maximum fee), so the paymaster's destination token account receives only amount - transfer_fee. The paymaster therefore consistently credits more value than it actually receives, and every fee payment made with such a token leaves it short by the withheld fee, a systematic financial loss for the operator. A correct check must read the mint's TransferFeeConfig, compute the fee the program will withhold for the current epoch, and credit only the net amount.
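The following is an added example, not Kora's code and not the spl-token-2022 crate: it re-implements the Token-2022 fee formula (ceil(amount * basis_points / 10_000), capped at maximum_fee) in a stand-in TransferFee struct so it runs without the crate, and places the vulnerable "credit the raw amount" logic beside a hardened version that credits only what the destination account receives. The function names, the struct, and the sample amounts are illustrative assumptions.

```rust
// Added example (not Kora's or spl-token-2022's code). The TransferFee struct is a
// stand-in for the relevant fields of the Token-2022 TransferFeeConfig extension.

const ONE_IN_BASIS_POINTS: u128 = 10_000;

/// Subset of a Token-2022 transfer-fee schedule: rate in basis points and a hard cap.
#[derive(Debug, Clone, Copy)]
pub struct TransferFee {
    pub transfer_fee_basis_points: u16,
    pub maximum_fee: u64,
}

impl TransferFee {
    /// Fee the Token-2022 program withholds for a transfer of `amount`:
    /// ceil(amount * bps / 10_000), then min(fee, maximum_fee).
    /// Returns None on arithmetic overflow, mirroring checked on-chain math.
    pub fn calculate_fee(&self, amount: u64) -> Option<u64> {
        let bps = self.transfer_fee_basis_points as u128;
        if bps == 0 || amount == 0 {
            return Some(0);
        }
        let numerator = (amount as u128).checked_mul(bps)?;
        // Ceiling division: (n + d - 1) / d.
        let raw_fee = numerator
            .checked_add(ONE_IN_BASIS_POINTS - 1)?
            .checked_div(ONE_IN_BASIS_POINTS)?;
        let fee = u64::try_from(raw_fee).ok()?;
        Some(fee.min(self.maximum_fee))
    }
}

/// Vulnerable behaviour: the raw instruction amount is credited, ignoring the fee
/// the program will withhold when the mint has a TransferFeeConfig extension.
pub fn credited_value_vulnerable(amount: u64, _fee_config: Option<&TransferFee>) -> u64 {
    amount
}

/// Hardened behaviour: credit only amount - fee when the mint carries a fee schedule.
/// None signals overflow/underflow, which the caller should treat as a rejection.
pub fn credited_value_fixed(amount: u64, fee_config: Option<&TransferFee>) -> Option<u64> {
    match fee_config {
        None => Some(amount),
        Some(cfg) => {
            let fee = cfg.calculate_fee(amount)?;
            amount.checked_sub(fee)
        }
    }
}

/// The paymaster's acceptance test: the value actually received must cover the
/// required fee payment.
pub fn payment_covers(required: u64, credited: u64) -> bool {
    credited >= required
}

fn main() {
    // Constructed sample: 1% fee (100 bps) capped at 50_000 base units, and a
    // payment that is exactly the required amount before the fee is withheld.
    let cfg = TransferFee { transfer_fee_basis_points: 100, maximum_fee: 50_000 };
    let required = 1_000_000u64;
    let amount = 1_000_000u64;

    let naive = credited_value_vulnerable(amount, Some(&cfg));
    let net = credited_value_fixed(amount, Some(&cfg)).expect("no overflow");
    println!("fee withheld: {}", cfg.calculate_fee(amount).unwrap());
    println!("vulnerable credits {} -> accepted: {}", naive, payment_covers(required, naive));
    println!("fixed credits {} -> accepted: {}", net, payment_covers(required, net));
}
```

The sample run credits 1_000_000 under the vulnerable path but only 990_000 under the fixed one, so the same transfer is accepted by the former and rejected by the latter. When wiring this against the real extension, note that TransferFeeConfig holds two schedules (older and newer) and the one in force depends on the current epoch, so the fee must be computed from the schedule that applies when the transaction lands, not from whichever is listed first.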