
CPI Reentrancy Is Back: A Solana Developer's Defense Playbook for Token-2022 Transfer Hooks
For years, Solana developers enjoyed a comforting belief: reentrancy isn't a thing here. The runtime's single-threaded execution model and account locking semantics meant the recursive callback attacks that plagued Ethereum simply couldn't happen.

Token-2022 transfer hooks changed that. When you call transfer_checked on a Token-2022 mint that has a transfer hook configured, the Token-2022 program will CPI into the hook program — which could be anything. That hook can then CPI back into your program before your function has finished updating state. Classic reentrancy, reborn on Solana.

This isn't theoretical. The Neodyme security team demonstrated practical exploit paths in their Token-2022 security analysis, and every DeFi protocol accepting Token-2022 tokens is a potential target. Here's the defensive playbook.

The Attack Anatomy

Consider a lending protocol's deposit() function:

    pub fn deposit(ctx: Context<Deposit>, amount: u64) -> Result<()> {
        // 1. Transfer tokens from
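As an added example that is not part of the article, the following std-only Rust simulation models the situation the article describes: a deposit whose token CPI reaches a transfer hook, and that hook calling back into deposit before the first call has returned. The Vault, VaultError and deposit names, and the closure standing in for the transfer_checked CPI, are hypothetical stand-ins for on-chain accounts and CPIs; no Anchor or Solana crates are involved. It shows two defensive measures together: state is updated before the CPI (effects before interactions), and an in_progress flag in the protocol's state rejects any nested call while a deposit is in flight.

```rust
// Added example (not from the article): a minimal simulation of defending
// against CPI reentrancy through a Token-2022 transfer hook.
// Assumptions: `Vault`, `VaultError`, `deposit` and the closure-based
// "transfer CPI" are hypothetical stand-ins for on-chain accounts and CPIs,
// so the pattern can be exercised with plain std Rust.

use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum VaultError {
    Reentrancy,     // a nested call arrived while a deposit was in flight
    TransferFailed, // the simulated token CPI returned an error
}

#[derive(Default, Debug)]
pub struct Vault {
    pub total_deposits: u64,
    pub balances: HashMap<String, u64>,
    // Stand-in for a flag in the protocol's state account that acts as a
    // reentrancy lock across the CPI.
    pub in_progress: bool,
}

/// Simulated `transfer_checked` CPI. The closure receives the vault so that a
/// transfer hook can attempt to CPI back into `deposit`.
pub type TransferCpi<'a> = &'a mut dyn FnMut(&mut Vault, u64) -> Result<(), VaultError>;

pub fn deposit(
    vault: &mut Vault,
    user: &str,
    amount: u64,
    transfer: TransferCpi<'_>,
) -> Result<(), VaultError> {
    // 1. Reentrancy guard: refuse if a deposit is already in flight.
    if vault.in_progress {
        return Err(VaultError::Reentrancy);
    }
    vault.in_progress = true;

    // 2. Effects before interactions: update accounting before the CPI so a
    //    reentrant hook never observes half-updated state.
    vault.total_deposits += amount;
    *vault.balances.entry(user.to_string()).or_insert(0) += amount;

    // 3. Interaction: the CPI that may reach a transfer hook.
    let result = transfer(vault, amount);

    // 4. Roll back on failure and always release the lock.
    if result.is_err() {
        vault.total_deposits -= amount;
        *vault.balances.get_mut(user).unwrap() -= amount;
    }
    vault.in_progress = false;
    result
}

/// Drives the simulation: a plain transfer, then one whose hook re-enters
/// `deposit`. Returns (total_deposits, result of the hooked deposit).
pub fn run_simulation() -> (u64, Result<(), VaultError>) {
    let mut vault = Vault::default();

    // Plain transfer: no hook, the CPI simply succeeds.
    let mut plain = |_v: &mut Vault, _amt: u64| -> Result<(), VaultError> { Ok(()) };
    deposit(&mut vault, "alice", 100, &mut plain).expect("plain deposit succeeds");

    // Hooked transfer: the hook calls deposit again before the outer call has
    // returned. The guard rejects the nested call; the hook propagates that
    // error, so the outer deposit rolls back and the lock is released.
    let mut hooked = |v: &mut Vault, amt: u64| -> Result<(), VaultError> {
        let mut noop = |_v: &mut Vault, _a: u64| -> Result<(), VaultError> { Ok(()) };
        deposit(v, "alice", amt, &mut noop)
    };
    let second = deposit(&mut vault, "alice", 50, &mut hooked);

    (vault.total_deposits, second)
}

fn main() {
    let (total, second) = run_simulation();
    println!("total_deposits = {total}, hooked deposit = {second:?}");
}
```

After the run, total_deposits is still 100 and the hooked deposit returns Err(Reentrancy): the nested call never touched state, and the outer call's own update was rolled back because its CPI failed. Ordering state changes before the CPI matters even with the lock present, because any logic that the hook could legitimately trigger must see consistent accounting.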


