Solana's Token-2022 Transfer Hooks: How a "Safe" Feature Imported Ethereum's Deadliest Bug Class

via Dev.to (ohmygod)

Solana was supposed to be immune to reentrancy. The account model, the lack of dynamic dispatch, the explicit account list — all of it made the callback-based reentrancy attacks that plagued Ethereum effectively impossible. Then Token-2022 shipped Transfer Hooks, and everything changed.

Transfer Hooks let token issuers attach arbitrary program logic that executes on every transfer. Compliance checks, royalty enforcement, transfer restrictions — powerful features that institutions demanded. But they also reintroduced something Solana developers never had to worry about: control flow returning to attacker-controlled code mid-transfer.

This article dissects exactly how Transfer Hook reentrancy works on Solana, why traditional Solana security assumptions fail to catch it, and what you need to do before deploying any program that interacts with Token-2022 tokens.

The Old Assumption: "Solana Can't Have Reentrancy"

In classic SPL Token, a transfer is a single CPI (Cross-Program Invocation) c

Continue reading on Dev.to
