Exploring Solana: A Comprehensive Guide to Accounts, Tokens, Transactions, and Ensuring Asset Security
Solana is a Dynamic and Scalable Blockchain Protocol for Empowering Decentralized Applications (DApps). Amidst the recent resurgence in the Solana ecosystem that has captured global interest, this article delves into the intricacies of Solana, including its account structures, token dynamics, transaction processes, and essential strategies for safeguarding assets in this burgeoning ecosystem.
Understanding accounts is the first step in ensuring asset security. Unlike accounts in Ethereum, accounts in Solana primarily serve to store data.
There are three main types of accounts in Solana:
- Data Accounts: These are used for storing data.
- Program Accounts: These accounts store executable programs.
- Native Accounts: These refer to native programs on Solana, such as System, Stake, and Vote.
Data accounts can be further divided into two categories:
- System-Owned Accounts: These accounts are generated by native programs on Solana.
- Program-Derived Accounts (PDA): These accounts have their signing authority controlled by a program, making them different from other accounts which are controlled by private keys.
Each account on Solana has an address (usually a public key) and an owner (the address of a program account). The former is similar to accounts on Ethereum, while the latter can be understood as the program that created the account.
Accounts generated by ordinary users through wallets are categorized under data accounts as system-owned accounts. By default, the owner of these accounts is the System program. This can be simplified as: users generate a system-owned account through the System program, which stores their basic information and assets. This account has an address, which is essentially the public key.
Taking Solana Explorer as an example, the accounts used by ordinary users, which are system-owned accounts, are displayed on the browser as follows:
In Solana accounts, ‘Assigned Program Id’ signifies the owner of the account. ‘Allocated Data Size’ indicates the size of data already stored in the account. ‘Executable’ denotes whether the account is executable or not, which is typically a feature of program accounts. Regular users, however, should primarily concern themselves with the account’s address.
With this information, we now have a basic understanding of Solana accounts. Let’s proceed to learn about Solana Tokens.
On the Solana network, SPL-Token represents all non-native tokens, including both fungible tokens and non-fungible tokens (NFTs).
Similar to ERC20 and ERC721 tokens on Ethereum, SPL tokens are issued and traded on the Solana network. However, there are differences in their mechanisms:
In Solana, the issuer of a Token creates a ‘mint-account’ through the native program ‘token-program’. This mint-account stores the basic information of the Token. For instance, the mint-account address for USDC on Solana Explorer is EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v. The browser displays detailed information about the USDC Token Mint, including the current token supply, addresses with minting and freezing permissions, and the token’s decimal precision.
Next, let’s understand what a token-account is on Solana.
On Solana, each Token holder possesses a specific token-account, which records the balance and related information of that particular Token for the holder. For example, if Alice owns both USDT and USDC tokens, she would have two separate token-accounts: one recording the balance of USDT and the other for USDC.
So, how does one view their token-account?
One can use the Solana Beach browser. By entering the address of a data account and clicking on ‘Portfolio’, it’s possible to clearly see each token-account. Each account records the balance of a specific Token.
Through the Solana Beach browser, one can also view detailed information about each account, including recorded Token information and authorization details.
On Solana, each transaction contains the following key information:
- Instructions: One or more instructions that define the actions within the transaction, such as transfers, program interactions, Token transfers, etc.
- Blockhash: This includes the latest block hash value, which is used to ensure that the transaction executes on the correct block.
- Signatures: One or more signatures indicating the authorization of the transaction. Each signature corresponds to a signatory account involved in the transaction, ensuring that only authorized accounts can execute it.
A single transaction on Solana can include multiple instructions. This means that multiple different operations can be executed in one transaction. For example, a user can bundle several transfer instructions into one transaction. These instructions are executed in sequence. If any instruction in the transaction fails, the entire transaction will fail.
Solana’s transaction records are slightly different from Ethereum’s. Let’s explore how to effectively read transaction records on Solana.
When examining transaction records on Solana, let’s use the SOLSCAN browser as an example and focus on the following main information:
- Signature: Similar to a transaction hash, it serves as the index of the transaction in the records, using the first signature in the transaction.
- Result: This indicates the outcome of the transaction, showing whether it was successful or not.
- Signer: The address of the account that executed the transaction, i.e., the signer’s address.
- Main Actions: The primary operation instructions contained in the transaction, which could include transfers, program calls, etc.
- Instruction Details: The specific operational instructions executed in the transaction.
In the Main Actions section, we can see the account addresses of both parties involved in the transfer.
In the ‘Instruction Details’ section, we can see that the primary instruction for a SOL transfer transaction is ‘SOL Transfer,’ which is intended for transferring SOL. By examining the details of this instruction closely, we can obtain information about the program that called this instruction, as well as the account addresses of both parties involved in the transfer.
Token Transfers: The following transaction is a transfer of USDT.
In the ‘Instruction Details’ section, Token transactions usually begin with the ‘Create Associated Account’ instruction. This is used to create a Token account for the recipient if they do not already have one, for storing data like the USDT balance.
This is followed by the ‘Token Transfer’ instruction, which completes the transfer of USDT. It’s important to note that unlike the ‘SOL Transfer’ instruction, the ‘Source’ and ‘Destination’ in the ‘Token Transfer’ instruction do not represent the direct account addresses of the parties involved in the transfer. Instead, they are their Token accounts (PDA accounts), which is a crucial detail to be aware of.
Swap Transaction: Here’s an example of a Swap transaction, where a user exchanges USDT for USDC.
Multi-Instruction Transactions: In Solana transactions that contains various operations such as SOL transfers, Swap transactions, and Token transfers are multi-instruction transactions.
Even with multiple instructions, we can still view the detailed instructions executed in a transaction through the ‘Instruction Details’ section, understanding each specific step involved.
As the saying goes, ‘Know yourself and know your enemy, and you will never be in peril.’ We have already gained a basic understanding of accounts, Tokens, and transactions on Solana. To avoid the risk of asset theft, it is crucial to understand the potential risks when using a Solana wallet.
Private Key and Mnemonic Phrase Leakage
According to the SlowMist Blockchain Hacked Archive, in 2023, nine incidents of private key leaks led to losses amounting to $84.75 million. In the cases of theft investigation by the SlowMist AML team, a significant proportion were due to the leakage of private keys and mnemonic phrases. Therefore, the most important aspect of ensuring the security of assets on a Solana wallet is the proper management of the wallet’s private key and mnemonic phrase.
In the process of using wallets, signing is one of the most critical security risks to pay attention to, especially when interacting with projects on Solana and signing information.
Moreover, Solana allows bundling multiple transfers into one transaction, meaning that all assets in a wallet can be transferred in a single signature.
Let’s look at an actual case:
A victim accidentally executed an operation on a phishing website, and with just one confirmation click, all the assets in the wallet were transferred out in one go. What was the operation that allowed the hacker to transfer all assets with just one signature by the victim?
Yes, the hacker took advantage of the mechanism mentioned above and a specific feature of the wallet:
The victim was using Phantom Wallet, which has the capability to bundle multiple transfer instructions into a single transaction that requires only one signature to complete the entire process. It was this very feature that the hacker exploited, resulting in the victim losing all their assets with just one signature. Users are urged to be extremely cautious and confirm every signature operation when using wallets to avoid such losses.
The official documentation of Phantom Wallet also clearly describes this key feature:
In this Solana educational article, we first delved into the basic knowledge of Solana accounts. Then, we explored the fundamental concepts of Solana Tokens. Following that, we discussed the relevant aspects of conducting transactions on Solana. In the section on ensuring wallet asset security, we emphasized the secure storage of private keys and mnemonic phrases. We recommend users to read the ‘Blockchain Dark Forest Selfguard Manual’ for additional security advice. Additionally, when using wallets, it is crucial for users to carefully confirm each signature operation to avoid losses. Furthermore, reading the security tips in the wallet documentation is vital and staying vigilant at all times is key to protecting your assets.
At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. They offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.
By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from occurring. Their team was able to find and publish several high-risk blockchain security flaws. By doing so, they could spread awareness and raise the security standards in the blockchain ecosystem.