This article delves into the account structure, token mechanism, transaction process of Solana, and provides guidance on how to ensure asset security in the Solana ecosystem.
Table of Contents:
Solana Accounts
Solana Tokens
Solana Transactions
SOL Transfer Transactions
Token Transfer Transactions
Swap Transactions
Multiple Instruction Transactions
Asset Security
Private Key and Mnemonic Phrase Leakage
Using Wallets
Summary
Solana is a fast and highly scalable blockchain protocol that provides a powerful infrastructure for decentralized applications (DApps). The recent recovery of the Solana ecosystem has attracted widespread attention. This article will introduce Solana accounts, tokens, transactions, and how to ensure asset security in this ecosystem.
Understanding accounts is the first step toward keeping assets safe. Solana accounts play a different role from Ethereum accounts: in Solana, the primary function of an account is to store data.
Solana accounts can be divided into three main types:
– Data accounts: used to store data.
– Program accounts: used to store executable programs.
– Native accounts: refer to native programs on Solana, such as System, Stake, and Vote.
Data accounts can be further divided into two categories:
– System owned accounts: accounts generated by native programs on Solana.
– Program derived accounts (PDA): accounts for which a program holds signing authority; unlike other accounts, they are not controlled by a private key.
Each account has an address (generally a public key) and an owner (the address of the program that created the account). The address is comparable to an Ethereum address, while the owner identifies the program that controls the account.
Accounts generated by regular users through wallets belong to the system-owned accounts in the data accounts category. The default account owner is the system program. In simple terms, users generate a system-owned account through a system program, which stores the user’s basic information and assets. This account has an address (public key).
For example, the account used by regular users, i.e. the system-owned account, is displayed in Solana Explorer as follows:
Assigned Program Id is the owner of the account, Allocated Data Size is the size of the data stored in the account, and Executable indicates whether the account is executable; usually only program accounts are executable. Regular users only need to pay attention to the account address.
With the above information, we have gained a preliminary understanding of Solana accounts. Next, let’s get to know Solana Tokens.
SPL-Token represents all non-native tokens on the Solana network, including fungible tokens and non-fungible tokens (NFTs).
Similar to ERC20 and ERC721 tokens, SPL tokens are issued and traded on Solana. However, the difference from Ethereum is that:
In Solana, the issuer of a token creates a mint account through the native Token Program and stores the token’s basic information in this account. For example, the mint account address of USDC on Solana Explorer is EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v. The explorer displays detailed information about the USDC Token Mint, including the current token supply, the addresses holding mint and freeze authority, and the token’s decimal precision.
Next, let’s understand what a token account is.
On Solana, every token holder has a specific token account that records the balance and related information of that particular token. For example, if Alice holds both USDT and USDC tokens, she will have two token accounts, one recording the balance of USDT and the other recording the balance of USDC.
So how can we view our token accounts?
We can open the Solana Beach explorer, enter the address of the data account, and click Portfolio to see each token account; each account records the balance of one specific token.
Solana Beach also shows detailed information about each token account, including its token, authorization status, and other details.
On Solana, each transaction contains the following key information:
– Instructions: one or more instructions that define the operations in the transaction, such as transfers, program interactions, token transfers, etc.
– Blockhash: the latest block hash, which ties the transaction to the correct block so it cannot be executed elsewhere.
– Signatures: one or more signatures representing the authorization of the transaction. Each signature corresponds to a signing account in the transaction, ensuring that only authorized accounts can execute the transaction.
A transaction on Solana can contain multiple instructions, which means multiple different operations can be executed in the same transaction. For example, a user can bundle multiple transfer instructions into one transaction, and these instructions will be executed sequentially. If any of the instructions in the transaction fail, the entire transaction will fail.
The transaction records on Solana are slightly different from Ethereum. Let’s see how to read transaction records on Solana effectively.
For Solana transaction records, let’s take the Solscan explorer as an example and focus on the following main information:
– Signature: similar to a transaction hash; the first signature of the transaction serves as its index in the transaction records.
– Result: the execution result of the transaction, indicating whether the transaction was successful.
– Signer: the account address that executed the transaction, i.e., the signer’s address.
– Main Actions: the main operation instructions included in the transaction, which can be transfers, program calls, etc.
– Instruction Details: the specific operation instructions executed in the transaction.
In the Main Actions, we can see the account addresses of both sides of the transfer.
In the Instruction Details, we can see that the main instruction of the SOL transfer transaction is SOL Transfer, which is used for SOL transfers. By examining the details of this instruction, we can obtain information about the program called by this instruction and the account addresses involved in the transfer.
The following transaction is a USDT transfer, similar to the SOL transaction.
In the Instruction Details section, token transactions usually begin by calling the Create Associated Account instruction, which creates a token account for the recipient (if the recipient does not already have one for this token) to store the USDT balance and related data.
Then the Token Transfer instruction completes the USDT transfer. Note that, unlike the SOL Transfer instruction, the Source and Destination in a Token Transfer instruction are not the wallet addresses of the two parties but their token accounts (PDA accounts). This is an easy point to miss when checking where a transfer actually went.
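Because the Destination of a Token Transfer is a token account rather than a wallet, verifying a transfer means deriving the recipient’s token account from their wallet address and the mint. The following is an added example, not code from the article: it derives the associated token account (ATA) in pure Python using the well-known SPL Token and Associated Token program IDs and the USDC mint quoted above, and it assumes the reader supplies the recipient wallet and the Destination shown by the explorer.

```python
import hashlib
P = 2**255 - 19                               # ed25519 field prime
D = (-121665 * pow(121666, P - 2, P)) % P     # ed25519 curve constant d
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"
ASSOCIATED_TOKEN_PROGRAM = "ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL"
USDC_MINT = "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v"   # mint quoted in the article

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + raw   # leading '1' == 0x00 byte

def b58encode(b: bytes) -> str:
    n, out = int.from_bytes(b, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(b) - len(b.lstrip(b"\x00"))) + out

def is_on_curve(pubkey: bytes) -> bool:
    """True if the 32 bytes decompress to an ed25519 point, i.e. a key pair could exist for it."""
    y = (int.from_bytes(pubkey, "little") & ((1 << 255) - 1)) % P
    sign = pubkey[31] >> 7
    u, v = (y * y - 1) % P, (D * y * y + 1) % P
    x2 = u * pow(v, P - 2, P) % P             # x^2 = (y^2 - 1) / (d*y^2 + 1)
    if x2 == 0:
        return sign == 0                      # x = 0 may not carry a negative sign bit
    return pow(x2, (P - 1) // 2, P) == 1      # Euler's criterion: is x^2 a square mod P?

def find_program_address(seeds: list, program_id: bytes) -> tuple:
    """PDA search: highest bump whose hash lands OFF the curve, so no private key can sign for it."""
    for bump in range(255, -1, -1):
        h = hashlib.sha256(b"".join(seeds) + bytes([bump]) + program_id + b"ProgramDerivedAddress").digest()
        if not is_on_curve(h):
            return h, bump
    raise ValueError("no off-curve bump found")

def associated_token_address(wallet: str, mint: str) -> str:
    """Seeds are [wallet, Token Program, mint]; the result is the holder's token account for that mint."""
    seeds = [b58decode(wallet), b58decode(TOKEN_PROGRAM), b58decode(mint)]
    pda, _bump = find_program_address(seeds, b58decode(ASSOCIATED_TOKEN_PROGRAM))
    return b58encode(pda)

def destination_is_recipient(destination: str, recipient_wallet: str, mint: str) -> bool:
    """Compare a Token Transfer instruction's Destination with the ATA of the wallet you meant to pay."""
    return destination == associated_token_address(recipient_wallet, mint)
```

A Destination that does not equal the recipient’s ATA is either a non-default token account (which the recipient should be able to explain) or a sign that the transfer went somewhere else.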
Below is a Swap transaction where the user exchanges USDT for USDC.
A Solana transaction that contains multiple instructions can combine several operations, such as SOL transfers, swaps, and token transfers, in a single transaction.
Even with multiple instructions, we can still view the detailed instructions executed in the transaction through Instruction Details and understand the specific operations of each step.
As the saying goes, “Know yourself, know your enemy, and you shall not be defeated in a hundred battles.” We have gained a preliminary understanding of Solana accounts, tokens, and transactions. To avoid the risk of asset theft, we need to have a deep understanding of the risks that may be faced when using Solana wallets.
According to SlowMist Blockchain Security’s hacker database statistics, security incidents caused by private key leakage have resulted in losses of up to $84.75 million as of September 2023. In the theft cases handled by SlowMist’s AML team, incidents of asset theft due to private key and mnemonic phrase leakage accounted for a considerable proportion. Therefore, to ensure the security of assets on Solana wallets, the most important thing is to manage the private keys and mnemonic phrases properly.
When using a wallet, signing is one of the most important security risks to watch for, especially when a project on Solana asks you to sign a message or transaction.
Furthermore, Solana allows multiple transfers to be bundled into one transaction, which means that all assets in a wallet can be transferred with just one signature.
Let’s look at a real-life case:
A victim mistakenly clicked on a confirmation on a phishing website, resulting in all assets in the wallet being transferred at once. What operation allowed the hacker to transfer all assets with just one signature?
The hacker exploited the transaction mechanism described above together with a feature of the wallet:
The victim used the Phantom Wallet, which can bundle multiple transfer instructions into one transaction, completing the entire process with just one signature. It is precisely this feature that became the breakthrough point exploited by the hacker, causing the victim to lose all assets with one signature. When using wallets, users must carefully confirm each signature operation to avoid losses.
This critical feature is explicitly introduced in the official documentation of the Phantom Wallet:
In this Solana educational article, we first learned the basics of Solana accounts, then covered the fundamental concepts of Solana tokens, and then discussed transactions on Solana. On securing wallet assets, we emphasized the safe storage of private keys and mnemonic phrases and recommended that users read SlowMist’s “Dark Forest Survival Guide” for more security advice. When using wallets, users must carefully confirm each signature operation and remain vigilant at all times; this is the key to ensuring asset security.