By: do
Solana is a fast and highly scalable blockchain protocol that provides infrastructure for decentralized applications (DApps). The recent recovery of the Solana ecosystem has attracted widespread attention. This article introduces Solana accounts, tokens and transactions, and then how to keep assets safe in this ecosystem.
Solana Account
Understanding your account is the first step to protecting your assets. Unlike accounts on Ethereum, the primary role of an account on Solana is to store data: everything on chain, programs included, lives in an account.
There are three main types of accounts on Solana:
Data account: stores data, for example a wallet's SOL balance or a token balance.
Program account: stores an executable program.
Native account: one of the built-in programs that ship with Solana, such as the System, Stake and Vote programs.
Data accounts can be further divided into two categories:
System-owned account: an account whose owner is the System Program. This is the kind of account a wallet creates for a user.
Program Derived Account (PDA): an account whose address is derived deterministically from a program ID and a set of seeds, and chosen so that it lies off the ed25519 curve. No private key corresponds to such an address; only the program it was derived from can sign on its behalf, so unlike other accounts it is not controlled by a private key.
Each account has an address (usually a public key) and an owner (the address of a program account). The address plays the same role as on Ethereum; the owner is the program that is allowed to modify the account's data and debit its SOL, and is usually the program that created the account.
The accounts that ordinary users generate through a wallet are system-owned data accounts, and their owner is the System Program. Put simply, the user creates an account through the System Program; that account holds the user's SOL balance and other data, and is identified by its address, which is the user's public key.
Taking Solana Explorer as an example, an ordinary user's account, that is, a system-owned account, is displayed as shown below:
Assigned Program Id is the owner of the account, Allocated Data Size is the size of the data stored in the account, and Executable shows whether the account is executable. Usually only program accounts are executable. Ordinary users only need to pay attention to the address of the account.
Through the above content, we have a preliminary understanding of Solana accounts. Next, let’s get to know Solana Token.
Solana Token
SPL Token is the standard for all non-native tokens on the Solana network, including fungible tokens and non-fungible tokens (NFTs).
Like ERC-20 and ERC-721 tokens, SPL tokens are issued and traded on Solana, but they differ from Ethereum in the following way:
On Solana, a token issuer does not deploy a contract per token. Instead, the issuer creates a mint account through the native Token Program and stores the token's basic information in that account. For example, the USDC mint account address is EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v. Solana Explorer displays the details of the USDC token mint, including the current supply, the addresses holding mint and freeze authority, and the token's decimal precision.
Next, let’s understand what token-account is.
On Solana, a token holder has a separate token account for each token they hold, and that account records the balance of that specific token and related information; the balance is not stored in the wallet account itself. For example, if Alice holds both USDT and USDC, she has two token accounts: one records her USDT balance and the other her USDC balance.
So how do you check your token accounts?
Using the Solana Beach explorer, enter the address of your wallet (data) account and click Portfolio to see each token account. Each token account records the balance of one specific token.
Solana Beach also shows, for each token account, which token it holds, its authorization (delegate) status and other details.
Solana Transactions
On Solana, every transaction includes the following key information:
Instructions: one or more instructions that define the operations in the transaction, such as SOL transfers, program calls, token transfers, etc.
Recent blockhash: the hash of a recent block. It acts as a timestamp and nonce rather than as a block selector: the transaction is only valid while that blockhash is still recent (roughly a minute), and the same signed transaction cannot be replayed once it has been processed.
Signatures: one or more signatures authorizing the transaction. Each signature corresponds to a signing account listed in the transaction, so only the holders of those accounts' private keys can authorize it.
A Solana transaction can contain multiple instructions, so several different operations can be performed in one transaction. For example, a user can pack multiple transfer instructions into one transaction; the instructions are executed sequentially and atomically, so if any one instruction fails, the entire transaction fails and none of its effects are applied.
Solana's transaction records differ slightly from Ethereum's. Let's look at how to read transaction records on Solana effectively.
SOL transfer transaction
For transaction records on Solana, we take the Solscan explorer as an example and focus on the following main information:
Signature: similar to a transaction hash; the first signature of the transaction is used as the transaction's identifier in the record.
Result: the execution result of the transaction, indicating whether it succeeded.
Signer: the account(s) that signed the transaction; the first signer is also the fee payer.
Main Actions: the main operations in the transaction, which can be transfers, program calls, etc.
Instruction Details: the specific instructions executed in the transaction.
In Main Actions we can see the account addresses of both parties to the transfer.
In Instruction Details we can see that the main instruction of a SOL transfer is SOL Transfer, executed by the System Program. Expanding the instruction shows the program called and the addresses of the sender and recipient.
Token transfer transaction
The following transaction is a USDT transfer; it looks similar to the SOL transfer.
In Instruction Details, a token transfer usually first calls Create Associated Account, which creates an associated token account for the recipient (if the recipient does not already have one) to hold data such as the USDT balance.
It then executes the Token Transfer instruction, which moves the USDT. Note that, unlike the SOL Transfer instruction, the Source and Destination of a Token Transfer are not the wallet addresses of the two parties but their token accounts (PDAs derived from the wallet address, the Token Program and the mint). To know who actually receives the tokens, look up the owner of the destination token account instead of reading the destination address as a wallet.
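The two points above, that a PDA has no private key and that a Token Transfer's Destination is a derived token account rather than a wallet, can be checked with a few dozen lines of code. The following Python is an added example, not code from the article or from Solana Labs: it reproduces the PDA derivation (SHA-256 over seeds, program ID and the "ProgramDerivedAddress" marker, with a bump seed searched from 255 down until the result is off the ed25519 curve) and uses it to compute a wallet's associated token account (ATA) for a mint, so a transaction's Destination can be compared against the expected recipient. The wallet key is constructed (the bytes 0x00..0x1f); the program IDs and the USDC mint are the well-known mainnet addresses, and the on-curve test mirrors ed25519 point decompression rather than calling a library.

```python
import hashlib

# ed25519 field and curve parameters (standard values, no assumptions).
P = 2**255 - 19
D = (-121665 * pow(121666, -1, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)          # a square root of -1 mod P

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Well-known mainnet program IDs; USDC mint is the address quoted in the article.
TOKEN_PROGRAM_ID = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"
ASSOCIATED_TOKEN_PROGRAM_ID = "ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL"
USDC_MINT = "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v"


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))      # leading '1's encode leading zero bytes
    return b"\x00" * pad + body


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def pubkey(s: str) -> bytes:
    raw = b58decode(s)
    if len(raw) != 32:
        raise ValueError("not a 32-byte public key")
    return raw


def is_on_curve(pk: bytes) -> bool:
    """True if the 32 bytes decompress to an ed25519 point, i.e. a private key
    could exist for this address. Mirrors CompressedEdwardsY::decompress."""
    y = (int.from_bytes(pk, "little") & ((1 << 255) - 1)) % P
    u = (y * y - 1) % P
    v = (D * y * y + 1) % P                # never 0 for ed25519's d
    x2 = u * pow(v, -1, P) % P             # x^2 = (y^2 - 1) / (d*y^2 + 1)
    if x2 == 0:
        return True
    x = pow(x2, (P + 3) // 8, P)           # candidate sqrt, valid because P = 5 mod 8
    if (x * x - x2) % P == 0:
        return True
    x = x * SQRT_M1 % P
    return (x * x - x2) % P == 0


def create_program_address(seeds, program_id: bytes) -> bytes:
    h = hashlib.sha256()
    for seed in seeds:
        if len(seed) > 32:
            raise ValueError("seed longer than 32 bytes")
        h.update(seed)
    h.update(program_id)
    h.update(b"ProgramDerivedAddress")
    addr = h.digest()
    if is_on_curve(addr):                  # a PDA must have no possible private key
        raise ValueError("address is on the curve; try another bump")
    return addr


def find_program_address(seeds, program_id: bytes):
    """Search bump 255..0 for the first off-curve address, as Solana does."""
    for bump in range(255, -1, -1):
        try:
            return create_program_address(list(seeds) + [bytes([bump])], program_id), bump
        except ValueError:
            continue
    raise ValueError("no viable bump found")


def associated_token_address(wallet: bytes, mint: bytes) -> bytes:
    seeds = [wallet, pubkey(TOKEN_PROGRAM_ID), mint]
    addr, _bump = find_program_address(seeds, pubkey(ASSOCIATED_TOKEN_PROGRAM_ID))
    return addr


def is_expected_ata(destination: bytes, wallet: bytes, mint: bytes) -> bool:
    """Is a Token Transfer 'Destination' really this wallet's ATA for this mint?"""
    return destination == associated_token_address(wallet, mint)


if __name__ == "__main__":
    wallet = bytes(range(32))              # constructed key, not a real account
    ata = associated_token_address(wallet, pubkey(USDC_MINT))
    print("ATA:", b58encode(ata), "on curve:", is_on_curve(ata))
```

The same derivation, with seeds of a program's own choosing, is what explorers use to label token accounts and what a program uses to authorize a PDA. A destination token account whose address does not match the expected ATA is not necessarily malicious (a recipient may use a non-associated token account), but it is exactly the case where the owner of that account should be checked before signing.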
Swap transaction
Below is a swap transaction in which the user exchanges USDT for USDC.
Transactions with multiple instructions
A Solana transaction that contains multiple instructions may involve several operations at once, such as a SOL transfer, a swap and a token transfer.
Even if there are multiple instructions, we can still view the detailed instructions for transaction execution through Instruction Details and understand the specific operations of each step.
Asset security
As the saying goes, if you know yourself and know your enemy, you can fight a hundred battles without danger. We have taken a first look at accounts, tokens and transactions on Solana. To avoid the risk of asset theft, we also need a deeper understanding of the risks we may face when using a Solana wallet.
Private key and mnemonic phrase leaked
According to statistics from the SlowMist Blockchain Hacked Archive (https://hacked.slowmist.io), nine private key leak incidents in 2023 resulted in losses as high as US$84.75 million. Among the theft cases handled by the SlowMist AML team, incidents in which leaked private keys or mnemonic phrases led to asset theft account for a large proportion. Therefore, the most important thing for securing assets in a Solana wallet is to manage the wallet's private key and mnemonic phrase safely.
Using a wallet
Signing is one of the most serious security risks when using a wallet, and special attention needs to be paid to what you are signing when interacting with projects on Solana.
Moreover, Solana allows multiple transfers to be packed into one transaction, which means that with a single signature all of the assets in a wallet can be transferred away at once.
Let’s look at a practical case below:
A victim made a mistake on a phishing website and clicked confirm only once, yet all of the assets in the wallet were transferred away at once. What kind of operation lets the victim sign once and the hacker take everything?
Yes, the hacker exploited the mechanism mentioned above together with a feature of the wallet:
The victim used Phantom Wallet, which can package multiple transfer instructions into a single transaction that needs only one signature to complete the whole process. It is precisely this feature that attackers use to drain a wallet with one signature. When using a wallet, users must carefully review every signing request, including each instruction it contains, to avoid losses.
Phantom Wallet's official documentation also clearly describes this feature.
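To make the transaction-structure section and the phishing case above concrete, the following Python is an added example, not code from the article, from Phantom or from Solana Labs. It builds a legacy (non-versioned) Solana message containing several System Program transfers that all debit the fee payer, parses that wire format back (message header, compact-u16 length prefixes, account keys, recent blockhash, instructions) and sums the SOL that would leave the signer, which is the check a wallet or a careful user wants before producing the one signature that authorizes every instruction. All keys and the blockhash are constructed placeholder bytes; only the System Program transfer layout (u32 instruction index 2 followed by u64 lamports) is decoded, so SPL token transfers, which use the Token Program's own layout, are not counted.

```python
import struct

SYSTEM_PROGRAM_ID = bytes(32)          # base58 "11111111111111111111111111111111"
SYSTEM_TRANSFER = 2                    # System Program instruction index for Transfer
LAMPORTS_PER_SOL = 1_000_000_000


def encode_compact_u16(n: int) -> bytes:
    """Solana's compact-u16: 7 bits per byte, little-endian, 0x80 continuation bit."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_compact_u16(buf: bytes, pos: int):
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def build_message(fee_payer: bytes, recipients, lamports_each, blockhash: bytes) -> bytes:
    """Legacy message with one System transfer per recipient, all debiting fee_payer.
    Account order: fee payer (signer, writable), recipients (writable), program (readonly)."""
    keys = [fee_payer] + list(recipients) + [SYSTEM_PROGRAM_ID]
    msg = bytearray([1, 0, 1])            # 1 signer, 0 readonly signed, 1 readonly unsigned
    msg += encode_compact_u16(len(keys)) + b"".join(keys)
    msg += blockhash
    msg += encode_compact_u16(len(recipients))
    program_index = len(keys) - 1
    for i, amount in enumerate(lamports_each):
        data = struct.pack("<IQ", SYSTEM_TRANSFER, amount)
        msg += bytes([program_index])
        msg += encode_compact_u16(2) + bytes([0, 1 + i])   # from = payer, to = recipient i
        msg += encode_compact_u16(len(data)) + data
    return bytes(msg)


def parse_message(msg: bytes) -> dict:
    """Decode the bytes a wallet is asked to sign into keys and instructions."""
    num_signers, ro_signed, ro_unsigned = msg[0], msg[1], msg[2]
    pos = 3
    n_keys, pos = decode_compact_u16(msg, pos)
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash = msg[pos:pos + 32]
    pos += 32
    n_ix, pos = decode_compact_u16(msg, pos)
    instructions = []
    for _ in range(n_ix):
        program_index = msg[pos]
        pos += 1
        n_acc, pos = decode_compact_u16(msg, pos)
        acc = list(msg[pos:pos + n_acc])
        pos += n_acc
        n_data, pos = decode_compact_u16(msg, pos)
        data = msg[pos:pos + n_data]
        pos += n_data
        instructions.append({"program": keys[program_index],
                             "accounts": [keys[a] for a in acc], "data": data})
    return {"num_signers": num_signers, "readonly_signed": ro_signed,
            "readonly_unsigned": ro_unsigned, "keys": keys,
            "blockhash": blockhash, "instructions": instructions}


def sol_outflow(msg: bytes) -> dict:
    """Total lamports the fee payer (keys[0]) sends out through System transfers."""
    parsed = parse_message(msg)
    payer = parsed["keys"][0]
    transfers, total = [], 0
    for ix in parsed["instructions"]:
        if ix["program"] != SYSTEM_PROGRAM_ID or len(ix["data"]) != 12:
            continue                       # not a System transfer; other layouts not decoded
        kind, amount = struct.unpack("<IQ", ix["data"])
        if kind == SYSTEM_TRANSFER and ix["accounts"][0] == payer:
            transfers.append((ix["accounts"][1], amount))
            total += amount
    return {"total_lamports": total, "transfers": transfers,
            "num_instructions": len(parsed["instructions"]),
            "num_signatures": parsed["num_signers"]}


if __name__ == "__main__":
    # Constructed keys: a victim payer and two attacker-controlled recipients.
    payer, r1, r2 = bytes([1]) * 32, bytes([0xAA]) * 32, bytes([0xBB]) * 32
    msg = build_message(payer, [r1, r2], [int(1.5 * LAMPORTS_PER_SOL), LAMPORTS_PER_SOL // 2], bytes(32))
    s = sol_outflow(msg)
    print(f"{s['num_signatures']} signature authorizes {s['num_instructions']} instructions, "
          f"{s['total_lamports'] / LAMPORTS_PER_SOL} SOL leaving the signer")
```

The number that matters to the user is the total, not the first transfer shown in a confirmation dialog: a single approval covers every instruction in the message, and a phishing site controls how many instructions it packs in. The same parse-then-sum approach extends to token transfers once the Token Program's instruction layout is decoded, and the account to compare against is then the owner of the source token account, not the signer's wallet address.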
Summary
In this introductory article we first covered the basics of Solana accounts, then the basic concepts of SPL tokens, and then how to read transactions on Solana. For the security of wallet assets, we emphasize safe storage of private keys and mnemonic phrases, and recommend that users read the "Blockchain Dark Forest Selfguard Handbook" produced by SlowMist for more security advice: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md. When using a wallet, users must carefully confirm every signing operation to avoid losses. It is also important to read the security tips in the wallet's documentation; staying vigilant at all times is the key to keeping your assets safe.