Lineagei
Frameworki
What's Anchor?
Batteries-included Rust framework. Ships account-validation codegen, 8-byte instruction discriminators, and an on-chain IDL — the program describes itself.
Bigger binary and higher rent in exchange for safety rails, introspection, and dev speed. The choice of a team optimizing for correctness over on-chain footprint.
Originally Coral (Armani Ferrante); now community-maintained.
What it is
The de facto standard. Rust macros (#[program], #[derive(Accounts)]) eliminate boilerplate: it auto-generates 8-byte account and instruction discriminators — SHA256("account:<Name>")[..8] and SHA256("global:<ix>")[..8] — handles Borsh (de)serialization, enforces account constraints declaratively (mut, has_one, seeds, init), and emits a JSON IDL that client libraries consume directly. The cost: Borsh copies data on every deserialize (not zero-copy), and the macro machinery adds binary bloat and compute overhead — irrelevant for ~99% of programs.
When to pick it
Building a new protocol, moving fast, or wanting maximum ecosystem compatibility. It's the beginner default and stays the right call for most production programs.
How it looks on-chain
The most recognizable framework. Every account it owns begins with an 8-byte discriminator, and the IDL is often published on-chain at a PDA derived from the program id. Both are strong, reliable fingerprints — this is the only framework we can label with confidence.
Others in the wild: Steel (Ore team — near-native performance on solana-program), Seahorse (Python → Anchor), and Poseidon & Quasar (TypeScript → Rust). Transpilers inherit their lowering target's fingerprint: a Quasar or Poseidon program that compiles down to Anchor will look like Anchor on-chain — discriminators and all.
Anchor docsFootprinti
Recovered architecturei
Reachi
Controli
What's upgrade authority?
The upgrade authority is the account allowed to replace a program's code after it's deployed.
If it's set (mutable), that key can push new bytecode at any time — including malicious code, the classic "rug" vector. If it's null (immutable / frozen), the code can never change; what 's on-chain is final. A Squads multisig sits in between — upgrades are possible but need M-of-N signers, not one hot wallet. So mutable + single hot-wallet = highest risk; immutable or multisig = stronger guarantees.
What's a verified build?
A verified build proves the program running on-chain was compiled from the public source you can read — nothing hidden.
Someone re-compiles the source in a deterministic (Docker) environment and checks the resulting bytecode is byte-for-byte identical to what's deployed; tools like solana-verify do this and record it with a verification service. "Not verified" isn't a red flag by itself — most programs simply never submit one. It just means you're trusting the deployed bytecode as-is, with no source cross-check.
Convictioni
Interface — the on-chain IDLi
4 of 10 instructions used · 6 never called in this window
Moonr referral campaign escrow program
Instructions 10
close_campaign_and_refund
- creatorsignerwritable
- campaignwritable
- vaultwritable
- system_program
create_campaign
- creatorsignerwritable
- config
- campaignwritable
- vaultwritable
- token_mint
- system_program
- campaign_idu64
- payout_per_referral_lamportsu64
- min_buy_lamportsu64
- start_tsi64
- end_tsi64
credit_referral
Verifier-signed only. See `instructions::credit_referral` for the full trust-boundary rationale.
- verifiersignerwritable
- config
- campaignwritable
- affiliate_balancewritable
- affiliate
- processed_swapwritable
- system_program
- swap_tx_sig_hash[u8; 32]
- affiliatepubkey
deposit
- creatorsignerwritable
- config
- campaignwritable
- vaultwritable
- system_program
- amount_lamportsu64
expire_campaign
- campaignwritable
initialize_config
- adminsignerwritable
- configwritable
- system_program
- verifier_authoritypubkey
- min_withdrawal_lamportsu64
request_withdrawal
Affiliate-signed only. The sole instruction that can move funds to an external wallet. See `instructions::request_withdrawal`.
- affiliatesignerwritable
- config
- campaign
- vaultwritable
- affiliate_balancewritable
- system_program
- amount_lamportsu64
set_paused
- adminsigner
- configwritable
- pausedbool
update_min_withdrawal
- adminsigner
- configwritable
- new_min_lamportsu64
update_verifier_authority
- adminsigner
- configwritable
- new_verifierpubkey
Accounts 4
AffiliateBalance
no fields
CampaignPool
no fields
Config
no fields
ProcessedSwap
no fields
Types 5
AffiliateBalancestruct
- campaignpubkey
- affiliatepubkey
- accrued_lamportsu64
- withdrawn_lamportsu64
- bumpu8
CampaignPoolstruct
- creatorpubkey
- campaign_idu64Creator-chosen nonce, allows one creator to run multiple campaigns.
- token_mintpubkeyThe memecoin mint being promoted; used to cross-check verified swaps.
- total_budget_lamportsu64
- remaining_budget_lamportsu64
- payout_per_referral_lamportsu64Fixed SOL reward per qualifying referred buy.
- min_buy_lamportsu64Minimum swap size (in lamports of SOL spent) to qualify for a payout.
- start_tsi64
- end_tsi64
- stateCampaignState
- bumpu8
- vault_bumpu8
CampaignStateenum
- Active
- Expired
- Closed
Configstruct
- adminpubkeyCan rotate the verifier authority and pause/unpause the program.
- verifier_authoritypubkeyBackend keypair authorized to submit `credit_referral`.
- min_withdrawal_lamportsu64Conservative on-chain floor for `request_withdrawal`, periodically resynced off-chain against live SOL/USD price to approximate $20.
- pausedboolEmergency kill-switch: blocks `credit_referral`, `create_campaign`, and `deposit` when true. Withdrawals and refunds always remain available so funds are never frozen for legitimate claims.
- bumpu8
ProcessedSwapstruct
- campaignpubkey
- affiliatepubkey
- amount_creditedu64
- verified_ati64
- bumpu8
Errors 17
- 6000ProgramPausedProgram is paused
- 6001UnauthorizedVerifierSigner is not the configured verifier authority
- 6002UnauthorizedCreatorSigner is not the campaign creator
- 6003CampaignNotActiveCampaign is not in the Active state
- 6004CampaignNotExpiredCampaign is not in the Expired state
- 6005CampaignNotEndedCampaign has not reached its end time yet
- 6006InvalidCampaignWindowCampaign end time must be after start time
- 6007InvalidPayoutAmountPayout per referral must be greater than zero
- 6008PayoutMismatchCredited amount does not match campaign's fixed payout per referral
- 6009BudgetExhaustedCampaign has insufficient remaining budget for this credit
- 6010SelfReferralNotAllowedAn affiliate cannot refer their own campaign
- 6011InvalidDepositAmountDeposit amount must be greater than zero
- 6012InsufficientClaimableBalanceWithdrawal amount exceeds claimable balance
- 6013BelowMinimumWithdrawalWithdrawal amount is below the minimum withdrawal threshold
- 6014VaultUnderfundedVault has insufficient lamports to cover this transfer
- 6015ArithmeticOverflowArithmetic overflow
- 6016AccountingUnderflowArithmetic underflow in balance accounting
What's an IDL?
An IDL — Interface Description Language — is a JSON spec that describes how to talk to a program: its instructions, the accounts each one needs, argument and account types, events, and errors.
Anchor auto-generates it at build time. A program can publish it on-chain at a PDA derived from its id, so any client or explorer can decode the program's transactions without its source code.
Why it's often missing
Publishing is opt-in — a courtesy, not a requirement. Many programs never do, and non-Anchor frameworks (Pinocchio, native, Steel) don't produce one at all; their interface lives in an off-chain Shank/Codama artifact, or nowhere public. Absence means you can't auto-decode it — not that anything is wrong.
4 of 10 instructions used · 6 never called in this window · +1 more