Defyne Private Program
Lineagei
Frameworki
What's Anchor?
Batteries-included Rust framework. Ships account-validation codegen, 8-byte instruction discriminators, and an on-chain IDL — the program describes itself.
Bigger binary and higher rent in exchange for safety rails, introspection, and dev speed. The choice of a team optimizing for correctness over on-chain footprint.
Originally Coral (Armani Ferrante); now community-maintained.
What it is
The de facto standard. Rust macros (#[program], #[derive(Accounts)]) eliminate boilerplate: it auto-generates 8-byte account and instruction discriminators — SHA256("account:<Name>")[..8] and SHA256("global:<ix>")[..8] — handles Borsh (de)serialization, enforces account constraints declaratively (mut, has_one, seeds, init), and emits a JSON IDL that client libraries consume directly. The cost: Borsh copies data on every deserialize (not zero-copy), and the macro machinery adds binary bloat and compute overhead — irrelevant for ~99% of programs.
When to pick it
Building a new protocol, moving fast, or wanting maximum ecosystem compatibility. It's the beginner default and stays the right call for most production programs.
How it looks on-chain
The most recognizable framework. Every account it owns begins with an 8-byte discriminator, and the IDL is often published on-chain at a PDA derived from the program id. Both are strong, reliable fingerprints — this is the only framework we can label with confidence.
Others in the wild: Steel (Ore team — near-native performance on solana-program), Seahorse (Python → Anchor), and Poseidon & Quasar (TypeScript → Rust). Transpilers inherit their lowering target's fingerprint: a Quasar or Poseidon program that compiles down to Anchor will look like Anchor on-chain — discriminators and all.
Anchor docsFootprinti
Recovered architecturei
Reachi
Controli
What's upgrade authority?
The upgrade authority is the account allowed to replace a program's code after it's deployed.
If it's set (mutable), that key can push new bytecode at any time — including malicious code, the classic "rug" vector. If it's null (immutable / frozen), the code can never change; what 's on-chain is final. A Squads multisig sits in between — upgrades are possible but need M-of-N signers, not one hot wallet. So mutable + single hot-wallet = highest risk; immutable or multisig = stronger guarantees.
What's a verified build?
A verified build proves the program running on-chain was compiled from the public source you can read — nothing hidden.
Someone re-compiles the source in a deterministic (Docker) environment and checks the resulting bytecode is byte-for-byte identical to what's deployed; tools like solana-verify do this and record it with a verification service. "Not verified" isn't a red flag by itself — most programs simply never submit one. It just means you're trusting the deployed bytecode as-is, with no source cross-check.
Security.txti
What's a security.txt?
A block of contact info a developer embeds directly in the program binary — the Neodyme convention — so whitehats know how to report a vulnerability.
It carries contacts, a disclosure policy, auditors, and a source link. It's self-declared, so treat it as a claim, not proof — but its presence signals a team that expects scrutiny and wants to be reachable.
Convictioni
Interface — the on-chain IDLi
3 of 30 instructions used · 27 never called in this window
Instructions 30
cancel_private_transfer_sol
Lets the original sender reclaim their own escrowed SOL deposit instead of letting it relay (e.g. they made a mistake, or the relay is paused). Signed by the original sender; funds can only ever return to them.
- depositorsignerwritable
- vaultwritable
- transfer_id[u8; 16]
cancel_private_transfer_spl
Lets the original sender reclaim their own escrowed SPL token deposit instead of letting it relay. Signed by the original sender; funds can only ever return to them.
- depositorsignerwritable
- vaultwritable
- mint
- vault_authority
- vault_token_accountwritable
- depositor_token_accountwritable
- token_program
- associated_token_program
- system_program
- transfer_id[u8; 16]
deposit_pool_sol
Deposits exactly `denomination` lamports into the SOL pool, recording only a commitment hash on-chain (not the secret behind it). Signed by the depositor.
- depositorsignerwritable
- protocol
- pool
- pool_vaultwritable
- depositwritable
- system_program
- denominationu64
- commitment[u8; 32]
deposit_pool_spl
Deposits exactly `denomination` tokens into an SPL pool, recording only a commitment hash on-chain. Signed by the depositor.
- depositorsignerwritable
- protocol
- mint
- pool
- pool_vault_authority
- pool_vault_token_accountwritable
- depositor_token_accountwritable
- depositwritable
- token_program
- associated_token_program
- system_program
- denominationu64
- commitment[u8; 32]
deposit_private_transfer_sol
Step 1: sender deposits native SOL into a per-transfer escrow account, tagged with a caller-chosen transfer_id. Signed by the sender.
- depositorsignerwritable
- protocol
- recipient
- vaultwritable
- system_program
- transfer_id[u8; 16]
- amountu64
deposit_private_transfer_spl
Step 1: sender deposits SPL tokens into a per-transfer escrow token account, tagged with a caller-chosen transfer_id. Signed by the sender.
- depositorsignerwritable
- protocol
- recipient
- mint
- depositor_token_accountwritable
- vault_authority
- vault_token_accountwritable
- vaultwritable
- token_program
- associated_token_program
- system_program
- transfer_id[u8; 16]
- amountu64
fund_relayer
Moves lamports from any signer to any destination account through the program, instead of a bare wallet-to-wallet System transfer -- used by the off-chain orchestrator to seed a disposable single-use withdrawal-relayer keypair from the platform's funding wallet. Permissionless: only ever moves the signer's own lamports, same trust boundary as a plain transfer.
- fundersignerwritable
- relayerwritable
- system_program
- amountu64
initialize_protocol
One-time setup. Creates the singleton protocol config account and sets the fee-collection destination. Can only ever be called once per deployment (the config account cannot be re-initialized).
- payersignerwritable
- adminsigner
- protocolwritable
- system_program
- fee_accountpubkey
pause_protocol
Emergency stop: halts all protocol instructions except unpause and existing users' ability to cancel a pending private transfer and reclaim their own deposit. Signed by the pause authority.
- protocolwritable
- pause_authoritysigner
pause_relay
Narrower emergency stop that only blocks the relay leg of a private transfer (deposits and self-service cancellations still work). Signed by the pause authority.
- protocolwritable
- pause_authoritysigner
register_denomination_pool
Creates a new fixed-denomination pool for a given mint (or native SOL) and deposit size. Signed by the protocol admin. Only defines the pool parameters — moves no funds.
- payersignerwritable
- protocol
- adminsigner
- poolwritable
- system_program
- mintpubkey
- denominationu64
register_identity
Registers a user's X (Twitter) identity, mapping a hash of their handle to the Solana wallet that should receive funds sent to them by @-mention. Signed by the registry attestor after off-chain identity verification.
- payersignerwritable
- protocol
- registry_attestorsigner
- identitywritable
- system_program
- identity_hash[u8; 32]
- owner_walletpubkey
relay_private_transfer_sol
Step 2: releases an escrowed SOL deposit to its intended recipient, completing the private transfer. Signed by the relay authority.
- relayersigner
- protocol
- vaultwritable
- recipientwritable
- fee_accountwritable
- transfer_id[u8; 16]
relay_private_transfer_spl
Step 2: releases an escrowed SPL token deposit to its intended recipient, completing the private transfer. Signed by the relay authority.
- relayersignerwritable
- protocol
- vaultwritable
- mint
- vault_authority
- vault_token_accountwritable
- recipientwritable
- recipient_token_accountwritable
- fee_accountwritable
- fee_token_accountwritable
- token_program
- associated_token_program
- system_program
- transfer_id[u8; 16]
revoke_delegate
Removes a previously authorized delegate from an identity. Signed by the registry attestor.
- protocol
- identitywritable
- owner_walletsigner
- identity_hash[u8; 32]
revoke_identity
Removes an identity mapping from the registry, e.g. if a user disconnects their account. Does not touch the wallet's balance. Signed by the registry attestor.
- protocol
- identitywritable
- authoritysigner
- identity_hash[u8; 32]
set_decoy_enabled
Turns the protocol's decoy-transaction generator on or off. Decoy transactions are harmless no-op-value transfers the off-chain orchestrator submits alongside real private transfers purely to make on-chain traffic patterns harder to correlate with real activity — this flag never moves user funds. Signed by the decoy authority.
- protocolwritable
- decoy_authoritysigner
- enabledbool
set_delegate
Authorizes a delegate key to act on behalf of a registered identity (used by the off-chain execution engine to build/submit transactions for a user's X-triggered commands). Signed by the registry attestor.
- protocol
- identitywritable
- owner_walletsigner
- identity_hash[u8; 32]
- delegatepubkey
set_pool_enabled
Enables or disables new deposits into a pool (existing deposits can always still be withdrawn by whoever holds the matching secret). Signed by the protocol admin.
- protocol
- adminsigner
- poolwritable
- enabledbool
transfer_admin
Hands off the protocol admin role to a new authority pubkey. Must be signed by the *current* admin. Admin can pause/unpause the protocol, rotate the other authorities below, and manage denomination pools — it cannot move user funds directly.
- protocolwritable
- current_authoritysigner
- new_authoritypubkey
transfer_decoy_authority
Hands off the decoy authority (the key allowed to toggle decoy-traffic generation via set_decoy_enabled) to a new pubkey. Signed by the current decoy authority.
- protocolwritable
- current_authoritysigner
- new_authoritypubkey
transfer_fee_authority
Hands off the fee authority (the key allowed to change where protocol fees are sent, via update_fee_account) to a new pubkey. Signed by the current fee authority.
- protocolwritable
- current_authoritysigner
- new_authoritypubkey
transfer_pause_authority
Hands off the pause authority (the key allowed to call pause_protocol/unpause_protocol) to a new pubkey. Signed by the current pause authority.
- protocolwritable
- current_authoritysigner
- new_authoritypubkey
transfer_registry_attestor
Hands off the registry attestor role (the key allowed to attest/verify identity registrations) to a new pubkey. Signed by the current attestor.
- protocolwritable
- current_authoritysigner
- new_authoritypubkey
unpause_protocol
Reverses pause_protocol, resuming normal operation. Signed by the pause authority.
- protocolwritable
- pause_authoritysigner
unpause_relay
Reverses pause_relay. Signed by the pause authority.
- protocolwritable
- pause_authoritysigner
update_fee_account
Updates the account that protocol fees are paid into. Does not touch any user deposit, escrow, or pool balance. Signed by the fee authority.
- protocolwritable
- fee_authoritysigner
- new_fee_accountpubkey
update_receiving_wallet
Updates the receiving wallet a registered identity resolves to (e.g. after a user rotates their wallet). Signed by the registry attestor.
- protocol
- identitywritable
- authoritysigner
- identity_hash[u8; 32]
- new_walletpubkey
withdraw_pool_sol
Withdraws `denomination` lamports from the SOL pool to the caller. Requires revealing the `secret` that hashes to a commitment previously deposited — proves the right to withdraw without revealing which deposit transaction it came from. Each commitment can only be withdrawn once.
- relayersignerwritable
- protocol
- pool
- pool_vaultwritable
- depositwritable
- recipientwritable
- fee_accountwritable
- system_program
- denominationu64
- commitment[u8; 32]
- secret[u8; 32]
withdraw_pool_spl
Withdraws `denomination` tokens from an SPL pool to the caller by revealing the `secret` behind a previously deposited commitment. Each commitment can only be withdrawn once.
- relayersignerwritable
- protocol
- mint
- pool
- pool_vault_authority
- pool_vault_token_accountwritable
- depositwritable
- recipient
- recipient_token_accountwritable
- fee_accountwritable
- fee_token_accountwritable
- token_program
- associated_token_program
- system_program
- denominationu64
- commitment[u8; 32]
- secret[u8; 32]
Accounts 5
DenominationPool
no fields
Identity
no fields
PoolDeposit
no fields
PrivateTransferVault
no fields
ProtocolState
no fields
Types 5
DenominationPoolstruct
- mintOption<pubkey>None = native SOL, Some(mint) = an SPL token pool.
- denominationu64
- enabledbool
- bumpu8
Identitystruct
- identity_hash[u8; 32]
- owner_walletpubkey
- delegateOption<pubkey>
- revokedbool
- attestorpubkey
- created_ati64
- updated_ati64
- bumpu8
PoolDepositstruct
- commitment[u8; 32]
- mintOption<pubkey>
- denominationu64
- depositorpubkey
- deposited_ati64
- bumpu8
PrivateTransferVaultstruct
- transfer_id[u8; 16]
- depositorpubkey
- recipientpubkey
- mintOption<pubkey>None = native SOL, Some(mint) = an SPL token vault.
- amountu64
- depositedbool
- relayedbool
- bumpu8
ProtocolStatestruct
- adminpubkey
- pause_authoritypubkey
- registry_attestorpubkey
- fee_authoritypubkey
- fee_accountpubkey
- decoy_authoritypubkey
- registry_pausedbool
- relay_pausedbool
- decoy_enabledboolIndependent of `relay_paused` so decoy traffic can be switched off (e.g. once organic volume is sufficient) without halting real sends.
- bumpu8
Errors 20
- 6000RegistryPausedThe identity registry is currently paused
- 6001RelayPausedThe private-relay vault flow is currently paused
- 6002IdentityRevokedThis identity has been revoked and can no longer be used
- 6003UnauthorizedThe signer is not authorized to perform this action
- 6004InvalidAmountAmount must be greater than zero
- 6005InvalidRecipientRecipient cannot be the same account as the depositor
- 6006MathOverflowArithmetic overflow or underflow
- 6007AlreadyDepositedThis transfer has already been deposited
- 6008NotDepositedThis transfer has not been deposited yet
- 6009AlreadyRelayedThis transfer has already been relayed
- 6010MintMismatchThe provided mint does not match the vault's recorded mint
- 6011RecipientAccountMismatchThe provided recipient token account does not belong to the vault's recipient
- 6012FeeAccountMismatchThe provided fee token account does not belong to the protocol fee account
- 6013NotDepositorOnly the original depositor can cancel an un-relayed transfer
- 6014PoolDisabledThis denomination pool is not enabled
- 6015PoolMintMismatchThe provided mint does not match the pool's mint
- 6016PoolDenominationMismatchThe provided denomination does not match the pool's denomination
- 6017WithdrawTooEarlyThis deposit is not old enough to withdraw yet
- 6018DecoyDisabledDecoy traffic is currently disabled
- 6019InvalidSecretThe provided secret does not match the deposit's commitment
What's an IDL?
An IDL — Interface Description Language — is a JSON spec that describes how to talk to a program: its instructions, the accounts each one needs, argument and account types, events, and errors.
Anchor auto-generates it at build time. A program can publish it on-chain at a PDA derived from its id, so any client or explorer can decode the program's transactions without its source code.
Why it's often missing
Publishing is opt-in — a courtesy, not a requirement. Many programs never do, and non-Anchor frameworks (Pinocchio, native, Steel) don't produce one at all; their interface lives in an off-chain Shank/Codama artifact, or nowhere public. Absence means you can't auto-decode it — not that anything is wrong.
3 of 30 instructions used · 27 never called in this window
Tractioni
Code familyi
The recordi
| Event | When | Detail | Receipt |
|---|---|---|---|
| UPGRADE | 8h ago | slot 432,641,056 | poll…1056 |
| DEPLOY | 13h ago | slot 432,596,455 | poll…6455 |
| SIBLING DEPLOY | 14h ago | Defyne Private Program closed | same code, fresh id |