Firstance — pump.fun Automated Vault
Lineagei
Frameworki
What's Anchor?
Batteries-included Rust framework. Ships account-validation codegen, 8-byte instruction discriminators, and an on-chain IDL — the program describes itself.
Bigger binary and higher rent in exchange for safety rails, introspection, and dev speed. The choice of a team optimizing for correctness over on-chain footprint.
Originally Coral (Armani Ferrante); now community-maintained.
What it is
The de facto standard. Rust macros (#[program], #[derive(Accounts)]) eliminate boilerplate: it auto-generates 8-byte account and instruction discriminators — SHA256("account:<Name>")[..8] and SHA256("global:<ix>")[..8] — handles Borsh (de)serialization, enforces account constraints declaratively (mut, has_one, seeds, init), and emits a JSON IDL that client libraries consume directly. The cost: Borsh copies data on every deserialize (not zero-copy), and the macro machinery adds binary bloat and compute overhead — irrelevant for ~99% of programs.
When to pick it
Building a new protocol, moving fast, or wanting maximum ecosystem compatibility. It's the beginner default and stays the right call for most production programs.
How it looks on-chain
The most recognizable framework. Every account it owns begins with an 8-byte discriminator, and the IDL is often published on-chain at a PDA derived from the program id. Both are strong, reliable fingerprints — this is the only framework we can label with confidence.
Others in the wild: Steel (Ore team — near-native performance on solana-program), Seahorse (Python → Anchor), and Poseidon & Quasar (TypeScript → Rust). Transpilers inherit their lowering target's fingerprint: a Quasar or Poseidon program that compiles down to Anchor will look like Anchor on-chain — discriminators and all.
Anchor docsFootprinti
Recovered architecturei
Reachi
Controli
What's upgrade authority?
The upgrade authority is the account allowed to replace a program's code after it's deployed.
If it's set (mutable), that key can push new bytecode at any time — including malicious code, the classic "rug" vector. If it's null (immutable / frozen), the code can never change; what 's on-chain is final. A Squads multisig sits in between — upgrades are possible but need M-of-N signers, not one hot wallet. So mutable + single hot-wallet = highest risk; immutable or multisig = stronger guarantees.
What's a verified build?
A verified build proves the program running on-chain was compiled from the public source you can read — nothing hidden.
Someone re-compiles the source in a deterministic (Docker) environment and checks the resulting bytecode is byte-for-byte identical to what's deployed; tools like solana-verify do this and record it with a verification service. "Not verified" isn't a red flag by itself — most programs simply never submit one. It just means you're trusting the deployed bytecode as-is, with no source cross-check.
Security.txti
What's a security.txt?
A block of contact info a developer embeds directly in the program binary — the Neodyme convention — so whitehats know how to report a vulnerability.
It carries contacts, a disclosure policy, auditors, and a source link. It's self-declared, so treat it as a claim, not proof — but its presence signals a team that expects scrutiny and wants to be reachable.
Convictioni
Interface — the on-chain IDLi
pump.fun automated vault + rule engine
Instructions 9
evaluate_and_execute
Daily evaluation + tiered sale (permissionless). `slippage_bps`: the keeper's adaptive slippage (0..400 = 4%; the program enforces the upper bound).
- callersigner
- vaultwritable
- bonding_curve
- pyth_sol_usd
- slippage_bpsu16
finalize_burn
Burn all remaining tokens (permissionless).
- callersigner
- vaultwritable
- vault_signer
- token_mintwritable
- vault_token_accountwritable
- token_program
initialize
Initialize the vault, deposit the allocation, lock in the rules.
- authoritysignerwritable
- token_mint
- bonding_curve
- pyth_sol_usd
- vaultwritable
- vault_signerwritable
- vault_token_accountwritable
- source_token_accountwritable
- token_program
- associated_token_program
- system_program
- allocationu64
- total_supplyu64
- proceeds_recipientpubkey
set_paused
- authoritysigner
- vaultwritable
- pausedbool
withdraw_proceeds
- callersigner
- vault
- vault_signerwritable
- wsol_mint
- wsol_atawritable
- proceeds_recipientwritable
- token_program
- system_program
decommission
Fully close the vault: all rent + fee reserve + remaining proceeds to proceeds_recipient.
- authoritysigner
- vaultwritable
- vault_signerwritable
- token_mintwritable
- vault_token_accountwritable
- wsol_mint
- wsol_atawritableoptional
- proceeds_recipientwritable
- token_program
- wsol_token_program
- system_program
sweep_native
Sweep the vault's native SOL (non-WSOL), except the fee reserve, to the FIXED proceeds_recipient.
- callersigner
- vault
- vault_signerwritable
- proceeds_recipientwritable
- system_program
forward_stablecoin
Forward stray USDC/USDT in the vault to the FIXED proceeds_recipient (any phase).
- callersigner
- vault
- vault_signerwritable
- stray_mint
- stray_atawritable
- recipient_atawritable
- token_program
burn_stray_token
Burn a junk stray token (only after $100M/Terminal).
- callersigner
- vault
- vault_signerwritable
- stray_mintwritable
- stray_atawritable
- token_program
Accounts 1
VaultState
no fields
Types 2
Phaseenum
- Day1Watch
- Active
- Terminal
- Burned
- LiquidatedAll
VaultStatestruct
- authoritypubkeyAuthority: only initialize / emergency stop. CANNOT change the rules.
- proceeds_recipientpubkey
- token_mintpubkeyTarget SPL token mint.
- bonding_curvepubkeypump.fun bonding curve account (reserves are read from here).
- pyth_sol_usdpubkeyPyth SOL/USD price account.
- initial_allocationu64Amount received at launch. FIXED base - all daily percentages are based on this.
- tokens_remainingu64Current balance remaining in the vault.
- cumulative_soldu64Total sold so far.
- launch_tsi64Launch time (unix).
- last_sale_tsi64The time today's tier-sale DAY started (24h window lock). New day: now - last_sale_ts >= ONE_DAY -> the intra-day slice counter resets.
- daily_slices_doneu16Number of intra-day tier slices executed today (0..DAILY_SLICES). For slippage the daily amount is split into 5 slices; resets every day.
- last_intraday_slice_tsi64Time of the last intra-day tier slice (min interval lock between slices).
- total_supplyu64Total token supply (for the marketcap calculation).
- phasePhaseCurrent phase.
- pausedbool
- bumpu8vault_state PDA bump (seeds ["vault", mint]).
- signer_bumpu8vault_signer PDA bump (seeds ["signer", mint]). The sale authority + token/WSOL ATA owner. NEVER initialized -> stays System-owned + 0 data; pump SellV2 can pull native SOL fees from it. See HANDOFF "SECOND CRITICAL FINDING".
Errors 22
- 6000AlreadySoldTodayAlready sold today (1-per-day limit)
- 6001SliceTooSoonToo soon since the last intra-day slice (interval not elapsed)
- 6002InvalidPhaseVault is in an invalid/finished phase
- 6003StaleOracleOracle price is stale or the confidence interval is too wide
- 6004NothingToSellNo tokens to sell
- 6005MathOverflowMath overflow
- 6006InvalidOracleAccountInvalid oracle/curve/pool account (owner, discriminator, or layout)
- 6007WrongPriceFeedPyth account is not the expected SOL/USD feed
- 6008UnverifiedOraclePyth price is not fully verified (not VerificationLevel::Full)
- 6009PoolRequiredCurve has graduated: the canonical PumpSwap pool accounts (3) are required
- 6010InvalidSellAccountsInvalid sell account list (order/address mismatch)
- 6011UnsupportedQuoteMintUnsupported quote mint: the vault only supports WSOL-quote tokens (not USDC, etc.)
- 6012MayhemNotSupportedMayhem coin is not supported: the vault cannot be set up on a mayhem-mode coin
- 6013PausedVault is in emergency-stop (pause) mode: sales are halted
- 6014UnauthorizedUnauthorized: only the vault authority may perform this operation
- 6015NoProceedsNo proceeds to withdraw (WSOL ATA is empty)
- 6016WrongRecipientProceeds recipient does not match proceeds_recipient in state
- 6017VaultNotEmptyVault still holds tokens: for decommission all tokens must be sold/burned
- 6018StrayIsMainTokenThis operation cannot be applied to the main vault token (it is handled by the normal rules)
- 6019NotAStablecoinforward_stablecoin is only for USDC/USDT; this mint is not a stablecoin
- 6020CannotBurnStablecoinStablecoins (USDC/USDT) cannot be burned - use forward_stablecoin to send them to your recipient
- 6021StrayBurnBeforeTerminalStray token burns can only be done after the vault reaches Terminal ($100M)
What's an IDL?
An IDL — Interface Description Language — is a JSON spec that describes how to talk to a program: its instructions, the accounts each one needs, argument and account types, events, and errors.
Anchor auto-generates it at build time. A program can publish it on-chain at a PDA derived from its id, so any client or explorer can decode the program's transactions without its source code.
Why it's often missing
Publishing is opt-in — a courtesy, not a requirement. Many programs never do, and non-Anchor frameworks (Pinocchio, native, Steel) don't produce one at all; their interface lives in an off-chain Shank/Codama artifact, or nowhere public. Absence means you can't auto-decode it — not that anything is wrong.
Tractioni
The recordi
| Event | When | Detail | Receipt |
|---|---|---|---|
| DEPLOY | 3d ago | slot 431,979,938 | poll…9938 |