Account Extensions — Building Fort Knox on Solana

or why a Trilemma may actually be a Pyramid

Juergen Strauss
11 min read · Feb 29, 2024

Lessons learned from History

Which was the first war the young United States of America fought? Well, they battled the Pascha of Tripoli between 1801 and 1805. Wait a minute, the Pascha of Tripoli? What on earth does this have to do with blockchain?

More than you might think. The absence of the European powers, entangled in the Napoleonic wars, let the pirates of the North African coast do their business. Everyone relying on the freedom of trade had to bribe the protecting Paschas, and the Paschas did what they are known for: they wanted more. This eventually made the young, fragile nation send its ships across the Atlantic to fight for the freedom of trade in the Mediterranean.

This is just one of the weirder examples of a pattern we see in history over and over again. The absence of a central power securing the trade routes allows pirates at sea and highwaymen on the roads to extort their tolls from the merchants and thus strangle trade.

The so-called Roman Peace was a period of some 500 years in which the empire secured the trade routes, and trade was followed by science and skills. When the empire fell apart, the medieval dark age followed, and European societies needed many centuries to reach again the Roman level of art, building, writing, sports and other cultural disciplines. In the meantime the united societies on the southern side of the Mediterranean thrived, and Cordoba, their stronghold on the European continent, had more inhabitants than London and Paris combined and provided advanced public schools and health care for its citizens.

Pirates in the Blockchain space

The absence of a central power is a problem? Yes, it is. In Web3, it cannot be overlooked. Scammers are the pirates of the virtual sea. The fact that they get shelter from malicious powers is nothing new, either. Just think of the buccaneers in Caribbean waters being protected by the British, French and Dutch Crowns to weaken the dominant power of Spain in the 17th century, until the pirates started to direct their weapons against their protectors. Nowadays the powers of Web2 such as Twitter (aka X) and Google fill their pockets by sending advertisements for scammers to our screens more than for any other business sector.

Security in the Blockchain Trilemma

When we talk about the security part of the blockchain trilemma, consisting of scalability, decentralization and security, the main focus is on the security of block production. The security of user accounts is badly neglected, overlooking the reason why banks, or tradfi in general, started to exist: first and foremost, it was all about protecting their customers’ nuggets.

Now blockchain exponents talk about onboarding a billion users without anything like the walls, bars, safes, keys, alarm systems, police and courts of the real world. One of the obvious outcomes has been seen after the release of the spot ETFs: people move their assets off-chain and put them into ETFs. On chain remain the select few who know how to navigate the dangerous waters. The cost of security in Web3 is higher than the fees of tradfi or the various threats of centralized exchanges.

On-Chain User Account Security Measures on the Solana Blockchain

What do we have?

  1. Account .sol names are great to make sure you send funds to the correct account.
  2. Multi-signature wallets support the signing of contracts by groups of people.
  3. Hardware wallets protect the private keys.
  4. Decentralized efforts of wallet developers protect their users from malicious contracts.

That’s about it, please do your own research, take care when signing a transaction and don’t mind those 300 spam NFTs, thank you.

What would we need?

Instead of a trilemma, we may find another pattern about the evolutionary needs of a blockchain and refer to the Maslow Pyramid of human needs. (https://en.wikipedia.org/wiki/Maslow's_hierarchy_of_needs).

With every level fulfilled, we move up to the next level. So, we can adapt this and call it the Pyramid of Blockchain Evolution.

Pyramid of Blockchain Evolution

The key word we want to focus on here is Standards. Standards are widely underestimated in their importance, because they tend to be boring. But it wasn’t maximal power transmission that enabled the billion lamps, it was plugs and sockets. Things get easier when we look at security from that angle: security is not about preventing things, but about enabling safe use cases people would not adopt without trust. Security enables trust, the most valuable currency in human interactions. I trust my ability to plug in a lamp, but I would not trust my ability to wire some new device. The perfect trustless environment creates the most trustful experience.

In a decentralized world, we replace the firepower of an empire with the on-chain standards of a protocol. To define the standards, we need the current empire, consisting of Solana Labs and the Foundation. They have shown their ability to tackle standardization issues, token extensions being the latest. Now they need a step of awareness, since they are builders, and builders enable things and are not made to prevent things. In that light, the cNFT spam finds its equivalent in the so-called ILOVEYOU virus of early Outlook in May 2000, which immediately enforced a complete change of security culture within Microsoft. That’s exactly what we need for Solana, too.

The four main vectors of action are

  1. Economies of cheating and security, consisting of raising the cost of cheating and lowering the cost of protection through the creation of a decentralized security marketplace
  2. Technical protection using account extensions and security fees
  3. Community measures
  4. Set the institutional framework for security

Economies of cheating

Cheating is obviously a lucrative business, and Solana is a particularly rewarding place. Cheating must become more expensive and the rewards smaller, up to the point where the pirates give up on Solana and move to more rewarding spots, or return to growing vegetables and sheep, and their supporters lose their grip on the evolving space. We have a competition on security among chains, and only the safest ones will gain mass adoption. Insecure spaces will see a mass exodus. We have all seen how savers reacted to security doubts about their funds in 2023, finishing Silicon Valley Bank and Credit Suisse. We will see more of the same in the blockchain space.

Raising the cost of cheating

Validators need to deposit their stake for block production security. Malicious actors get slashed. We lack a similar concept for

  • Scammers sending tokens and NFTs
  • Smart contracts

As is well known, Toly has supported on several occasions a solution against spam where it is OK to send him mails if the sender pays a certain fee for it. We could adapt this solution. To send large amounts of NFTs to wallets, you need to deposit a certain fund, like a stake. If certain thresholds of burns happen, this stake gets slashed and distributed to the burners.

If I publish a smart contract, I can deposit a guarantee fund with it. If the contract breaks rules discussed further down, that guarantee fund gets slashed in favor of the user account. In the new account extensions we define the minimal guarantee fund we expect from a smart contract to be eligible to interact with my account.

Lowering the cost of security and creating a security marketplace

An interesting solution I came across on Twitter by user Slorg: Lighthouse Protocol. Check out https://github.com/Jac0xb/lighthouse

The idea is to inject a security step at the wallet level. The wallet executes the contract simulation and, out of its results, produces a set of assertions which are checked after the smart contract execution, causing the transaction to fail if its result is not as announced in the simulation.
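The simulate-then-assert flow described above, as an added Python illustration that is not Lighthouse’s own code: the toy ledger, the program callables and the balances are constructed, and the "diverging" program only models a run whose real outcome differs from its dry run.

```python
from dataclasses import dataclass
from typing import Callable

# Toy ledger: token balances per account. Constructed sample state, not real chain data.
Ledger = dict[str, int]
Program = Callable[[Ledger], None]

@dataclass
class Assertion:
    account: str
    expected: int
    def holds(self, ledger: Ledger) -> bool:
        return ledger.get(self.account, 0) == self.expected

def simulate(ledger: Ledger, program: Program, watched: list[str]) -> list[Assertion]:
    """Dry-run on a copy and turn the post-state the wallet showed the user into assertions."""
    scratch = dict(ledger)
    program(scratch)
    return [Assertion(a, scratch.get(a, 0)) for a in watched]

def execute_guarded(ledger: Ledger, program: Program, assertions: list[Assertion]) -> bool:
    """Run for real, then verify every assertion; one failed assertion reverts the whole transaction."""
    snapshot = dict(ledger)
    program(ledger)
    if all(a.holds(ledger) for a in assertions):
        return True
    ledger.clear()
    ledger.update(snapshot)     # atomic revert: a failed transaction leaves no state change
    return False

def honest_payment(ledger: Ledger) -> None:
    ledger["user"] -= 10
    ledger["dapp"] = ledger.get("dapp", 0) + 10

class DivergingProgram:
    """Constructed model of a program whose real run differs from its dry run
    (a bug, or state that changed between simulation and execution)."""
    def __init__(self) -> None:
        self.calls = 0
    def __call__(self, ledger: Ledger) -> None:
        self.calls += 1
        amount = 10 if self.calls == 1 else ledger["user"]   # second run moves everything
        ledger["user"] -= amount
        ledger["dapp"] = ledger.get("dapp", 0) + amount

def run_scenario(program: Program) -> tuple[bool, int]:
    """Simulate, derive assertions, execute guarded; return (committed?, user's final balance)."""
    ledger: Ledger = {"user": 100}
    assertions = simulate(ledger, program, ["user", "dapp"])
    return execute_guarded(ledger, program, assertions), ledger["user"]
```

The honest program commits and leaves the user with 90; the diverging one trips the balance assertion and the user keeps all 100.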

Lighthouse Protocol is an unfunded community effort, thus depending on the initiative of some enthusiasts. These people need to be rewarded generously, lowering their cost to provide us with the best of security: a security fee on the Solana protocol level. As a result, I could opt into security programs like Lighthouse Protocol and pay them that fee. Depending on the type and value of my account, I would possibly add several such programs to go through my transactions before final execution. With the fees from a wide community, these security providers can sustain themselves and flourish. Since we can opt into a variety of such security programs, a lively marketplace for security will be created.

That fee could be extended further: some of the fee or a guarantee fund of the security provider might serve as an insurance fund. Since every hack happens for the first time once, at least one individual suffers a loss. So that insurance fund might serve to cover the victims of a hack before the security providers close the hole.

Technical protection

Standards for Account Metadata

The token extensions have laid the path to follow. By defining those extensions on chain, every program can rely on their existence, and only the Solana system programs manipulate them. We follow this path for account extensions here, opening up a set of new properties on the user accounts. In addition, we probably need some kind of publish-subscribe model for opting into security schemes, whitelists, audits and so on. We might call them account subscriptions. So a user account can have a set of such subscriptions, each with a security program counterparty and a set of subscription parameters, including the fee for each transaction or transaction type. Typically, a user opts into these by signing a subscription transaction which adds it to the account.

Since blockchain space costs rent, more secure accounts will be more expensive, which makes economic sense and is a source of revenue for the protocol itself as well as for the publishers.

Let’s get the wording straight:

  • Account rules is the concept of protecting accounts through a set of rules.
  • Account extensions provide the implementation framework for those rules.
  • Account subscriptions are a type of rule that connects accounts and security providers.

Account extensions

  1. Parent-child relation between accounts: On creation of an account, a parent-child relation between accounts can be added. The parent account controls the metadata of the child account, allowing a separation of power and functionality between accounts.
  2. Security extensions like the Lighthouse Protocol: As described above, they can be opted into, and the assertions ought to be executed after all state changes and without any chance to perform a state change themselves.
  3. Send and receive only accounts: By setting an on-chain property for an account, it can’t do any other action than sending and receiving tokens and NFTs. An optional property would be to assign another wallet to which alone it can send and from which alone it can receive. Thus, I can build a chain of protection. Even if one wallet gets hacked, I still control the one before and the one after.
  4. Account delegation for harvesting rewards: Holding NFTs, LPs, staking and other things qualify wallets for rewards. Sometimes these get sent to wallets, but sometimes we need to visit a page we have never been to before and sign a transaction. That’s the risky bit which probably gets exploited the most. So, what we need is the ability to assign a courier wallet that is allowed to collect rewards on behalf of the rewarded account. That courier wallet will be a burner wallet.
  5. Time & amount limits: Set properties for an account such that not more than a value of x over time y can be withdrawn. This should be combined with some parent-child relation between two accounts, thus giving parents the ability to distribute their kids’ pocket money, or an insurance the ability to pay a pension at once or in yearly chunks, and many more use cases.
  6. Restricted signature account: There are several possible restrictions, like a minimal whitelist rating, audit requirements, open source, a minimal number of transactions since the last program update or a minimal guarantee fund.
  7. Receive restriction: An account can only receive a token or NFT when a placeholder for the sending program is in the wallet. That placeholder is transferred earlier on when actively interacting with the providing program.
  8. Pass-through account: A transaction sends items from both parties to an intermediate account, and the result needs to be confirmed again by both parties, else it gets reversed after a predefined number of epochs.
  9. Untransferable account ownership: A property defines that a wallet’s ownership can’t move. This is a response to one of the latest hacks, where a smart contract could change the ownership of a wallet.
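A toy model of account rules kept as account metadata, added here as an illustration of extensions 1, 3, 5 and 9 and not a Solana program: the field layout, the slot-based sliding window and the account names are assumptions, and the pocket-money scenario is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class AccountRules:
    parent: str | None = None                # only the parent may edit these rules (extension 1)
    peer: str | None = None                  # sole send partner in a chain of wallets (extension 3)
    limit: tuple[int, int] | None = None     # (max amount, window in slots) (extension 5)
    owner_locked: bool = False               # ownership cannot be moved (extension 9)
    history: list[tuple[int, int]] = field(default_factory=list)  # (slot, amount) of allowed sends

Rules = dict[str, AccountRules]

def set_rules(rules: Rules, account: str, signer: str, new: AccountRules) -> bool:
    """Rule metadata is edited by the parent account, never by the (possibly compromised) child."""
    current = rules.get(account)
    if current is not None and current.parent is not None and signer != current.parent:
        return False
    new.history = current.history if current else []
    rules[account] = new
    return True

def check_send(rules: Rules, sender: str, receiver: str, amount: int, slot: int) -> str | None:
    """Return None if the transfer passes, else the name of the blocking rule; records passing sends."""
    r = rules.get(sender)
    if r is None:
        return None
    if r.peer is not None and receiver != r.peer:
        return "peer"
    if r.limit is not None:
        cap, window = r.limit
        spent = sum(a for s, a in r.history if slot - s < window)   # sliding window over past sends
        if spent + amount > cap:
            return "limit"
    r.history.append((slot, amount))
    return None

def change_owner(rules: Rules, account: str) -> bool:
    """An owner-locked account rejects any ownership change, whoever signs for it."""
    r = rules.get(account)
    return not (r is not None and r.owner_locked)

def pocket_money_demo() -> tuple:
    rules: Rules = {}
    set_rules(rules, "kid", "mum", AccountRules(parent="mum", limit=(50, 100)))
    self_edit = set_rules(rules, "kid", "kid", AccountRules())      # child tries to drop its limit
    first = check_send(rules, "kid", "shop", 30, slot=1)
    second = check_send(rules, "kid", "shop", 30, slot=50)         # 30 + 30 > 50 inside the window
    third = check_send(rules, "kid", "shop", 30, slot=120)         # window has rolled over
    rules["vault"] = AccountRules(owner_locked=True)
    return self_edit, first, second, third, change_owner(rules, "vault")
```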

Aligning Community Efforts

These account extensions lay the technical ground for improved community efforts. Marketplaces start to exist for security programs, whitelist activities and auditing activities, all of which can be sustained through the subscription fees.

So here are a few ideas where the community could contribute:

  1. Human wallet recognizer: To include community members and separate them from spammers and bots, we need a way to separate the good from the bad. For things like whitelisting, only long-time, widely experienced human wallets qualify. With the help of on-chain data and some smart algorithms and AI, this should be possible.
  2. Whitelisted contracts: There are several ways to qualify a certain contract, like the number of successful executions, the value of funds moved through it, and the time and number of transactions since the last program update. I suggest that such online stats should be maintained on the protocol level as a state of the program. The wallet providers could add user feedback, such as a rating from -2 to +2 with some nice little icons after the execution of a transaction. That rating gets stored online as a state of the program which subscriptions can build on.
  3. Whitelist NFTs: Valuable NFTs get whitelisted by the community, and on the wallet level there could be a burn protection to prevent users from accidentally burning their valuable NFTs, like the Orca Whirlpool NFT or a Tensorian.
  4. Contract insurance fund: A program can offer an insurance fund for incidents where people run into undetected bugs or exploits. Here would be a role for the security council explained further down.
  5. KYS: Know your supplier. Program declaration with a delegation mechanism to a selection of KYC platforms, so that some kind of KYC as a service can exist as another marketplace.

The Solana Security Council

For all issues that can’t be solved by technical measures or community initiatives, we need an institution overseeing the action, filling the gaps and coordinating the actors. Not every incident that happens for the first time can be resolved immediately by perfectly fixing code, so humans are still needed. There should be some DAO of DAOs of the Solana space, with some of the brightest minds and lots of experience, taking care of the security aspect of the above standards.

There should be some kind of police or court in the Solana space, helping those who were damaged get refunded, overseeing the correct use of insurance funds and so on.

Final words

Many thanks to the reader who made it this far for following my thoughts. I hope you have enjoyed some of it, and maybe it even inspired you to read a good history book. Let me recommend a unique reading experience like

Howard W. French’s Born in Blackness: Africa, Africans, and the Making of the Modern World, 1471 to the Second World War or

David Abulafia The Mediterranean in History

These two books inspired the historian’s thoughts above the most. My limited technical understanding was mostly informed by texts and interviews from Helius’ Mert and GenesysGo’s Frank, the Solana Breakpoint sessions and one or the other piece of documentation, combined with context provided by Google’s Gemini.

About the author

The author is a professional software developer, an economist, a hobby historian and a happy early investor living in the central Alps of Europe. In this region of Europe there is a different level of security than in most parts of the world. Governments take care of everyone in trouble, health care and unemployment insurance are normal, and policemen talk.

The author follows Twitter and participates in Discord under the pseudonym EmuLuzern.
