IT Insights

If you are thinking about starting to develop your own code on Solana, you might feel some anxiety and resistance at first. The safety net that other platforms have in case of a mistake, like a rollback of a SQL transaction on a relational database, is missing and money might be lost permanently. But as long as you are aware of this, the main prize is that you are in full control of your assets, you and you alone. Consider anxiety as a good advisor in the background that helps building your system with security and resilience.

In this post I share some insights I gained during my building activities on the Solana platform. These could be quite helpful in avoiding beginner mistakes and getting off to a good start.

What programming language to use

Rust

Rust on Solana is the primary programming language used to write on-chain programs (smart contracts) for the Solana blockchain. Rust’s strict compile-time memory management (without a garbage collector) is notoriously difficult to master. Apart from that, in this low-level specialist language you must implement all security checks and serializing/deserializing yourself. Unless you want to create complex programs for smart contracts, I would advise to use an SDK built on the Rust programs in a higher-level language like Python or TypeScript.

Python

I love Python for its syntax readability and very extensive software library. It would therefore be my preference, but if you seriously want to create tokens expanded with Solana innovations like the metadata extension in Python, you will soon enough notice that the Python SDK (solana.py) is not sufficiently supporting the underlying Rust programs in the fast-moving Solana ecosystem. Despite moving low level by manually serializing/deserializing instructions and account data using for instance the borsh parser, my personal experience was that I ran into the same error messages over and over again.

TypeScript (or JavaScript?)

I would instantly advise TypeScript from a security and data accuracy perspective. JavaScript is the leading choice in web development frameworks, however, don’t use it if you consider yourself a serious blockchain programmer. Solana interactions require strict handling of complex data types, such as 32-byte Pubkeys (addresses), u64 numbers (for token amounts), and binary instruction data. Unlike JavaScript, TypeScript allows you to explicitly define the types for all variables and function arguments. In JavaScript, type errors would only appear during runtime, while in TypeScript they are already detected during compilation, which prevents potentially costly errors in production.

And most important: Unlike with the Python SDK, the latest innovations in Solana are supported for TypeScript, like the @solana/kit library (also built in TypeScript).

What security measures to take

• Always perform proper testing. Use the solana-test-validator for initial integration tests, making use of a localhost implementation of the Solana blockchain. After that you can further deploy on Devnet and Testnet, and finally on the Solana Mainnet.

• Validate everything in your code, the environment URL you are running on, the addresses you use, the SOL calculations from Lamports, etcetera.

• NEVER hardcode any program IDs or addresses, but extract them from a secure location.

• Define a freeze authority and/or a close authority to be able to quickly block or delete a token account in case of emergency.

• When on the Solana Mainnet, always sign from your wallet on a hardware ledger, like the Ledger Nano S Plus. Here the signing happens inside your hardware device where your private key is located. For production, NEVER use a wallet extension in your browser, it will be detected and taken over by search bots in a flash.

• On Mainnet, NEVER create a new signer account (like a mint authority) on the fly in your code, especially not from a web-application wrapper. There is a good chance that its key pair will be sniffed out and stolen. Create the signer securely in advance and when you want to use it in your code, extract it from a secure location.

• NEVER reuse a retrieved recent blockhash, for instance by storing it in a variable. Always rerun the getLatestBlockhash function immediately before signing a transaction. Old blockhashes may stay valid for enough time to risk double spending.

• It goes without saying, but I’ll say it anyway: be aware of the potential security issues on your local machine.

Futher considerations

• Keep notice of possible rent exemption on your accounts. They might be closed unexpectedly because of that.

• Build a proper error (exception) handling/logging into your code. These will prove to be of infinite use when transactions fail with obscure errors.

• Define an upgrade authority. You might want to adjust your token data for whatever reason.

• Use the new @solana/kit library in your code as much as possible over the old @solana/web3.js. Even better is to make use of the Gill library, built on top of @solana/kit. Gill is very useful in abstracting away a lot of code syntax required for @solana/kit.

In conclusion: good programming and have fun!