Tech & security

Nine Anchor programs. Seven frontend verticals. One fee rail. Every upgrade path, pause switch, and chat message is signed on-chain or in a wallet.

This page is for VCs doing technical DD and developers skimming scope. Snapshots show devnet state. Mainnet architecture is the same minus: audited programs, Squads multisig signers on hardware keys, and staged position caps.

—

Creators

—

Plans

—

Events (legacy)

—

Events (cNFT)

—

Licenced issuers

—

RWA assets

—

Listings

—

OTC deals

—

Auctions

Live on-chain counts — refresh on page load. Full activity feed at /stats.

Programs

On-chain — nine Anchor programs

All nine compile on Anchor 1.0 with Solana 2.x tooling. 110+ LiteSVM tests pass locally; every program publishes a security.txt metadata section for contact on disclosure. Seven handle value flows and carry a global paused kill-switch admin instruction.

tip_jarCreator tips

CreatorProfile PDA + Token-2022 vault. ElGamal pubkey slot reserved for V2 confidential transfers. Paused instructions: send_tip.

subscriptionRecurring billing

SPL token delegate pre-approves N cycles — subscriber one-click signs once for ~12 months. Plans + subscriptions + permissionless charge crank. Paused: subscribe, charge.

eventsLegacy PDA tickets

Original non-transferable ticket PDA. Superseded by event_tickets (cNFT). Retained for existing deployments. Paused: buy_ticket.

event_ticketsCompressed NFT tickets

Metaplex Bubblegum cNFT leaves. Tier + seat + shareable deep-links. Atomic resale with royalty split. Private-price resale via keccak256 commit/reveal. Paused: buy_ticket (×2), buy_tier_ticket, buy_ticket_resale, buy_ticket_resale_private.

rwa_registryLicenced issuer list

State machine: Pending → Active ↔ Suspended → Revoked. Per-issuer jurisdiction tags (max 8 × ISO codes) + asset class bitmap (Commodity, RealEstate, Debt, Equity, Ticket, Carbon, Other).

rwa_mintAsset tokenisation

Token-2022 fixed supply. Mint authority revoked on tokenize (set_authority → None). Cross-program issuer verification via seeds::program — only Active issuers for the category can mint.

marketplacePublic listings

Escrow vault pattern. Atomic buy with fee split. Admin-configurable fee (capped 10%), default 2.5%. update_listing_price + cancel_listing. Paused: buy_listing.

otc_dealsBilateral escrow

Counter-party-specific proposal, dual-party escrow, 1-min to 30-day expiry window. memo_hash slot for Supabase chat thread reference. Permissionless expire crank. Paused: accept_deal.

auctionsSealed-bid auctions

Commit phase (keccak256 of bid + nonce) → reveal phase → permissionless settle. USDC escrow with fee split. Refund path for losing bidders. Paused: settle_auction.

Architecture

Shared on-chain patterns

Config PDA per program

Single authority-gated admin surface: initialize_config, update_fee_bps, update_treasury, update_config_authority, update_pause. Treasury is a USDC ATA; authority will be a Squads multisig on mainnet. Backward-compat layout — new paused flag slots into reserved bytes.

Fee split on every value flow

fee = amount × fee_bps / 10_000. Stats track creator-share (not gross) so analytics stay accurate. Fee cap 1000 bps (10%) enforced on-chain.

Escrow vault PDA

Used by marketplace, otc_deals, auctions, event_tickets resale. Tokens park in a program-owned ATA. Settlement is a single transaction — no custodian window. Programmatic signer seeds prevent any path to drain-by-authority.

Permissionless cranks

Subscription charges, auction settlement, OTC deal expiry, and tier-seat GC (pg_cron) all crank on demand from any wallet. No central scheduler.

Keccak256 commit / reveal

Used by private-price ticket resale and sealed-bid auctions. Hides price / bid until reveal. Bonus: MEV-resistant for auctions.

Emergency pause (new)

Every fund-moving instruction gated on config.paused. Squads multisig can pause a program in one transaction while a patch rolls out. Withdraw-type instructions stay open so creators can drain their vaults.

Product

Frontend — seven marketplace surfaces

/marketplaceRWA tile browse

Category + delivery + jurisdiction filters. Sort by price / newest / supply. Live counts from getProgramAccounts. Listing cards show issuer jurisdictions as compliance-at-a-glance chips.

/marketplace/assets/[mint]Asset detail

Full metadata (gallery, video, location with polygon overlay, attributes). All active + closed listings. OTC activity history. Self-list flow with modal. Edit price + cancel for own listings. Contact owner DM.

/marketplace/eventsEvent browse

Live selling + upcoming events. cNFT ticket with seat picker for venues with a floor plan. Per-event dashboard for creators.

/marketplace/auctionsSealed-bid auctions

Phase-aware UI (commit / reveal / settle-ready / terminal). Your bid envelope cached locally so you never lose the reveal. Permissionless settle + refund buttons.

/marketplace/rentalsRental plans

Monthly / custom-period rental subscriptions on the subscription program. Landlord dashboard for withdrawal. Tenant My Rentals page with next-charge countdown.

/marketplace/otcBilateral deals

Propose / accept / cancel with per-deal Supabase chat. Private-price envelope mode. Expiry presets (1h → 30d) with SHA-256 memo linking to chat thread.

/marketplace/portfolioWallet-aware dashboard

Unified view: RWA holdings (ATA balances joined with Asset PDAs), event tickets (Helius DAS), active listings. One page to see everything your wallet owns.

Community

Chat — signed, persisted, rate-limited

In-app chat runs on Supabase with strict RLS gated by wallet-signed JWTs. Nothing mutates on the server without a valid wallet signature. Three thread kinds cover every conversation surface:

otc_deal

Per on-chain OTC deal. Seller and buyer only. memo_hash is the on-chain deal key.

listing_dm

Private 1:1 between any buyer and any listing's seller. memo_hash = sha256(listing:<kind>:<pda>:<min>:<max>) — server re-derives and rejects mismatches.

group

Seven seeded public channels (#general, #tickets, #rentals, #auctions, #rwa, #showcase, #deals). Turnstile anti-spam + per-sender rate limit.

Writes go through an Edge Function that verifies an ed25519 signature over a challenge tied to the thread and a ~15-minute timestamp. Reads use a short-lived JWT (15 min TTL) minted after a separate signed challenge. Both artefacts cache in localStorage per-wallet so one wallet interaction bootstraps an hour of browsing without further popups.

Ops

Security posture

Upgrade authority

All nine programs' upgrade authority live on a Squads 2-of-3 multisig. Every deploy is a proposal that needs two independent signatures. Single-key compromise no longer hijacks programs. Runbook at docs/SECURITY_RUNBOOK.md.

Emergency pause

Authority-gated update_pause instruction on seven programs freezes all fund-moving entry points in a single Squads proposal. Withdraw / close paths stay open so users can still drain vaults. No custodian flag-flip.

Signed chat auth

Every chat write is an ed25519 signature over a thread-bound, time-bound challenge. Reads are gated by a Supabase JWT minted only after a separate signature. JWT is rotatable in minutes.

Turnstile + rate limit

Group chat writes gate on Cloudflare Turnstile (managed mode; invisible for trusted traffic) plus a per-wallet 30-messages-per-5-minutes cap. Sybil requires funded wallets — not free.

Security event telemetry

security_events table logs sig_verify_fail, challenge_expired, rate_limit_hit, turnstile_fail, jwt_issued. Two convenience views for hot-wallet burst detection and 24h abuse triage. Service-role only.

security.txt

All nine programs embed the Squads security.txt format with disclosure contact (security@nodosol.com). Lets researchers reach us without guessing.

Pending, in order of priority: external audit (OtterSec / Neodyme / Zellic, 4-8 week wait list), mainnet multisig with hardware signers, staged rollout with position caps. Bug bounty program post-audit.

Tech stack

Stack & infrastructure

ProgramsAnchor 1.0, Solana program SDK 2.x, Rust 1.89

TokensToken-2022 (fixed supply, confidential-ready)

cNFTMetaplex Bubblegum + SPL Account Compression

IndexerHelius DAS API for wallet-owned cNFT lookups

FrontendNext.js 15 + React 19 + TypeScript (strict)

Wallets@solana/wallet-adapter (Phantom, Backpack) + Privy embedded

RPCDevnet default; Helius / Triton on mainnet

Off-chainSupabase: Postgres + RLS, Edge Functions (Deno), Storage for media

MapsGoogle Maps JS API + Places + Drawing (for polygons)

TestsLiteSVM (program tests), Vitest (TS)

CIGitHub Actions: anchor build + cargo test + web typecheck/lint/build

HostingVercel (web), Supabase (backend)

Monitoringsecurity_events Supabase table + queries; console telemetry

Changelog · 2026-04-24

What shipped since last update

In-app chat: OTC threads, per-listing DMs, and seven public channels. Signed ed25519 writes, JWT-gated reads, localStorage persistence.
Asset detail page: gallery + video + location + attributes + OTC activity + self-list flow + edit/cancel for own listings + Contact owner DM.
Marketplace jurisdictions filter: joins issuer PDAs into the listing index, filters by ISO code, compliance chips on cards.
Emergency pause across 7 programs: update_pause admin ix gated on Config authority (Squads multisig).
Squads multisig migration: upgrade authority of all 9 programs moved to 2-of-3 Squads vault on devnet.
Security event log: security_events table + Edge Function writes + hot-wallet views.
UX hardening: toast system + friendly error decoder, unified dark theme, responsive stat grids, search + chat in sidebar nav, 65+ alerts migrated to toasts.
Chat session persistence: JWT + per-thread sig cached per-wallet in localStorage — one wallet popup per hour of active chat instead of per page load.