The on-chain program is ~600 LOC of Anchor. The off-chain side is a TanStack-React app + a Fastify indexer + a Node keeper. All the load-bearing logic lives on-chain.

The program

Anchor 0.32 program, four instructions. Token-2022 aware via anchor-spl's InterfaceAccount. Hardcoded constants (treasury multisig, Jupiter program id, payment mint allowlist, protocol fee rate, expiry caps, bounty bounds) — no admin functions, no upgrade path post-renounce.

PDAs

  • Commitment: seeds ["commitment", owner, nonce]. The nonce makes each (owner, nonce) pair a fresh address; combined with init (not init_if_needed) this eliminates reinit attack surface entirely.
  • Vault authority: seeds ["vault", commitment]. Used as the signer for token transfers + the Jupiter CPI. Canonical bumps are stored on the Commitment account so subsequent ixs verify via create_program_address (cheaper than find_program_address).
[Figure: PDA derivation. Seeds "commitment" (ASCII seed), owner (Pubkey, 32 B), nonce (i64 LE bytes) → sha256(seeds ++ program_id ++ "ProgramDerived") → Commitment PDA (off-curve, no private key; bump: u8).]
The nonce is set client-side (typically Date.now()) so the same owner can keep many open orders without seed collision.

The Jupiter CPI

This is the load-bearing path. The keeper passes Jupiter's sharedAccountsRoute instruction payload as a byte array; the program validates the discriminator + program id, reconstructs the 13-account fixed prefix from typed/constrained accounts (so the keeper can't swap in a malicious source ATA or output mint), and forwards the per-AMM tail with signer flags force-stripped.

Then:

  1. Skim 20 bps to treasury (signed by vault authority).
  2. Snapshot owner_target_ata.amount.
  3. invoke_signed Jupiter with the vault authority as signer.
  4. Reload both accounts post-CPI (Anchor does NOT auto-refresh — this is mandatory).
  5. Compute tokens_out = post - pre; require ≥ min_fill AND vault.amount == 0 (full-fill enforcement).
  6. Compute effective_price = ceil_div(spent × 1e18, tokens_out); require ≤ max_price.
  7. Pay bounty, close accounts.
[Figure: execute_commitment, atomic instruction. (1) Validate Commitment state: Active · not expired · routable. (2) CPI sharedAccountsRoute: Jupiter V6 swap, vault PDA signs. (3) Reload destination ATA: post-CPI balance check. (4) Enforce bounds: min_fill ≤ received · effective_price ≤ max. Any failure → entire tx reverts · no partial state.]
A single instruction. If any check fails or the Jupiter CPI doesn't yield ≥ min_fill at ≤ max_price, the entire tx reverts — no partial states possible.
Why ceiling division?
Buyer-favorable rounding. The on-chain price comparison is effective_price ≤ max_price — rounding the computed price up means any imprecision lands in the buyer's favor.
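
Steps 5 and 6 and the rounding choice above, as an added Rust sketch that is not the program's own code. The names check_fill, FillError and PRICE_SCALE are hypothetical, spent is assumed to be the payment-token amount swapped, and a zero fill is rejected outright so the division stays defined.

```rust
// Added illustration; all names here are hypothetical, not the program's own.
const PRICE_SCALE: u128 = 1_000_000_000_000_000_000; // 1e18, as in step 6

#[derive(Debug, PartialEq)]
pub enum FillError { BalanceDecreased, BelowMinFill, VaultNotEmpty, PriceTooHigh, Overflow }

/// Ceiling division; returns None when `d` is zero.
pub fn ceil_div(n: u128, d: u128) -> Option<u128> {
    if d == 0 { return None; }
    let q = n / d;
    if n % d == 0 { Some(q) } else { q.checked_add(1) }
}

/// Steps 5 and 6, evaluated on balances re-read after the CPI returns.
/// `pre` / `post`: owner_target_ata.amount before and after the swap.
/// `vault_after`: vault.amount after the swap. `spent`: payment units swapped (assumed).
pub fn check_fill(pre: u64, post: u64, vault_after: u64, spent: u64,
                  min_fill: u64, max_price: u128) -> Result<(u64, u128), FillError> {
    let tokens_out = post.checked_sub(pre).ok_or(FillError::BalanceDecreased)?;
    // A stale (un-reloaded) `post` equals `pre`, so tokens_out is 0 and is rejected here.
    if tokens_out == 0 || tokens_out < min_fill { return Err(FillError::BelowMinFill); }
    // Full-fill enforcement: nothing may remain in the vault.
    if vault_after != 0 { return Err(FillError::VaultNotEmpty); }
    let scaled = (spent as u128).checked_mul(PRICE_SCALE).ok_or(FillError::Overflow)?;
    // Rounding up makes the comparison against max_price strictly conservative.
    let price = ceil_div(scaled, tokens_out as u128).ok_or(FillError::Overflow)?;
    if price > max_price { return Err(FillError::PriceTooHigh); }
    Ok((tokens_out, price))
}

fn main() {
    // Constructed values: 10 units spent for 3 received, true price 3.33...e18.
    let floor_price = 10 * PRICE_SCALE / 3;
    // A cap equal to the floored price would pass a floor check; the ceiling check rejects it.
    println!("{:?}", check_fill(100, 103, 0, 10, 3, floor_price));
    // One unit of headroom on the cap is enough for the same fill to pass.
    println!("{:?}", check_fill(100, 103, 0, 10, 3, floor_price + 1));
}
```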

Token-2022 extension rejection

Target mints with these extensions are rejected via TLV walk: TransferFeeConfig, TransferHook, PermanentDelegate, NonTransferable, DefaultAccountState, ConfidentialTransferMint, ConfidentialTransferFeeConfig, MintCloseAuthority, InterestBearingConfig, Pausable.

The check runs at both create_commitment and execute_commitment — some extensions (TransferHook, InterestBearingConfig) can be added after init by a malicious mint authority, so we re-verify on every execute.

Off-chain components

  • App — Next.js 14, Privy auth, TanStack Query, sonner. Reads chain state directly via getProgramAccounts; falls back to the indexer for history (closed accounts).
  • Indexer — Fastify v5 + Postgres. Polls the chain every 15s, upserts commitments, exposes REST endpoints. Helius LaserStream gRPC subscription is a planned upgrade.
  • Keeper — Node + @solana/web3.js. Polls active commitments, fetches Jupiter quote + swap-instructions, simulates, submits. Bounded concurrency + per-route revert cooldown.

Immutability

Pre-mainnet, the upgrade authority is the deploy wallet. After audit, the upgrade authority will be renounced with solana program set-upgrade-authority --final, which is irreversible. There is no admin function in the program; the only mutability vector before that step is the upgrade authority itself, and after renounce there is none.