Skip to content

jerrygeorge360/SolRescue

Repository files navigation

SolRescue

SolRescue is a self-hosted token rescue service for compromised Solana wallets.

It uses native fee-payer delegation, meaning the compromised wallet never receives SOL, preventing sweep bots from triggering.


Overview

When a Solana wallet is compromised, rescuing tokens normally fails:

  1. You send SOL to pay transaction fees
  2. A sweep bot instantly steals the SOL
  3. The token transfer never executes

SolRescue Solution

SolRescue solves this by:

  • The server pays all transaction fees
  • The compromised wallet only signs the token transfer

Since no SOL enters the compromised wallet, sweep bots have nothing to steal.


Architecture

System Flow

Client                    Server                      Solana Network
  │                          │                              │
  │  1. POST /api/tokens     │                              │
  │─────────────────────────>│                              │
  │                          │   Query token accounts       │
  │                          │─────────────────────────────>│
  │                          │<─────────────────────────────│
  │  Return balances         │                              │
  │<─────────────────────────│                              │
  │                          │                              │
  │  2. POST /api/simulate   │                              │
  │─────────────────────────>│                              │
  │                          │   Check ATAs, calculate fees │
  │                          │─────────────────────────────>│
  │  Return preview          │                              │
  │<─────────────────────────│                              │
  │                          │                              │
  │  3. Generate proof       │                              │
  │  (sign message)          │                              │
  │                          │                              │
  │  4. POST /api/execute    │                              │
  │  (key + proof + params)  │                              │
  │─────────────────────────>│                              │
  │                          │   Verify ownership proof     │
  │                          │   Build transaction:         │
  │                          │   - Fee payer: server wallet │
  │                          │   - Signer: compromised key  │
  │                          │                              │
  │                          │   Send atomic transaction    │
  │                          │─────────────────────────────>│
  │                          │                              │
  │                          │   Confirm transaction        │
  │                          │<─────────────────────────────│
  │  Return signature        │                              │
  │<─────────────────────────│                              │

Token Program Support

SolRescue supports both:

  • Classic SPL Token
  • Token-2022
Detect mint program
        │
        ├── TOKEN_PROGRAM_ID (classic)
        │      └── Standard ATA creation
        │
        └── TOKEN_2022_PROGRAM_ID
               │
               ├── Check PermanentDelegate
               │
               ├── If present:
               │      └── Two-transaction flow
               │
               └── Otherwise:
                      └── Standard single transaction

PermanentDelegate Handling

Token-2022 mints with PermanentDelegate require special handling.

Two-Transaction Flow

Transaction 1 — ATA_SETUP

Fee payer: Server wallet

Instructions:

  1. Transfer SOL → Destination wallet
  2. Transfer SOL → Fee collection wallet
  3. Transfer SOL → Compromised wallet (exact ATA rent amount)
  4. Create destination ATA (payer = compromised)
  5. Create fee collection ATA (payer = compromised)

Transaction 2 — TRANSFER

Fee payer: Server wallet

Instructions:

  1. Transfer tokens → Destination (95%)
  2. Transfer tokens → Fee collection (5%)

Result

Net cost to compromised wallet: 0 SOL

The server covers all expenses.


Security Model

1. Ownership Proof

Before executing a rescue, the client must:

  1. Sign a known message
  2. Using the compromised wallet private key

Verification uses:

nacl.sign.detached.verify

This proves the caller controls the wallet.


2. Private Key Handling

Keys are handled with strict rules:

  • HTTPS only (TLS required)
  • Used in memory only
  • Never logged
  • Never stored
  • Cleared from memory immediately

3. Rate Limiting

Endpoint Limit
General API 30 requests / 15 minutes
Rescue execution 5 rescues / hour

Prevents automated abuse.


4. Security Headers

Using:

  • Helmet
  • CSP
  • HSTS
  • X-Frame-Options

Additional protections:

  • JSON body limited to 10KB
  • CORS restricted in production

5. Audit Logging

Logging is handled with:

  • Winston

Features:

  • Request IDs
  • IP logging
  • Transaction signatures
  • Automatic rotation

Private keys never appear in logs.


Installation

git clone https://github.com/yourusername/solrescue.git
cd solrescue
npm install

Configuration

cp .env.production.example .env

Edit .env.

NODE_ENV=production
RPC_URL=https://mainnet.helius-rpc.com/?api-key=YOUR_KEY

FEE_PAYER_PRIVATE_KEY=<server_wallet_base58>
FEE_COLLECTION_ADDRESS=<fee_wallet>

SERVICE_FEE_PERCENT=5
MIN_RESCUE_AMOUNT=1000

ALLOWED_ORIGIN=https://your-domain.com

PROOF_MESSAGE=I authorize Solana Rescue to recover my tokens

Environment Variables

Variable Description
NODE_ENV Environment mode
RPC_URL Solana RPC endpoint
FEE_PAYER_PRIVATE_KEY Wallet paying transaction fees
FEE_COLLECTION_ADDRESS Fee wallet
SERVICE_FEE_PERCENT Service fee percentage
MIN_RESCUE_AMOUNT Minimum rescue amount
ALLOWED_ORIGIN Allowed CORS domain
PROOF_MESSAGE Message users sign

Deployment

Vercel (Recommended)

  1. Push repository to GitHub
  2. Import repository into Vercel
  3. Add environment variables
  4. Deploy

Traditional Server

Use:

  • PM2
  • Nginx
  • SSL via Let's Encrypt

Example:

pm2 start server.js --name solrescue

API Reference

GET /api/health

Returns server status.

{
  "status": "ok",
  "feePayerBalanceSOL": 0.0432,
  "serviceFeePercent": 5
}

GET /api/proof-message

Returns the message users must sign.

{
  "message": "I authorize Solana Rescue to recover my tokens"
}

POST /api/tokens

Fetch token balances.

Request

{
  "walletAddress": "7xKX..."
}

POST /api/rescue/execute

Execute token rescue.

Request

{
  "compromisedWalletPrivateKey": "base58_private_key_here",
  "ownershipProof": "base58_signature_here",
  "tokenMint": "...",
  "tokenAccount": "...",
  "destinationAddress": "..."
}

Response

{
  "success": true,
  "signature": "...",
  "total": "15000000",
  "userReceived": "14250000",
  "serviceFee": "750000"
}

Generating Ownership Proof

Example:

import { Keypair } from "@solana/web3.js";
import bs58 from "bs58";
import nacl from "tweetnacl";

const response = await fetch("/api/proof-message");
const { message } = await response.json();

const keypair = Keypair.fromSecretKey(bs58.decode(privateKey));

const messageBytes = new TextEncoder().encode(message);

const signature = nacl.sign.detached(messageBytes, keypair.secretKey);

const ownershipProof = bs58.encode(signature);

Project Structure

solrescue/
├── server.js
├── src/
│   ├── rescue.js
│   └── logger.js
├── public/
│   └── index.html
├── logs/
│   ├── rescue.log
│   └── error.log
├── .env.production.example
├── vercel.json
├── DEPLOYMENT.md
├── PRODUCTION.md
└── package.json

Technology Stack

Layer Technology
Backend Node.js + Express
Blockchain Solana Web3 SDK
Token handling SPL Token
Security Helmet + Rate Limit
Logging Winston
Frontend Vanilla JavaScript

Important Notes

HTTPS is mandatory

Private keys are transmitted to the server.

Deploy only behind TLS.


Fee payer maintenance

Monitor:

/api/health

Ensure the server wallet always has SOL balance.


Advanced protection

For high-value rescues, combine with:

  • Jito Labs bundles

This reduces MEV risk.


License

MIT

About

Rescue tokens from compromised Solana wallets without triggering sweep bots.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors