The Solana program becomes the single authority users trust — not ShardKeep the company, not node operators, not any server. Every critical state transition is enforced by immutable on-chain logic. · April 2026
Capabilities are split across programs based on upgrade cadence and complexity. The core program handles operations that touch every user interaction. Extension programs handle specialized features.
| Program | Capabilities | Phase |
|---|---|---|
shardkeep_core |
Shard map authority, subscription management, access control + 2FA, rotation scheduling, fee collection, audit trail | Phase 1 |
shardkeep_nodes |
Node registration, bond staking, uptime tracking, slashing | Phase 2 |
shardkeep_rewards |
Emission distribution, Merkle-based reward claims, reward multipliers | Phase 2 |
shardkeep_estate |
Dead man's switch, beneficiary transfer, key escrow | Phase 3 |
| SPL Governance (Realms) | Protocol parameter governance, upgrade authority | Phase 3 |
The program stores encrypted shard location maps in PDAs. All on-chain data is AES-256-GCM ciphertext — publicly readable but useless without the user's wallet key.
Seeds: ["shard_map", user_pubkey, vault_id (u64)] Fields: owner: Pubkey vault_id: u64 version: u32 // incremented on each rotation encrypted_map: Vec<u8> // AES-256-GCM ciphertext (~300-500 bytes) nonce: [u8; 12] // encryption nonce map_hash: [u8; 32] // SHA-256 of plaintext (integrity check) status: u8 // Active=0, Locked=1, Rotating=2, Deleted=3 created_at: i64 updated_at: i64
| Instruction | Signer | Effect |
|---|---|---|
store_shard_map | User wallet | Creates/updates ShardMap PDA with encrypted data |
rotate_shard_map | User wallet OR rotation delegate | Writes new encrypted map, increments version |
delete_shard_map | User wallet | Sets status=Deleted, reclaims rent |
lock_shard_map | User OR backup wallet | Sets status=Locked (emergency freeze) |
Tier status managed on-chain. Users deposit payment into program-controlled escrow. Verifiable by anyone — no trusting ShardKeep's server to report tier correctly.
Seeds: ["subscription", user_pubkey] Fields: owner: Pubkey tier: u8 // Free=0, Guardian=1, Sentinel=2, Fortress=3 payment_mint: Pubkey // USDC or SHARDKEEP mint address paid_through: i64 // subscription valid until auto_renew: bool escrow_balance: u64 // pre-deposited for auto-renewal
| Instruction | Signer | Effect |
|---|---|---|
subscribe | User wallet | Transfer payment to escrow, set tier + expiry |
renew | User OR permissionless crank | Debit escrow, extend paid_through |
upgrade_tier | User wallet | Pay difference, upgrade tier |
cancel | User wallet | Stop auto-renew, refund remaining escrow |
check_expiry | Permissionless crank | If expired + no funds → downgrade to Free |
Why on-chain? If ShardKeep's server says "you're not subscribed," the user can prove otherwise by pointing to the Subscription PDA. Third-party apps can verify tier without calling our API (see Auth-as-a-Service). The blockchain IS the receipt.
The kill switch. Primary wallet and backup wallet registered on-chain. Backup can freeze everything. Social recovery via guardians.
Seeds: ["access_control", user_pubkey] Fields: primary_wallet: Pubkey backup_wallet: Option<Pubkey> guardian_wallets: Vec<Pubkey> // max 5, for social recovery guardian_threshold: u8 // how many guardians needed lockdown_active: bool lockdown_initiated_by: Option<Pubkey> recovery_cooldown: i64 // e.g., 48 hours last_primary_action: i64
| Instruction | Signer | Effect |
|---|---|---|
set_backup_wallet | Primary | Register backup pubkey |
set_guardians | Primary | Set guardian wallets + threshold |
emergency_lockdown | Backup OR primary | Freeze ALL shard maps for this user |
lift_lockdown | Primary only | Unfreeze after cooldown |
initiate_recovery | Backup OR N guardians | Begin wallet migration (48h cooldown) |
complete_recovery | New wallet | Transfer all PDA ownership |
cancel_recovery | Primary | Cancel if user returns during cooldown |
store_shard_map, rotate_shard_map, and delete_shard_map instructions MUST check lockdown_active from the AccessControl PDA. If locked, those instructions FAIL. This is enforced by the smart contract — no server can override it. Not even ShardKeep.
The program defines rotation rules per tier. A permissionless crank checks if rotation is due. The user or a delegated agent executes.
Seeds: ["rotation_delegate", user_pubkey] Fields: owner: Pubkey delegate: Pubkey // authorized agent's key permissions: u8 // bitfield: can_rotate=1 authorized_at: i64 expires_at: i64 // delegation expiry
The delegation model solves "user must be online": User pre-authorizes a rotation agent (keypair held by ShardKeep's infrastructure or community-operated). The agent can execute rotations on schedule but CANNOT delete, lock, or transfer — only rotate. User revokes at any time.
| Tier | Rotation | Trigger |
|---|---|---|
| Shield (Pawn) | Manual only | User-initiated |
| Guardian (Knight) | Weekly | Crank + delegate or client |
| Sentinel (Bishop/Rook) | Daily | Crank + delegate or client |
| Fortress (Queen) | Daily | Crank + delegate or client |
Every shard operation collects a micro-fee into the program-controlled treasury PDA. Fees fund operator rewards, protocol development, and insurance.
Seeds: ["fee_config"] Fields: authority: Pubkey // governance multisig store_fee: u64 // per shard_map store rotate_fee: u64 // per rotation operator_share_bps: u16 // % to operator reward pool treasury_share_bps: u16 // % to protocol insurance_share_bps: u16 // % to insurance pool
Fee distribution is transparent: anyone can read FeeConfig and verify where fees go. No hidden margins.
Every shard operation is a Solana transaction → immutable audit log by default. The program emits structured events for indexing.
AuditEvent (via Anchor emit!()): user: Pubkey operation: u8 // Store=0, Rotate=1, Delete=2, Lock=3, Unlock=4 vault_id: u64 timestamp: i64 metadata_hash: [u8; 32]
Enterprise users (Fortress) can enable log_access for read-level audit trails. Individual users get it free via transaction history.
Operators register on-chain, stake bonds, earn based on performance. Currently tracked in MySQL — moving on-chain makes it trustless.
Seeds: ["node", operator_pubkey] Fields: operator: Pubkey node_id: [u8; 32] stake_amount: u64 status: u8 // Pending=0, Active=1, Jailed=2, Deregistered=3 last_heartbeat: i64 shards_held: u32 shard_capacity: u32 uptime_score: u16 // basis points (0-10000) slash_count: u8 region: u8 // geographic region code
| Violation | Penalty |
|---|---|
| Serving corrupt data | 100% bond slash |
| Extended downtime (>72h) | 25% bond slash |
| Failed heartbeats (>50% in 30 days) | 10% bond slash |
| Collusion (proven) | 100% bond slash |
What operators gain: Their stake is safe from arbitrary seizure. They can verify their bond balance on-chain. They can join permissionlessly (no ShardKeep gatekeeping). New operators register, stake, and start earning — all via transactions.
Emissions distributed via Merkle tree. Off-chain indexer computes reward tree each epoch, publishes root on-chain. Operators submit Merkle proofs to claim. Program verifies and prevents double-claims.
Why Merkle? On-chain computation for thousands of operators would exceed Solana's compute limits. Merkle proofs shift computation off-chain while maintaining on-chain verifiability. Same pattern used by Jupiter, Marinade, and most major Solana protocols.
claim_rewards with their Merkle proofDead man's switch on-chain. No ShardKeep involvement required for execution.
last_activity (updated on ANY shard operation)initiate_transfercomplete_transfer → all PDA ownership transfersThird-party dApps verify ShardKeep identity by reading on-chain PDAs. No API call to ShardKeep required.
shardkeep_core ├── VaultIndex ["vault_index", user] per-user metadata ├── ShardMap ["shard_map", user, vault_id] encrypted shard locations ├── Subscription ["subscription", user] tier + payment state ├── SubscriptionEscrow ["sub_escrow", user] token account (USDC/SHARDKEEP) ├── AccessControl ["access_control", user] wallets, guardians, lockdown ├── RotationDelegate ["rotation_delegate", user] authorized rotation agent ├── FeeConfig ["fee_config"] global fee parameters ├── Treasury ["treasury"] fee collection account └── ProgramConfig ["program_config"] global config + authority shardkeep_nodes ├── GlobalNodeConfig ["node_config"] staking params, totals ├── NodeRegistry ["node", operator] per-operator registration └── NodeStakeVault ["node_stake", operator] staked token account shardkeep_rewards ├── RewardPool ["reward_pool"] emission config + pool ├── OperatorRewards ["operator_rewards", operator] accrued rewards └── MerkleDistributor ["merkle_dist", epoch] root per epoch shardkeep_estate ├── EstatePlan ["estate", user] beneficiary + timeout └── EscrowedKey ["escrowed_key", user] encrypted master key
| Accounts | Data Size | Rent-Exempt | USD |
|---|---|---|---|
| VaultIndex + AccessControl + Subscription | ~576 bytes | ~0.004 SOL | $0.80 |
| Per ShardMap (50 vaults) | ~25 KB | ~0.18 SOL | $36 |
| RotationDelegate | ~128 bytes | ~0.001 SOL | $0.20 |
| Total (50 vaults) | ~0.19 SOL | $37 |
Rent is recoverable when accounts are closed. Protocol can subsidize rent from subscription fees so users never handle SOL directly.
| Capability | Survives without ShardKeep? |
|---|---|
| Shard maps accessible | YES — on-chain, anyone can read PDAs |
| Subscription state verifiable | YES — on-chain |
| Node operators continue | YES — staked, incentivized by rewards |
| Emergency lockdown | YES — program enforces, no server needed |
| Estate/inheritance | YES — dead man's switch is on-chain |
| Fee collection + rewards | YES — program handles automatically |
| Audit trail | YES — Solana transaction history is permanent |
| Client applications (extension, mobile) | NEEDS community — open-source enables this |
| Rotation agent | NEEDS community — anyone can run one |
| Node heartbeat oracle | NEEDS community — decentralized attestation |
Design decision: NO blocklist, NO pause instruction, NO admin override.
The program processes any valid instruction from any wallet. There is no geographic restriction, no KYC gate, no way for ShardKeep (or anyone) to prevent a wallet from using the program. This is a deliberate and permanent design choice.
ShardKeep's client applications (browser extension, website) could theoretically geo-block users. But the program is permissionless — alternative clients, CLI tools, or direct RPC calls bypass any client-level restriction.
anchor verify)Progressive lockdown: ship fast early, decentralize authority as the protocol matures, lock it permanently when stable.
Users trust the program, not the company.
Operators trust the program, not manual payouts.
Third parties trust the program, not an API.
The program is the authority — everything else is interface.
No centralized password manager can replicate this without abandoning their entire architecture. No existing crypto vault has a Solana program managing shard maps, subscriptions, access control, node staking, rewards, and estate planning in a single trustless protocol. This is a multi-year head start.
Supersedes v1 and v2. References: vault-security-v3, tokenomics-v3.1, addendum-revenue-streams-v1, shardkeep-branding-proposal.
Existing Anchor program 4hfvirYMHxW4nZSuTreWRQQD45Hfc4LKmUyy3hFYcZVP (vault CRUD) remains unchanged — the new programs are separate deployments.
All development begins on Solana DevNet. MainNet deployment after security audit.