PDAs as Authorities
PDAs commonly act as mint authorities, freeze authorities, vault owners, and escrow custodians. The program enforces when the PDA may sign via business logic.
Recipe
// Mint authority PDA seeds: [b"mint_auth", mint.key.as_ref()]When to reach for this:
- Launching tokens with program-controlled mint.
- Holding user funds in escrow until conditions met.
- Treasury accounts for protocol fees.
Working Example
// Conceptual: program verifies escrow conditions then signs token transfer from escrow PDA
pub fn release_escrow(bump: u8, /* accounts */) -> ProgramResult {
// validate expiry, signatures, state machine
// token::transfer CPI with invoke_signed seeds [b"escrow", &[bump]]
Ok(())
}What this demonstrates:
- Business rules gate PDA signature.
- Escrow PDA holds SPL tokens.
- State machine checked before CPI.
Deep Dive
Patterns
| Role | Typical seeds |
|---|---|
| Vault | [b"vault", user] |
| Mint auth | [b"mint", mint] |
| Escrow | [b"escrow", order_id] |
Risk
Program bug = full authority compromise.
Rust Notes
// Never expose arbitrary invoke_signed wrapper without checks.Gotchas
- Arbitrary CPI wrapper - Anyone triggers PDA sign.. Fix: Bind to instruction handlers.
- Escrow without expiry - Funds locked forever.. Fix: Time or cancel paths.
- Shared authority PDA - One breach hits all users.. Fix: Per-user seed isolation.
- Mint authority not revoked - Infinite mint risk.. Fix: Revoke after setup.
- Token account owner mismatch - PDA must own token account.. Fix: Validate ATA.
Alternatives
| Alternative | Use When | Don't Use When |
|---|---|---|
| Multisig authority | Human ops | Full automation |
| Wallet-owned vault | User custody | Protocol escrow |
| NFT escrow programs | Specialized | SPL token only |
FAQs
Who controls PDA?
Program code at program id.
Transfer mint authority to PDA?
CPI set_authority.
Revoke mint?
Recommended after fixed supply.
SOL vault?
PDA holds lamports; program signs transfers.
NFT escrow?
Same patterns with metadata checks.
Upgrade risk?
Malicious upgrade steals authority.
Governance timelock?
Off-chain ops pattern.
ATA for PDA?
Derive associated token address.
Freeze authority PDA?
Possible with token program.
Close escrow?
Return rent; zero state.
Audit?
Critical tier finding target.
Anchor init mint?
Supports PDA authorities.
Related
- Vault & Escrow - Patterns
- CPI to SPL Token - Token ops
- Access Control & Authorities - Roles
Stack versions: This page was written for Agave 4.1.1, Solana CLI 3.0.10, Anchor 0.32.1, anchor-lang 0.32.1, Rust 1.91.1, @solana/kit 7.0.0, Surfpool 0.12.0, and LiteSVM 0.6.x.