Please review the Community Note before submitting
Description
Solana CLI keypair files store a raw Ed25519 keypair as a JSON array of exactly 64 unsigned bytes (32-byte secret key + 32-byte public key). This is the standard format produced by solana-keygen new and used throughout the Solana ecosystem.
Example (~/.config/solana/id.json):
[174,47,154,16,202,193,206,113,199,190,53,133,169,175,31,56,222,53,138,189,224,216,117,173,10,149,53,45,73,251,237,246,15,185,186,82,177,240,148,69,241,227,167,80,141,89,240,121,121,35,172,247,68,251,226,218,48,63,176,109,168,89,238,135]
Public key: 24PNhTaNtomHhoy3fTRaMhAFCRj4uHqhZEEoWrKDbR5p
Possession of this file grants full control over the associated wallet and all on-chain assets. TruffleHog does not cover Solana file wallet format. This also can't be solved with the custom regex detector framework — the file has no distinctive keyword to trigger on, just numbers and commas.
Preferred Solution
A native detector that parses rather than regexes. Find [ in the chunk, extract to matching ], parse with encoding/json, accept only arrays of exactly 64 integers where every value is in [0, 255]. False positive risk is very low — this is an extremely specific fingerprint.
Verification is possible: derive the Solana address from the public key (bytes 32–63), base58-encode it, and call getAccountInfo on Solana mainnet RPC. Account exists with non-zero lamports → verified. Account doesn't exist → unverified.
Additional Context
Solana is the only major blockchain ecosystem that stores keypairs as bare JSON byte arrays. Ethereum uses hex strings or encrypted keystores, NEAR uses base58 with named JSON fields. So this detector is Solana-specific, though it would also catch any raw Ed25519 keypair dumped to a 64-element JSON array.
References
Please review the Community Note before submitting
Description
Solana CLI keypair files store a raw Ed25519 keypair as a JSON array of exactly 64 unsigned bytes (32-byte secret key + 32-byte public key). This is the standard format produced by
solana-keygen newand used throughout the Solana ecosystem.Example (
~/.config/solana/id.json):Public key:
24PNhTaNtomHhoy3fTRaMhAFCRj4uHqhZEEoWrKDbR5pPossession of this file grants full control over the associated wallet and all on-chain assets. TruffleHog does not cover Solana file wallet format. This also can't be solved with the custom regex detector framework — the file has no distinctive keyword to trigger on, just numbers and commas.
Preferred Solution
A native detector that parses rather than regexes. Find
[in the chunk, extract to matching], parse withencoding/json, accept only arrays of exactly 64 integers where every value is in [0, 255]. False positive risk is very low — this is an extremely specific fingerprint.Verification is possible: derive the Solana address from the public key (bytes 32–63), base58-encode it, and call
getAccountInfoon Solana mainnet RPC. Account exists with non-zero lamports → verified. Account doesn't exist → unverified.Additional Context
Solana is the only major blockchain ecosystem that stores keypairs as bare JSON byte arrays. Ethereum uses hex strings or encrypted keystores, NEAR uses base58 with named JSON fields. So this detector is Solana-specific, though it would also catch any raw Ed25519 keypair dumped to a 64-element JSON array.
References