New Detector: Solana Keypair File #4887

@janlegner

Description

Solana CLI keypair files store a raw Ed25519 keypair as a JSON array of exactly 64 unsigned bytes (32-byte secret key + 32-byte public key). This is the standard format produced by solana-keygen new and used throughout the Solana ecosystem.

Example (~/.config/solana/id.json):

[174,47,154,16,202,193,206,113,199,190,53,133,169,175,31,56,222,53,138,189,224,216,117,173,10,149,53,45,73,251,237,246,15,185,186,82,177,240,148,69,241,227,167,80,141,89,240,121,121,35,172,247,68,251,226,218,48,63,176,109,168,89,238,135]

Public key: 24PNhTaNtomHhoy3fTRaMhAFCRj4uHqhZEEoWrKDbR5p

Possession of this file grants full control over the associated wallet and all on-chain assets. TruffleHog does not cover the Solana file wallet format. This also can't be solved with the custom regex detector framework — the file has no distinctive keyword to trigger on, just numbers and commas.

Preferred Solution

A native detector that parses rather than regexes. Find [ in the chunk, extract to matching ], parse with encoding/json, accept only arrays of exactly 64 integers where every value is in [0, 255]. False positive risk is very low — this is an extremely specific fingerprint.

Verification is possible: derive the Solana address from the public key (bytes 32–63), base58-encode it, and call getAccountInfo on Solana mainnet RPC. Account exists with non-zero lamports → verified. Account doesn't exist → unverified.

Additional Context

Solana is the only major blockchain ecosystem that stores keypairs as bare JSON byte arrays. Ethereum uses hex strings or encrypted keystores, NEAR uses base58 with named JSON fields. So this detector is Solana-specific, though it would also catch any raw Ed25519 keypair dumped to a 64-element JSON array.
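
An added sketch of the parse-based check described under Preferred Solution (example code written for this page, not TruffleHog's detector or the issue author's code). FindKeypairArrays and SeedMatchesPublicKey are hypothetical names; the offline seed-to-public-key consistency check goes beyond the issue's proposal and assumes the file holds a standard Ed25519 seed followed by its public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// FindKeypairArrays returns each flat JSON array of exactly 64 integers in [0, 255] as bytes.
func FindKeypairArrays(chunk []byte) [][]byte {
	var found [][]byte
	for i, c := range chunk {
		if c != '[' {
			continue
		}
		end := bytes.IndexAny(chunk[i+1:], "[]")
		if end < 0 || chunk[i+1+end] == '[' {
			continue // unterminated or nested; an inner '[' is tried on a later pass
		}
		var vals []*int // pointers, so a JSON null is rejected instead of read as 0
		if json.Unmarshal(chunk[i:i+end+2], &vals) != nil || len(vals) != 64 {
			continue // non-integers (strings, floats) fail to unmarshal into int
		}
		kp := make([]byte, 0, 64)
		for _, v := range vals {
			if v != nil && *v >= 0 && *v <= 255 {
				kp = append(kp, byte(*v))
			}
		}
		if len(kp) == 64 {
			found = append(found, kp)
		}
	}
	return found
}

// SeedMatchesPublicKey: added offline check that bytes 32-63 are the public key of the seed in bytes 0-31.
func SeedMatchesPublicKey(kp []byte) bool {
	return len(kp) == 64 && bytes.Equal(ed25519.NewKeyFromSeed(kp[:32]), kp)
}

func main() {
	// Constructed sample: the key derived from an all-zero seed, after a noise array.
	key := fmt.Sprint([]byte(ed25519.NewKeyFromSeed(make([]byte, 32))))
	chunk := bytes.ReplaceAll([]byte(`{"ids":[1,2,3]} `+key), []byte(" "), []byte(","))
	for _, kp := range FindKeypairArrays(chunk) {
		fmt.Println("candidate; seed matches public key:", SeedMatchesPublicKey(kp))
	}
}
```

A 64-integer array that fails the consistency check can still be reported as a lower-confidence candidate; the check only separates real Ed25519 keypairs from arbitrary byte arrays without any network call.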
