Solana ProgramToken Wrap
A program for wrapping SPL tokens to enable interoperability between token standards. If you are building an app with a mint/token and find yourself wishing you could take advantage of some of the latest features of a specific token program, this might be for you!
Features
- Bidirectional Wrapping: Convert tokens between SPL Token and SPL Token 2022 standards in either direction, including conversions between different SPL Token 2022 mints.
- Extensible Mint Creation: The
CreateMintinstruction is designed to be extensible through theMintCustomizertrait. By forking the program and implementing this trait, developers can add custom logic to:- Include any SPL Token 2022 extensions on the new wrapped mint.
- Modify default properties like the
freeze_authorityanddecimals.
- Confidential Transfers by Default: All wrapped tokens created under the Token-2022 standard automatically include
the
ConfidentialTransferMintextension, enabling the option for privacy-preserving transactions. This feature is immutable and requires no additional configuration. - Transfer Hook Compatibility: Integrates with tokens that implement the SPL Transfer Hook interface, enabling custom logic on token transfers.
- Multisignature Support: Compatible with multisig signers for both wrapping and unwrapping operations.
- Metadata Synchronization: Syncs metadata from unwrapped tokens (both Metaplex and Token-2022 standards) to their wrapped counterparts.
How It Works
It supports the following primary operations:
-
CreateMint: This operation initializes a new wrapped token mint and its associated backpointer account. Note, the caller must pre-fund this account with lamports. This is to avoid requiring writer+signer privileges on this instruction.- Wrapped Mint: An SPL Token or SPL Token 2022 mint account is created. The address of this mint is a PDA derived from the unwrapped token's mint address and the wrapped token program ID. This ensures a unique, deterministic relationship between the wrapped and unwrapped tokens. The wrapped mint's authority is also a PDA, controlled by the Token Wrap program.
- Backpointer: An account (also a PDA, derived from the wrapped mint address) is created to store the address of the original unwrapped token mint. This allows anyone to easily determine the unwrapped token corresponding to a wrapped token, facilitating unwrapping.
-
Wrap: This operation accepts deposits of unwrapped tokens and mints wrapped tokens.- Unwrapped tokens are transferred from the user's account to a specific escrow Associated Token Account (ATA). This ATA is for the unwrapped mint, and its authority is a Program Derived Address (PDA) controlled by the Token Wrap program (unique for each wrapped mint).
- An equivalent amount of wrapped tokens is minted to the user's wrapped token account.
-
Unwrap: This operation burns wrapped tokens and releases unwrapped token deposits.- Wrapped tokens are burned from the user's wrapped token account.
- An equivalent amount of unwrapped tokens is transferred from the escrow account to the user's unwrapped token account.
-
CloseStuckEscrow: This operation handles an edge case with re-creating a mint with the MintCloseAuthority extension.- The escrow ATA can get "stuck" when an unwrapped mint with a close authority is closed and then a new mint is created at the same address but with different extensions, leaving the escrow ATA (Associated Token Account) in an incompatible state.
- The instruction closes the old escrow ATA and returns the lamports to a specified destination account.
- This operation will only succeed if the current escrow has zero balance and has different extensions than the mint.
- After closing the stuck escrow, the client is responsible for recreating the ATA with the correct extensions.
-
SyncMetadataToToken2022: This operation copies metadata from an unwrapped mint to its wrapped Token-2022 mint'sTokenMetadataextension.- It initializes the
TokenMetadataextension on the wrapped mint if it doesn't already exist. - The caller is responsible for pre-funding the wrapped mint account with enough lamports to cover the rent for the added space.
- Supports:
SPL Token -> Token-2022andToken-2022 -> Token-2022.
- It initializes the
-
SyncMetadataToSplToken: This operation copies metadata from an unwrapped mint to the Metaplex metadata account of its wrapped SPL Token mint.- It can create the Metaplex metadata account if it doesn't exist or update an existing one.
- The
wrapped_mint_authorityPDA acts as the payer for the Metaplex program CPI and must be pre-funded with sufficient lamports to cover rent for the Metaplex account. - Supports:
Token-2022 -> SPL TokenandSPL Token -> SPL Token.
The 1:1 relationship between wrapped and unwrapped tokens is maintained through the escrow mechanism, ensuring that wrapped tokens are always fully backed by their unwrapped counterparts.
Permissionless design
The SPL Token Wrap program is designed to be permissionless. This means:
- Anyone can create a wrapped mint: No special permissions or whitelisting is required to create a wrapped
version of an existing mint. The
CreateMintinstruction is open to all users, provided they can pay the required rent for the new accounts. - Anyone can wrap and unwrap tokens: Once a wrapped mint has been created, any user holding the underlying
unwrapped tokens can use the
WrapandUnwrapinstructions. All transfers are controlled by PDAs owned by the Token Wrap program itself. However, it is important to note that if the unwrapped token has a freeze authority, that freeze authority is preserved in the wrapped token.
Confidential Transfer extension
The ConfidentialTransferMint extension is added to every Token-2022 wrapped mint and initialized with the following
config:
- No Authority: The confidential transfer authority is set to
None, making the configuration immutable. This ensures that the privacy features cannot be disabled or altered after the wrapped mint is created. - No Auditor: The wrapped mints are created without a confidential transfer auditor. This means that there is no third party that can view the details of confidential transactions.
- Automatic Account Approval: New token accounts are approved for confidential transfers by default. This allows users to make private transactions permissionlessly.
Customizing mint
If the current wrapped mint config does not suit your needs, please fork! A few places you are going to want to update:
- Add a new struct that implements
MintCustomizerinprogram/src/mint_customizer - Replace the current one in use within the processor:
program/src/processor.rs - Re-run tests (see
package.json) and update/remove assertions to accommodate new config - If wanting to make use of clients:
- CLI: Update mint customizer type in
clients/cli/src/create_mint.rs - JS: Update mint size in
clients/js/src/create-mint.ts
- CLI: Update mint customizer type in
Deployments
- Program ID:
TwRapQCDhWkZRrDaHfZGuHxkZ91gHDRkyuzNqeU5MgR - Mainnet: (not yet deployed)
- Testnet: (not yet deployed)
Source
The Token Wrap Program's source is available on GitHub.
Security Audits
SDK
- Rust Crate: The program is written in Rust and available as the
spl-token-wrapcrate on crates.io and docs.rs. - JavaScript bindings for web development: @solana-program/token-wrap (source).
- Command-Line Interface (CLI): The
spl-token-wrap-cliutility allows direct interaction with the program via the command line for testing, scripting, or manual operations.
Reference Guide
Setup
The spl-token-wrap command-line utility can be used to interact with the Token Wrap program.
Install from crates.io
or, build the CLI from source:
Run spl-token-wrap --help for a full description of available commands.
The spl-token-wrap configuration is shared with the solana command-line tool.
Create a wrapped token mint
To create a new wrapped token mint, first you need to identify the unwrapped token mint address you want to wrap and the to/from token programs.
Find PDAs for a wrapped token
To interact with wrapped tokens, you need to know the PDAs (Program Derived Addresses) associated with them:
Create escrow account
Before wrapping tokens, if you are the first to do so for this wrapped mint, you may need to initialize the escrow account to custody the unwrapped tokens.
The account must be an ATA whose owner is the mint authority PDA (see find-pdas command above). There is also a helper to initialize this account:
Wrap tokens (single signer)
Escrows unwrapped tokens and mints wrapped tokens to recipient account.
You can specify a recipient token account with the --recipient-token-account option. If not provided, the associated token account of the fee payer will be used or created if it doesn't exist.
Wrap tokens (SPL Token Multisig)
An example wrapping tokens whose origin is a token account owned by an SPL Token multisig.
There are two parts to this. The first is having the multisig members sign the message independently. The second is the broadcaster collecting those signatures and sending the transaction to the network.
Let's pretend we have a 2 of 3 multisig and the broadcaster will be the fee payer. Here's what that would look like:
Get a recent blockhash. This will need to be the same for all signers.
First signer runs this command with their keypair:
Second signer uses their own keypair (note the change at the top):
Now the broadcaster (and in this case, the fee payer as well) sends the last message with the Pubkey=Signature they have collected from Signer 1 and Signer 2:
Note all three needed signers in final broadcasted message.
Unwrap tokens (single signer)
Burns wrapped tokens and releases unwrapped tokens from escrow.
Unwrap tokens (SPL Token Multisig)
An example unwrapping tokens whose origin is a token account owned by an SPL Token multisig.
There are two parts to this. The first is having the multisig members sign the message independently. The second is the broadcaster collecting those signatures and sending the transaction to the network.
Let's pretend we have a 2 of 3 multisig and the broadcaster will be the fee payer. Here's what that would look like:
Get a recent blockhash. This will need to be the same for all signers.
First signer runs this command with their keypair:
Second signer uses their own keypair (note the change at the top):
Now the broadcaster (and in this case, the fee payer as well) sends the last message with the Pubkey=Signature they have collected from Signer 1 and Signer 2:
Note all three needed signers in final broadcasted message.
Sync metadata to a wrapped Token-2022 mint
This instruction copies metadata from an unwrapped mint to its corresponding wrapped Token-2022 mint. This is useful when you want the wrapped version of your token to have on-chain metadata via the TokenMetadata extension.
This operation supports two main pathways:
- Syncing from a standard SPL Token with Metaplex metadata to a wrapped Token-2022 mint.
- Syncing from one Token-2022 mint to another wrapped Token-2022 mint.
Prerequisite: The wrapped Token-2022 mint account must be funded with enough lamports to cover the rent for the additional space required by the TokenMetadata extension.
When syncing from a standard SPL Token, the CLI can automatically derive the source Metaplex metadata PDA using the --metaplex flag.
Sync metadata to a wrapped SPL Token mint
This instruction copies metadata from an unwrapped mint to the Metaplex metadata account of its corresponding wrapped standard SPL Token mint.
This operation supports two main pathways:
- Syncing from a Token-2022 mint (with a
MetadataPointerextension) to a wrapped SPL Token mint. - Syncing from one standard SPL Token mint to another wrapped SPL Token mint.
Prerequisite: The wrapped_mint_authority PDA must be funded with enough lamports to pay the rent for creating or updating the Metaplex metadata account via a CPI.
When the unwrapped mint is a Token-2022 mint, the CLI will automatically resolve its metadata pointer.
Close a stuck escrow account
This is an advanced recovery instruction for a specific edge case involving Token-2022 mints with the MintCloseAuthority extension.
If such a mint is closed and then recreated at the same address but with different extensions (e.g., adding TransferFeeConfig), the original escrow Associated Token Account (ATA) becomes "stuck" because its extensions no longer match the new mint's requirements. This instruction allows you to close that incompatible escrow ATA and reclaim its lamports.
Prerequisites:
- The unwrapped mint must be a Token-2022 mint.
- The stuck escrow account must have a balance of zero tokens.
- The extensions on the escrow account must be different from those now required by the new mint.
After closing the stuck escrow, you will need to re-create it using the create-escrow-account command.