惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

aimingoo的专栏
aimingoo的专栏
人人都是产品经理
人人都是产品经理
M
MIT News - Artificial intelligence
C
Cybersecurity and Infrastructure Security Agency CISA
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
爱范儿
爱范儿
Spread Privacy
Spread Privacy
P
Palo Alto Networks Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
T
The Blog of Author Tim Ferriss
The Cloudflare Blog
WordPress大学
WordPress大学
小众软件
小众软件
H
Help Net Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Blog — PlanetScale
Blog — PlanetScale
V2EX - 技术
V2EX - 技术
H
Hacker News: Front Page
Last Week in AI
Last Week in AI
D
DataBreaches.Net
V
V2EX
S
Securelist
C
CXSECURITY Database RSS Feed - CXSecurity.com
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tenable Blog
Cloudbric
Cloudbric
月光博客
月光博客
Y
Y Combinator Blog
博客园 - 三生石上(FineUI控件)
N
News and Events Feed by Topic
K
Kaspersky official blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
S
Secure Thoughts
S
Security Affairs
W
WeLiveSecurity
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
The Last Watchdog
The Last Watchdog
AI
AI
有赞技术团队
有赞技术团队
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园 - 【当耐特】
罗磊的独立博客
Google DeepMind News
Google DeepMind News
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
N
Netflix TechBlog - Medium
PCI Perspectives
PCI Perspectives
SecWiki News
SecWiki News
IT之家
IT之家
Microsoft Azure Blog
Microsoft Azure Blog
V
Visual Studio Blog

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Three Token-2022 Mints in One Week: Fees, Yield, and Soulbound
Lymah · 2026-06-14 · via DEV Community

If you come from Web2, you probably think of a token as a number in a database that moves around when people transact. On Solana, the original SPL Token program is exactly that. Token-2022 is the upgrade — and it lets you bolt behaviors directly onto the mint itself, the way you would add middleware to a payment pipeline, except the middleware lives inside the asset and cannot be bypassed.

This week I shipped three different mints on Solana devnet, each
demonstrating a different Token-2022 extension. Here's what I built, the exact commands I ran, and when you'd actually reach for each one.


Mint 1: Transfer Fee (Days 50–51)

Mint address: ACvRnk4m9fDji76fq74n7Nzwo6tUcPyajmgi3jX9BY1Q
View on Solana Explorer

Extension: TransferFeeConfig

spl-token create-token \
  --program-id TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb \
  --decimals 6 \
  --transfer-fee-basis-points 100 \
  --transfer-fee-maximum-fee 1000000

This creates a mint where every transfer automatically withholds 1%
(100 basis points) into the recipient's account. The recipient can't spend the withheld amount — only the withdraw authority (whoever created the mint) can sweep it out.

When you'd use this: Protocol treasury fees, creator royalties on
a community token, or a skim on every transaction in a marketplace.
The fee logic is enforced by the Token-2022 program itself. No wallet, no dApp, no smart contract can route around it.

After creating the mint, I transferred 1,000 tokens to a second wallet:

spl-token transfer \
  --expected-fee 10 \
  $MINT 1000 $RECIPIENT \
  --allow-unfunded-recipient

The --expected-fee 10 flag is a safety check — the transfer aborts if the calculated fee doesn't match. Out of 1,000 tokens sent, the recipient received 990. Ten tokens sat withheld in their account until I swept them:

spl-token withdraw-withheld-tokens $MY_TOKEN_ACCOUNT $RECIPIENT_TOKEN_ACCOUNT

My final balance: 1,000,010 tokens. That extra 10 is the fee I collected.


Mint 2: Transfer Fee + Interest (Day 52)

Mint address: A2qxipYpyY4gs1BAwv45U88Uj9RuuseEwCiB3s76ZB2J
View on Solana Explorer

Extensions: TransferFeeConfig + InterestBearingConfig

spl-token create-token \
  --program-id TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb \
  --decimals 6 \
  --transfer-fee-basis-points 100 \
  --transfer-fee-maximum-fee 1000000 \
  --interest-rate 5000

One command. Two extensions. Both baked into the same mint account.

What the interest extension actually does — and doesn't do:
This is the part I wish someone had told me upfront. The
InterestBearingConfig extension does not mint new tokens over
time. Your raw on-chain balance never changes. What changes is the displayed (UI) amount — a formula applied on the fly using the stored rate and the network's clock:
UI Amount = raw_balance × e^(rate × elapsed_years)

It's a view, not a balance update. No transaction runs. No new tokens appear. The number you see in a wallet grows because the display formula grows — not because your account data changed.

To make the effect visible quickly I used 50% APR (5,000 basis
points). Two snapshots 30 seconds apart:

Snapshot 1: 1,000,000.069191 tokens
Snapshot 2: 1,000,000.544703 tokens
Growth:     +0.475512 tokens in 30s

No transaction ran between those two reads.

When you'd use this: Yield-bearing stablecoins, savings-style
tokens, or any token where you want the displayed value to grow as a function of time without actually minting supply on a schedule.


Mint 3: Non-Transferable / Soulbound (Day 54)

Mint address: 39eGRkFWbb52icCEdoaqSRtjH257KGHhhssZ2J3b2RdA
View on Solana Explorer

Extension: NonTransferable

spl-token create-token \
  --program-id TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb \
  --enable-non-transferable

This mint produces tokens that cannot be sent anywhere. Once a token lands in a wallet, it stays there. The holder is the holder forever.

I minted one token to myself, created a recipient wallet, then tried to transfer:

spl-token transfer $MINT 1 $RECIPIENT --allow-unfunded-recipient

The response:

Error 0x25: NonTransferable — token program rejected transfer
Transaction simulation failed: Error processing instruction

That error didn't come from my code. It didn't come from a smart
contract I wrote. It came from the Token-2022 program refusing the instruction. My balance was unchanged. The token was still with me.

When you'd use this: Course completion badges, KYC verification tokens, DAO membership credentials, employee IDs. Anything where the value comes from who holds it, not from being tradeable.

In Web2, you'd enforce this at the application layer — a database
constraint, an API check. Someone who talks to the database directly can bypass that. On Solana the rule is inside the program that owns the asset. There is no around.


What the Audit Taught Me

On Day 53 I ran the Solana equivalent of DESCRIBE against all three mints — reading every extension the protocol sees on each account:

spl-token display $MINT_ADDRESS

The output confirmed everything I had configured was actually there.
But the more interesting thing was the account sizes:

Mint Extensions Size
Day 50 TransferFeeConfig 278 bytes
Day 52 TransferFeeConfig + InterestBearingConfig 334 bytes

56 bytes more for the second extension. Those bytes cost SOL in
rent-exempt deposits. Extensions are not free. You choose them
deliberately at mint creation time — and you can't add them later.
That constraint forces upfront design in a way I actually appreciate.


What Surprised Me

The thing I expected least: extensions are completely independent.
The transfer fee operates on the raw token amount. The interest
display formula also operates on the raw amount. They don't interfere with each other at all. I kept expecting some interaction, some edge case where they'd conflict. There isn't one. Two different TLV entries in the same byte buffer, each doing its own thing, neither knowing the other exists.

The thing I'd reach for in a real product: NonTransferable +
metadata on a single mint. A credential system where the badge is
self-describing (name, issuer, URI) and permanently bound to the
wallet that earned it. No backend. No revocation list. Just a token with rules baked in.


Resources


This post is part of *#100DaysOfSolana*. Building on devnet every day — follow along or jump in any time.