惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Application and Cybersecurity Blog
Application and Cybersecurity Blog
A
About on SuperTechFans
S
SegmentFault 最新的问题
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Help Net Security
Help Net Security
有赞技术团队
有赞技术团队
博客园 - 【当耐特】
O
OpenAI News
美团技术团队
月光博客
月光博客
Apple Machine Learning Research
Apple Machine Learning Research
Schneier on Security
Schneier on Security
Webroot Blog
Webroot Blog
Cyberwarzone
Cyberwarzone
Hacker News - Newest:
Hacker News - Newest: "LLM"
Google Online Security Blog
Google Online Security Blog
T
Tenable Blog
S
Security Affairs
博客园_首页
S
Schneier on Security
Security Latest
Security Latest
T
Threat Research - Cisco Blogs
T
Tailwind CSS Blog
大猫的无限游戏
大猫的无限游戏
Spread Privacy
Spread Privacy
量子位
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
K
Kaspersky official blog
Hugging Face - Blog
Hugging Face - Blog
TaoSecurity Blog
TaoSecurity Blog
博客园 - 聂微东
Vercel News
Vercel News
M
MIT News - Artificial intelligence
T
Troy Hunt's Blog
B
Blog
MongoDB | Blog
MongoDB | Blog
Martin Fowler
Martin Fowler
Attack and Defense Labs
Attack and Defense Labs
L
LINUX DO - 最新话题
D
DataBreaches.Net
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Stack Overflow Blog
Stack Overflow Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
博客园 - Franky
W
WeLiveSecurity
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
F
Fortinet All Blogs
www.infosecurity-magazine.com
www.infosecurity-magazine.com
C
Check Point Blog
H
Hacker News: Front Page

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
The Solana Account Model Explained: Everything is an Account
Lymah · 2026-05-17 · via DEV Community

The Aha Moment

During Epoch 1 of #100DaysOfSolana, I hit a wall. I'd built wallets, sent transactions, decoded data — but nothing clicked until I stopped thinking about Solana like traditional programming and started thinking about it as a system where everything is an account.

When I started learning Solana, I kept hearing this phrase: "everything is an account." It sounded like philosophy. But then it hit me: there are literally no users, no wallets, no programs in Solana — only accounts. Your wallet is an account. The Token Program is an account. The system clock is an account. Even your SOL balance is just data in an account.

This single concept unlocks everything else on Solana.

What Is an Account? The Five-Field Structure

Every account on Solana has exactly five fields:

{
  lamports: 5000000,           // Balance (1 SOL = 1 billion lamports)
  data: [0x00, 0x01, ...],     // Binary data (up to 10 MB)
  owner: "11111111111...",     // Program that can modify this account
  executable: false,            // Is this a program (true) or data (false)?
  rent_epoch: 18446744073709... // Rent exemption status
}

Enter fullscreen mode Exit fullscreen mode

That's it. Five fields. Everything on Solana fits into this model.
System Program account showing all 5 fields in Solana Explorer This is a real account (System Program) showing all five fields. You'll see this exact structure for every account on Solana.

Understanding Each Field

lamports - The account's balance in the smallest unit. Accounts must hold enough SOL (lamports) to be "rent-exempt" (roughly $0.02-$2 depending on data size). This prevents network spam. I built a rent calculator and went deeper on storage costs in my Week 2 post if you want the full breakdown.

data - Where the actual information lives. For a wallet, this is empty (0 bytes). For a program, this is bytecode. For a token mint, this is token metadata (supply, decimals, authorities). For a sysvar, this is cluster state.

owner - The program that has permission to modify this account's data. Your wallet is owned by the System Program (11111111111...), so only the System Program can transfer your SOL. A token mint is owned by the Token Program, so only it can mint new tokens.

executable - A boolean flag. If true, this account contains program code and can execute instructions. If false, it's just a data account.

rent_epoch - A legacy field from when Solana charged rent monthly. Now mostly ignored, but technically tracks when rent was last collected.

Three Account Types: Wallets, Programs, and Sysvars

Let me show you how the same five-field structure represents completely different things:
Comparison view showing Wallet vs Program vs SysvarSame five fields, three completely different meanings. This is the power of the account model.

Type 1: Your Wallet (A Data Account)

Owner:      11111111111111111111111111111111  ← System Program
Executable: false                              ← Stores data, not code
Data:       (empty, 0 bytes)
Lamports:   5000000000                         ← Your SOL balance
Rent Epoch: 18446744073709551615 (max)         ← Rent exempt

Enter fullscreen mode Exit fullscreen mode

A typical wallet account - System Program owned, no dataThis is what your wallet looks like on-chain: owned by System Program, no data, just lamports.

Your wallet is a System Program-owned account with empty data. The "balance" is just the lamports field. That's it.

Your wallet is a System Program-owned account with empty data. The "balance" is just the lamports field. That's it.

Key insight: You don't own your wallet — the System Program does. The System Program enforces the rules that only the private key owner can transfer SOL. Your keypair is the authorization mechanism, not the owner — if this distinction feels fuzzy, I covered how Solana identity and keypairs actually work in my Week 1 post. This is what "custody" means on Solana: the program is the enforcer.

Type 2: The Token Program (An Executable Account)

Owner:      BPFLoaderUpgradeab1e...          ← BPF Loader (manages programs)
Executable: true                              ← Contains program code
Data:       (36 bytes of bytecode)            ← The actual program logic
Lamports:   ~11 SOL                           ← Program's retained SOL
Rent Epoch: 18446744073709551615              ← Rent exempt

Enter fullscreen mode Exit fullscreen mode

Address: TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA
Token Program showing executable=true, much larger balance👆 Notice: executable=true, balance is 11+ SOL, owned by BPF Loader. This is a program account.

The Token Program is an executable account. Its data field contains the program bytecode that defines how tokens work. When you interact with a token (mint, transfer, burn), you're actually calling instructions in this program.

Key insight: Programs are just data stored in accounts. The Solana runtime reads the executable: true flag and knows to execute that account's code. This is why upgrading programs is so clean on Solana — you're just swapping the data in an account.

Type 3: Clock Sysvar (A System Data Account)

Owner: Sysvar1111111111111... ← Sysvar program
Executable: false ← Stores data, not code
Data: (40 bytes of binary time data) ← Current slot, epoch, timestamp
Lamports: ~1 SOL ← Enough for rent exemption
Rent Epoch: 18446744073709551615 ← Rent exempt
Address: SysvarC1ock11111111111111111111111111111111

Clock Sysvar showing executable=false, owned by Sysvar programThis sysvar is readable by every program but not executable. It contains cluster time state.

Why This Matters: Three Real-World Scenarios

The Clock sysvar is a read-only data account containing cluster-wide state. Every program can read the current slot, epoch, and Unix timestamp from this account. It's like /proc/uptime in Linux — a public system file anyone can read.

Key insight: Sysvars are how programs access external state without making RPC calls. The Solana runtime updates them every slot.

Scenario 1: Sending SOL to a Friend

When you send 1 SOL to a friend:

  1. Your wallet account (owned by System Program) loses 1 billion lamports
  2. Your friend's account gains 1 billion lamports
  3. The System Program enforces that only your keypair can authorize this

Both accounts follow the same five-field structure. The only difference is the keypair that can sign for them.

Scenario 2: Creating a Token

When someone creates a USDC token:

  1. They invoke the Token Program (an executable account)
  2. The Token Program creates a new account for the token mint
  3. That new account has the Token Program as its owner
  4. The Token Program stores token metadata in the mint account's data field

Same five-field structure. Different owner (Token Program instead of System Program).

Scenario 3: Reading the Network Time

Inside a program, you might read the current slot:

const clockSysvar = await connection.getAccountInfo(CLOCK_ADDRESS);
const decodedClock = parseClockData(clockSysvar.data);
console.log(`Current slot: ${decodedClock.slot}`);

Enter fullscreen mode Exit fullscreen mode

You're just reading the data field of an account. Solana's runtime automatically updates that account every slot.

The Permission Model: Who Can Modify What?

Here's the crucial rule: Only the account's owner program can modify its data.

  • If owner === SystemProgram, only the System Program can change this account
  • If owner === TokenProgram, only the Token Program can change this account
  • If owner === YourProgram, only your program can change this account

This is Solana's security model. You can't hack someone else's account because you don't own it. You can't create tokens because you don't own the token program. You can only modify accounts your program owns.

Exception: Anyone can send SOL to any wallet. The System Program allows this because receiving SOL doesn't modify the wallet's data field — it only changes lamports. Specifically, the System Program says: "Any keypair can increase another account's lamports, but only the keypair owning an account can decrease it."

That's a Solana transaction at its core — accounts changing state, programs enforcing the rules. If you want to understand how that transaction lifecycle actually works and how it differs from a REST API call, I went deep on it in my Week 3 post.

The Account Model in Action: Building an Explorer

To prove this, I built a simple account explorer that queries any address and shows all five fields:

// solana-account-explorer/explorer.mjs
import { createSolanaRpc, address } from "@solana/kit";

const rpc = createSolanaRpc("https://api.devnet.solana.com");

async function inspectAccount(addressString) {
  const acct = address(addressString);

  const [balance, accountInfo] = await Promise.all([
    rpc.getBalance(acct).send(),
    rpc.getAccountInfo(acct).send()
  ]);

  console.log(`Address: ${addressString}`);
  console.log(`Lamports (Balance): ${Number(balance.value)}`);
  console.log(`Owner: ${accountInfo.value?.owner}`);
  console.log(`Executable: ${accountInfo.value?.executable}`);
  console.log(`Data Length: ${accountInfo.value?.data.length} bytes`);
  console.log(`Rent Epoch: ${accountInfo.value?.rentEpoch}`);
}

// Try it:
// node explorer.mjs 11111111111111111111111111111111

Enter fullscreen mode Exit fullscreen mode

Account explorer terminal output showing all 5 fields for 3 different accounts
Account explorer terminal output showing all 5 fields for 3 different accounts
Account explorer terminal output showing all 5 fields for 3 different accounts
This tool runs the exact same query on System Program, Token Program, and a wallet. Same structure, different values.

Run this on any Solana address, and you'll see those five fields. Every account. Always the same structure.

Common Misconceptions

❌ "Wallets are real objects"

✅ Wallets are just accounts with the System Program as owner and empty data. The "wallet" concept is a UI abstraction.

❌ "I own my wallet"

✅ The System Program owns your wallet. Your keypair is the authorization mechanism, not the owner. This is actually safer — you can't accidentally delete your wallet.

❌ "Programs can access any account"

✅ Programs can read any account (it's all public data), but they can only modify accounts they own. This is enforced by the Solana runtime.

❌ "The blockchain stores all your data"

✅ The blockchain stores account states. Your actual data lives in those accounts. Different mental model!

Everything Else Is Just Accounts (Seriously)

Once the five-field structure clicks, everything else becomes obvious:

  • Transactions - Signed instructions that modify accounts. A transaction is just a request to change the lamports or data field.
  • Programs - Executable accounts that enforce the rules for modification. They're the gatekeepers.
  • Tokens - Just accounts owned by the Token Program. The token's supply, decimals, authorities? All in the account's data field.
  • NFTs - Same structure. Metadata lives in the account's data. The blockchain isn't storing the image; it's storing a pointer in an account.
  • Wallets - Accounts owned by System Program with no data.
  • DeFi - Programs managing accounts representing liquidity pools, positions, swaps. Every protocol is just accounts + programs enforcing rules.
  • AMMs - Programs that maintain accounts for token reserves and user positions.

All of it. Accounts and the programs that manage them.

What to Do Next

  1. Explore it yourself

  2. Try the inspector

   solana account 11111111111111111111111111111111

Enter fullscreen mode Exit fullscreen mode

This shows you a real System Program account.

  1. Build your own reader
   const connection = new Connection("https://api.devnet.solana.com");
   const accountInfo = await connection.getAccountInfo(publicKey);
   // Now you have: lamports, data, owner, executable, rentEpoch

Enter fullscreen mode Exit fullscreen mode

  1. Understand ownership When building a program, remember: you own accounts your program creates. You can modify them. Users' wallets you can't modify (only System Program can). This shapes how you architect everything.

## The Takeaway

The Solana Account Model is deceptively simple: five fields, one permission rule. That's the entire foundation.

Everything on Solana — wallets, programs, tokens, NFTs, liquidity pools, governance, system clocks, rent — fits perfectly into this structure. There's no special case for "smart contracts" or "user accounts." No complexity hidden in different data structures. Just five fields, repeated across millions of accounts, with one rule controlling who can modify them.

Master this concept, and you've unlocked the mental model for understanding not just Solana, but why Solana is architecturally different from every other blockchain.

Next time someone says "everything is an account," you'll understand exactly why they're right — and why that matters.


Series: The Account Model Foundation

  • Part 1: The Account Model Explained (this post)
  • Part 2: Building an Account Explorer (coming May 17)
  • Part 3: Decoding Account Data (coming May 19)
  • Part 4: System Program Deep Dive (coming May 21)

What aspect of the account model confused you most? Let me know in the comments — I'll update this post with clarifications!

Part of the 100 Days of Solana Epoch 1 challenge.