A privacy-first cross-chain
lending protocol on Solana.

Veil is an over-collateralised lending protocol on Solana. It accepts SPL tokens as collateral natively and is designed to extend, without bridging, to native Bitcoin and Ethereum via Ika MPC dWallets, and to physical gold via Oro's GRAIL settlement layer. Each position can opt into amount-private accounting backed by Encrypt's REFHE construction; plaintext health checks remain the authoritative solvency rule.

The on-chain program is implemented in Pinocchio 0.11.1. A two-slope kink interest-rate model, index-based share accounting, and an Aave-style liquidation engine (50 % close factor, 5 % liquidation bonus, 10 % protocol fee) provide the economic backbone. An off-chain allowlist on Neon Postgres curates which wallets are permitted to act as pool administrators for new markets; on-chain administrative authority is independently bound to LendingPool.authority.

1.1Two structural blockers in DeFi lending

Two forces keep institutional and high-net-worth capital out of on-chain credit markets. Liquidity fragmentation across chains: the largest pools of value sit in native Bitcoin, native Ethereum, and physical gold. Bringing any of these into a Solana lending market today requires bridging or wrapping — introducing custody risk, smart-contract risk, and trusted multi-sigs. Position transparency: Aave and Compound disclose every user's collateral, debt, liquidation price, and strategy on a public ledger. For market makers, treasuries, and funds, this leaks inventory and invites front-running.

1.2Veil's response

3.1Components

┌──────────────────────────────────────────────────────────────────────┐
│                            Veil Program                              │
│                       (Pinocchio 0.11.1, no_std)                     │
│                                                                      │
│   LendingPool ←─→ UserPosition         EncryptedPosition (optional)  │
│   (1 / mint)      (1 / user / pool)    (1 / user / pool)             │
│         │                                                            │
│         │  oracle_price, oracle_conf cached on every UpdateOracle    │
│         ▼                                                            │
│   Pyth legacy push-oracle account (per pool, address-anchored)       │
│                                                                      │
│   Cross-chain collateral                                             │
│   IkaDwalletPosition ───CPI──→ Ika dWallet program                   │
└──────────────────────────────────────────────────────────────────────┘
              ▲                                  ▲
              │ tx submission (web3.js)          │ permissionless reads
              │                                  │
   Next.js dApp + admin panel ────────────→  Neon Postgres
   (/dapp, /dapp/admin, /dapp/liquidate)    (allowlist · tx_log · cache
                                             positions · auth_nonces)

3.2Roles

All accounts are #[repr(C)]zero-copy structs. They are read by direct raw pointer cast (Pinocchio idiom). The first eight bytes are an ASCII discriminator; subsequent fields are little-endian on Solana's BPF target.

4.1LendingPool — 416 bytes

One per token market. PDA seeds: [b"pool", token_mint]. Source: programs/src/state/lending_pool.rs; SIZE = 416 at line 114.

4.2UserPosition — 144 bytes

One per (user, pool). PDA seeds: [b"position", pool, user]. Source: programs/src/instructions/deposit.rs:82,94.

4.3EncryptedPosition — 144 bytes

Optional, created by EnablePrivacy. Seeds: [b"enc_pos", owner, pool]. Holds two ciphertext-account pubkeys (enc_deposit, enc_debt) on the Encrypt program.

4.4IkaDwalletPosition — 128 bytes

Tracks a registered Ika dWallet pledged as collateral. Seeds: [b"ika_pos", pool, user]. Status field tracks ACTIVE | RELEASED | LIQUIDATED.

All rates and indices live in WAD space, where WAD = 10¹⁸ = 1.0. Token amounts are u64 in their native units; they are widened to u128 only inside arithmetic and narrowed back at the boundary. All formulas appear verbatim in programs/src/math.rs.

5.1Constants

WAD               = 1_000_000_000_000_000_000      // line 16
SECONDS_PER_YEAR  = 31_536_000                     // line 19

BASE_RATE         = WAD / 100         ≈  1 % apr   // line 23
OPTIMAL_UTIL      = WAD * 80 / 100    =  80 %      // line 24
SLOPE1            = WAD *  4 / 100    =   4 % apr  // line 25
SLOPE2            = WAD * 75 / 100    =  75 % apr  // line 26
RESERVE_FACTOR    = WAD / 10          =  10 %      // line 27
LTV               = WAD * 75 / 100    =  75 %      // line 28
LIQ_THRESHOLD     = WAD * 80 / 100    =  80 %      // line 29
LIQ_BONUS         = WAD *  5 / 100    =   5 %      // line 30
PROTOCOL_LIQ_FEE  = WAD / 10          =  10 % of bonus
CLOSE_FACTOR      = WAD / 2           =  50 %
FLASH_FEE_BPS     = 9                 ≈ 0.09 %     // line 35
FLASH_PROTOCOL_SHARE_BPS = 10                     // line 37
FLASH_LP_SHARE_BPS       = 90                     // line 39

5.2Borrow rate (two-slope kink)

             ⎧ R₀ + (U / U_opt) × S₁                          if U ≤ U_opt
borrow_rate =⎨
             ⎩ R₀ + S₁ + ((U − U_opt) / (1 − U_opt)) × S₂      if U > U_opt

Verified by tests borrow_rate_at_kink, borrow_rate_above_kink_full, borrow_rate_monotonically_increasing (math.rs:374-417).

5.3Supply rate

supply_rate = borrow_rate × U × (1 − reserve_factor)

5.4Index accrual

Simple interest within a single accrual call; calls compose into compound interest across blocks. Per call, with elapsed Δt seconds:

borrow_index_new = borrow_index × (1 + borrow_rate × Δt / SECONDS_PER_YEAR)
supply_index_new = supply_index × (1 + supply_rate × Δt / SECONDS_PER_YEAR)

5.5Health factor

HF = (deposit_balance × liquidation_threshold) / debt_balance     (WAD)
HF = u128::MAX                if debt_balance == 0

A position is liquidatable iff HF < WAD. The boundary is exact: HF == WAD is not liquidatable.

5.6Liquidation

repay_amount      = current_debt × close_factor                ≤ 50 %
seized_collateral = repay_amount × (1 + liquidation_bonus)     +5 % bonus
protocol_fee      = seized_collateral × protocol_liq_fee       10 % cut
liquidator_gets   = seized_collateral − protocol_fee

5.7Flash-loan economics

fee = amount × flash_fee_bps / 10_000
(lp_portion, protocol_portion) = (fee − fee/10,  fee/10)

The 10 % protocol cut is integer-divided first; the LP portion takes the remainder. total_deposits grows by lp_portion; accumulated_fees grows by protocol_portion.

The dispatcher is a single-byte switch on data[0]: programs/src/entrypoint.rs:28-50. There is no Anchor 8-byte hash. All u64 fields are little-endian; all u128 fields are little-endian (low 8 bytes followed by high 8 bytes).

Veil splits authorization into two independent layers that must both be satisfied to administer a canonical pool through the curated UI.

7.1Signed-nonce handshake

1.  UI POSTs /api/auth/nonce {pubkey, action}
    Server returns a 16-byte hex nonce + canonical message:
       "Veil admin auth\nAction: <action>\nNonce: <nonce>"
    TTL: 5 minutes. Stored in auth_nonces.
2.  Wallet signs the exact bytes (ed25519 detached signature).
3.  UI POSTs the protected endpoint with {actor, nonce, signature, …}.
4.  Server, in this order:
    a. verifies ed25519 signature over canonical message     (TweetNaCl)
    b. atomically DELETE … RETURNING the nonce row          (single use)
    c. checks pool_admins membership and revoked_at         (registry)
    d. if requireRole == 'super_admin', enforces role       (privilege)
5.  On any failure, returns 401 with redacted reason. Nonce
    consumption is idempotent; replay produces "nonce invalid".

Veil reads Pyth legacy push-oracle accounts directly without the Pyth SDK. The per-call validation pipeline:

1. data.len() ≥ 228         → else OracleInvalid       (6024)
2. magic == 0xa1b2c3d4      → else OracleInvalid
3. atype == 3 (Price)       → else OracleInvalid
4. agg.price > 0            → else OracleInvalid
5. agg.status == 1          → else OraclePriceStale   (6025)
6. agg.conf ≤ price / 50    → else OracleConfTooWide  (6027)

After the first successful update, pool.pyth_price_feed records the feed account address; subsequent calls with a different feed return OraclePriceFeedMismatch (6026). The 2 % confidence cap is the load-bearing defence against flash-loan-driven oracle manipulation: during such an attack Pyth's aggregation widens the confidence interval before the aggregate price is fully deflected.

Privacy is opt-in per (user, pool). EnablePrivacy creates an EncryptedPosition PDA and two ciphertext accounts on the Encrypt program, seeded with the user's current plaintext deposit and debt. The four Private* instructions (0x09-0x0C) replicate the plaintext flow and emit Encrypt CPIs that update ciphertexts homomorphically.

Solvency under FHE. Health checks run homomorphically. The Encrypt evaluator returns a plaintext boolean (healthy?) to Veil, which decides whether to allow the borrow or withdraw. Underlying balances are never decrypted on-chain.

An Ika dWallet is a programmable signing primitive: an MPC-managed key governed by a programmable authority address. Veil registers a dWallet by verifying that its on-chain authority field equals Veil's CPI authority PDA ([b"__ika_cpi_authority"] on Veil's program ID, programs/src/ika/mod.rs:67). While registered, the dWallet can only sign when Veil approves the message via IkaSign.

IkaRelease returns the dWallet to the user iff the position is ACTIVE (not LIQUIDATED). A liquidated dWallet remains under Veil's control for recovery.

11.1Web stack

11.2Postgres tables (Neon)

Eleven endpoints, all in veil-landing/app/api/**/route.ts, running on the Node runtime. The Neon HTTP driver is used for DB access; no per-request WebSocket pool. Numeric on-chain quantities are returned as strings to preserve u64/u128 fidelity.

12.1Endpoint surface

12.2Authenticated request envelope

Authenticated endpoints take a common preamble plus an action-specific payload:

POST /api/admin/allowlist
Content-Type: application/json

{
  "actor":     "<base58 super-admin pubkey>",
  "nonce":     "<32-hex-char nonce from /api/auth/nonce>",
  "signature": "<base58 ed25519 sig over the canonical message>",
  "pubkey":    "<wallet to add>",
  "role":      "pool_admin" | "super_admin",
  "label":     "<optional human label>"
}

The canonical message the wallet signs:

Veil admin auth
Action: add_admin:<pubkey>:<role>
Nonce: <nonce>

Wire format: UTF-8 bytes, two LF separators. The signature must be valid ed25519 detached over those exact bytes.

12.3Response shape · /api/pools

{
  "pools": [
    {
      "pool_address": "...",
      "token_mint":   "...",
      "symbol":       "USDC" | null,
      "authority":    "...",
      "vault":        "...",
      "pool_bump":    254,
      "authority_bump": 255,
      "vault_bump":   0,
      "paused":       false,
      "total_deposits":   "0",
      "total_borrows":    "0",
      "accumulated_fees": "0",
      "ltv_wad":                    "750000000000000000",
      "liquidation_threshold_wad":  "800000000000000000",
      "liquidation_bonus_wad":      "50000000000000000",
      "protocol_liq_fee_wad":       "100000000000000000",
      "reserve_factor_wad":         "100000000000000000",
      "close_factor_wad":           "500000000000000000",
      "base_rate_wad":              "10000000000000000",
      "optimal_util_wad":           "800000000000000000",
      "slope1_wad":                 "40000000000000000",
      "slope2_wad":                 "750000000000000000",
      "flash_fee_bps":              9,
      "oracle_price":               null,
      "oracle_conf":                null,
      "oracle_expo":                null,
      "pyth_price_feed":            null,
      "created_by":     "...",
      "init_signature": "...",
      "last_synced_at": "...",
      "created_at":     "..."
    }
  ]
}

12.4Error code mapping

API errors map to short, redacted strings to avoid leaking implementation detail. The set is closed:

A defence-in-depth survey of the protocol's attack surface. Each finding is tagged with a status: SAFE (mitigated by current code), DEFENSE (recommended hardening before mainnet), or OPEN (a known gap that must be addressed). Findings cite source where applicable.

13.1On-chain · economic vectors

13.2On-chain · cross-program vectors

13.3Off-chain · API and database vectors

13.4Cryptographic / privacy vectors

13.5Hardening checklist before mainnet

[ ]  pool.authority is a Squads multisig vault PDA
[ ]  Squads is fronted by a governance program with timelock
[ ]  UpdatePool deltas capped per block at the program level
[ ]  Initialize takes expected-pyth-feed in data (closes A-04, A-09)
[ ]  IkaLiquidate / dWallet ownership-transfer instruction shipped (X-01)
[ ]  Per-IP and per-pubkey rate limit on /api/auth/nonce (O-05)
[ ]  Origin baked into canonical signed message (O-03)
[ ]  Postgres least-privilege roles for read / write / super-admin (O-04)
[ ]  Signature redaction in server logs (O-09)
[ ]  CI guard rejecting NEXT_PUBLIC_*postgres* variables (O-10)
[ ]  Atomic role check + nonce consume in one SQL statement (O-06)
[ ]  Token-program-id explicit assertion in every transfer instruction (A-12)
[ ]  user_token != vault assertion in deposit/withdraw/borrow/repay (A-13)
[ ]  Oracle keeper: refresh atomically with sensitive ix (A-07)
[ ]  Audit (third-party, scope: full program + API)

Two structural differences are worth highlighting. Single-asset positions: a Veil UserPosition is bound to one pool — you can deposit USDC and borrow USDC against it, but not deposit BTC and borrow USDC. Cross-asset positions are a v1 design item. Native vs wrapped cross-chain: Aave-on-Solana via wrapped BTC requires a bridge custody assumption. Veil-via-Ika requires an MPC committee honesty assumption with the user as a co-signer. The trust profile is different in kind, not just degree.

All 28 error variants. Source: programs/src/errors.rs:5-62.

1. [01]Aave V3 — Whitepaper. Two-slope kink interest model, close-factor and liquidation-bonus design.
2. [02]Compound V2 — Earliest production deployment of the index-based share-accounting model.
3. [03]Pinocchio — Solana zero-copy program framework. github.com/febo/pinocchio
4. [04]Pyth Network — Push-oracle aggregation across publishers. pyth.network
5. [05]Ika dWallet protocol — Programmable MPC signing for cross-chain assets. github.com/dwallet-labs/ika
6. [06]Encrypt FHE / REFHE — Fully-homomorphic-encryption construction used for amount privacy. docs.encrypt.xyz
7. [07]Oro / GRAIL — Physical-gold settlement layer. docs.grail.oro.finance
8. [08]EIP-4361 (SIWE) — Sign-In with Ethereum — domain-bound canonical message format. Referenced as model for O-03.
9. [09]Veil program source — programs/src/
10. [10]Veil dApp + API — veil-landing/
11. [11]Veil docs site — docs/content/