Releases: DSB-117/brainblast

brainblast v0.7.6 — Protocol Pack Library

20 Jun 19:29
e3dda27

The distribution play. Every Solana app is built on some combination of Jupiter, Raydium, Pyth, Meteora, Jito, … — each with its own silent footguns. A pack per protocol means you opt into research + enforcement for the exact stack you build on, before a line is written:

brainblast --packs jupiter,pyth .

Three new protocol packs (opt-in, pure-data, proven RED → GREEN)

  • pyth-price-unchecked-staleness — getPriceUnchecked() (ignores staleness) → getPriceNoOlderThan(maxAge). Pairs with the live brainblast oracle check.
  • meteora-dlmm-zero-min-out — DLMM swap({ minOutAmount: new BN(0) }) removes the slippage floor (sandwich exposure).
  • jito-bundle-zero-tip — a Jito bundle sent with a 0 tip is deprioritized and never lands, while the send call still returns a bundle id.

Joins the existing Jupiter, Raydium, Metaplex, Solana-sendtx, and SPL packs — 8 bundled protocol packs.

Distribution UX

  • brainblast --packs <name> resolves a protocol name ("jupiter", "pyth") to its bundled pack, not just a path. brainblast packs lists the library. Packs ship inside the npm package, so npx brainblast --packs jupiter,pyth works with no checkout.
  • object-arg-property-forbidden-literal is now BN(0)-aware — flags the idiomatic new BN(0) / BN("0") / anchor.BN(0), not just bare 0.
  • A CI guard validates every bundled pack RED → GREEN. 439 tests green.

Also in this release

  • Rename (corrects v0.7.5): brainblast economics → brainblast fee-configs; checker economic-value-zero-or-missing → fee-configs-zero-or-missing; the feature is the Fee Config Validator. The metaplex-seller-fee-zero rule id is unchanged.

npx brainblast@0.7.6 packs

The brainblast CLI publishes to npm automatically via the brainblast-v0.7.6 tag (publish-cli workflow).

brainblast v0.7.5 — Token Economics Validator

20 Jun 17:56
139d998

The Bags exploit, generalized. The Bags trap (a creator wallet silently omitted from a fee split, earning $0 forever) was one instance of a class:

A revenue-bearing field that, if omitted or zeroed, silently defaults to no value. The call succeeds, nothing reverts, and a fee / royalty / reward is never collected — permanently.

New checker: economic-value-zero-or-missing

Validates a revenue field on a setup/config call: FAIL when omitted (defaults to zero) or a literal 0; PASS when a non-zero literal or a non-literal expression (intentionally set). Robust to as any casts.
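The decision described above, as an added example that is not brainblast's own checker: a simplified model of the omitted / literal-zero / non-zero / non-literal classification for one revenue field, with the BN(0) idioms treated as zero. Property values are passed as their raw source text, as a parser would hand them over; parsing the call itself is outside the example, and the sample argument objects are constructed.

```javascript
// Added example, not brainblast's own checker: a simplified model of the
// "economic-value-zero-or-missing" decision applied to one revenue field of a
// setup/config object literal. Each property value is given as its raw source
// text, as a parser would hand it over; parsing the call itself is out of scope.

// Does the first "(" pair with the last ")"? Lets `(0 as any)` be unwrapped
// safely while something like `f(a) + g(b)` is left alone.
function outerParensMatch(s) {
  if (!s.startsWith('(') || !s.endsWith(')')) return false;
  let depth = 0;
  for (let i = 0; i < s.length; i++) {
    if (s[i] === '(') depth++;
    else if (s[i] === ')') depth--;
    if (depth === 0 && i < s.length - 1) return false; // closed before the end
  }
  return depth === 0;
}

// Peel off wrapping parentheses and trailing TypeScript casts (`x as any`,
// `x as number`) until the expression is stable.
function normalize(expr) {
  let s = expr.trim();
  for (;;) {
    const before = s;
    s = s.replace(/\s+as\s+[\w.<>\[\]|&]+$/, '').trim();
    if (outerParensMatch(s)) s = s.slice(1, -1).trim();
    if (s === before) return s;
  }
}

// Literal forms that evaluate to zero, including the BN idioms:
// 0, 0.0, 0x0, "0", '0', new BN(0), BN("0"), anchor.BN(0), new anchor.BN('0').
const ZERO_LITERAL = /^(?:0+(?:\.0+)?|0x0+|["']0+["']|(?:new\s+)?(?:\w+\.)?BN\s*\(\s*(?:0+|["']0+["'])\s*\))$/;
// Any numeric literal in the same forms (checked only after ZERO_LITERAL fails).
const NUMERIC_LITERAL = /^(?:\d+(?:\.\d+)?|0x[0-9a-fA-F]+|["']\d+["']|(?:new\s+)?(?:\w+\.)?BN\s*\(\s*(?:\d+|["']\d+["'])\s*\))$/;

function classifyValue(rawExpr) {
  const s = normalize(rawExpr);
  if (ZERO_LITERAL.test(s)) return 'zero-literal';
  if (NUMERIC_LITERAL.test(s)) return 'nonzero-literal';
  return 'non-literal';
}

// props: { propertyName: rawSourceTextOfValue }; field: the revenue field to check.
function checkRevenueField(props, field) {
  if (!Object.prototype.hasOwnProperty.call(props, field)) {
    return { status: 'FAIL', reason: `${field} omitted (defaults to zero)` };
  }
  const kind = classifyValue(props[field]);
  if (kind === 'zero-literal') return { status: 'FAIL', reason: `${field} is a literal zero` };
  if (kind === 'nonzero-literal') return { status: 'PASS', reason: `${field} is a non-zero literal` };
  return { status: 'PASS', reason: `${field} is a non-literal expression (intentionally set)` };
}

// Constructed sample argument objects, as they would be extracted from calls such
// as metaplex.nfts().create({ ... }).
const SAMPLES = [
  { name: 'omitted',       props: { name: '"Brain"', symbol: '"BB"' } },
  { name: 'bare zero',     props: { sellerFeeBasisPoints: '0' } },
  { name: 'cast zero',     props: { sellerFeeBasisPoints: '(0 as any)' } },
  { name: 'BN zero',       props: { sellerFeeBasisPoints: 'new BN(0)' } },
  { name: 'anchor BN "0"', props: { sellerFeeBasisPoints: 'anchor.BN("0")' } },
  { name: 'five percent',  props: { sellerFeeBasisPoints: '500' } },
  { name: 'from config',   props: { sellerFeeBasisPoints: 'config.royaltyBps as number' } },
];

function runSamples(field = 'sellerFeeBasisPoints') {
  return SAMPLES.map(s => ({ name: s.name, ...checkRevenueField(s.props, field) }));
}

if (typeof require !== 'undefined' && require.main === module) console.table(runSamples());
```

The two PASS branches are deliberately different in spirit: a non-zero literal is evidence the author chose a value, and a non-literal expression is evidence the value is computed somewhere else, so the check stays quiet on both and only fires on the silent-default cases.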

New bundled rule: metaplex-seller-fee-zero (HIGH)

A Metaplex token minted with sellerFeeBasisPoints omitted or zero earns creators no royalties on secondary sales, permanently. Vulnerable/fixed fixtures (RED→GREEN). Bundled rule set: 17 → 18.

brainblast economics [id]

A curated catalog of the silent zero-revenue class across fees, royalties, and rewards:

Category  | SDK                  | Field                  | Status
Royalties | Metaplex             | sellerFeeBasisPoints   | ✅ enforced
Fees      | Bags                 | feeClaimers[].userBps  | ✅ enforced
Fees      | Token-2022           | transferFeeBasisPoints | ⚠️ advisory
Rewards   | staking/LP (generic) | rewardRate             | ⚠️ advisory

An integrity test guarantees every entry maps to a rule that actually exists, and ties the original Bags trap back into the generalized class. 20 new tests (427 total green). New /brainblast-economics slash command.


npx brainblast@0.7.5 economics

The brainblast CLI publishes to npm automatically via the brainblast-v0.7.5 tag (publish-cli workflow).

brainblast v0.7.4 — Live On-Chain Intelligence

20 Jun 14:31
e4aa6ea

Answers, from live RPC, two questions Solana devs otherwise work out by hand on Solscan.

Is the upgrade authority a multisig? (extends trust-graph)

The RPC probe already resolved the authority address but could only mark it unknown. It now reads the authority account's owner program to classify it:

Owner program           | Verdict
System Program          | ⚠️ single-key (one key can replace the program)
Squads                  | 🔐 multisig
SPL Governance (Realms) | 🏛 dao
anything else           | unknown (owner recorded, never a false single-key)

The renderer shows the classifying owner and an at-a-glance Trust line per program: authority · verified build · audited.

Is the oracle fresh? (brainblast oracle <account>)

A provider-agnostic freshness gate — instead of parsing each oracle's binary layout, it measures the universal signal: the slot of the most recent transaction touching the account vs. the current slot.

  • Reports FRESH / STALE / NO_HISTORY with slots/seconds behind.
  • --max-staleness-slots N / --max-staleness-seconds N (default 150 slots ≈ 60s).
  • Exit 1 on STALE or NO_HISTORY — drop it in front of any pricing path. --json for agents.

Works for Pyth, Switchboard, Chainlink, or any account whose freshness means "written recently."
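Both verdicts above, the authority classification by owner program and the freshness gate, as an added example that is not brainblast's own code. The RPC fetches (the owner of the authority account, the slot of the account's newest signature, the current slot) are left to the caller; the inputs here are constructed. The System Program id is the fixed well-known constant; the Squads and SPL Governance ids are placeholders to be filled in, and the 0.4 s per slot figure is an assumption that matches the 150 slots ≈ 60 s default.

```javascript
// Added example, not brainblast's own code: the two verdicts as pure decision
// functions. The caller fetches (a) the owner program of the upgrade authority
// account and (b) the slot of the account's most recent transaction plus the
// current slot from RPC; the inputs used here are constructed.

// The System Program owns plain keypair accounts: this id is fixed on every cluster.
const SYSTEM_PROGRAM_ID = '11111111111111111111111111111111';
// Assumption: the multisig/DAO program ids you accept. Placeholders here; fill in
// the program ids you have verified for your deployment (Squads, SPL Governance).
const MULTISIG_OWNER_IDS = new Set(['<SQUADS_PROGRAM_ID_PLACEHOLDER>']);
const DAO_OWNER_IDS = new Set(['<SPL_GOVERNANCE_PROGRAM_ID_PLACEHOLDER>']);

// Fails safe: anything not positively identified is "unknown", never "single-key".
function classifyUpgradeAuthority(ownerProgramId) {
  if (typeof ownerProgramId !== 'string' || ownerProgramId.length === 0) {
    return { verdict: 'unknown', owner: null, note: 'owner missing or unreadable' };
  }
  if (ownerProgramId === SYSTEM_PROGRAM_ID) {
    return { verdict: 'single-key', owner: ownerProgramId, note: 'one key can replace the program' };
  }
  if (MULTISIG_OWNER_IDS.has(ownerProgramId)) return { verdict: 'multisig', owner: ownerProgramId, note: 'Squads' };
  if (DAO_OWNER_IDS.has(ownerProgramId)) return { verdict: 'dao', owner: ownerProgramId, note: 'SPL Governance' };
  return { verdict: 'unknown', owner: ownerProgramId, note: 'owner recorded, not classified' };
}

// Assumption: ~0.4 s per slot, which is how the default 150 slots ≈ 60 s lines up.
const SECONDS_PER_SLOT = 0.4;

// latestTxSlot: slot of the newest signature for the account, or null when the
// account has no transaction history at all.
function checkOracleFreshness({ currentSlot, latestTxSlot, maxStalenessSlots = 150, maxStalenessSeconds = null }) {
  if (latestTxSlot === null || latestTxSlot === undefined) {
    return { status: 'NO_HISTORY', slotsBehind: null, secondsBehind: null, limitSlots: null, exitCode: 1 };
  }
  const limitSlots = maxStalenessSeconds !== null
    ? Math.round(maxStalenessSeconds / SECONDS_PER_SLOT)
    : maxStalenessSlots;
  const slotsBehind = Math.max(0, currentSlot - latestTxSlot);
  const secondsBehind = Math.round(slotsBehind * SECONDS_PER_SLOT);
  const status = slotsBehind > limitSlots ? 'STALE' : 'FRESH';
  // Exit 1 on anything but FRESH so the check can gate a pricing path in a script or CI.
  return { status, slotsBehind, secondsBehind, limitSlots, exitCode: status === 'FRESH' ? 0 : 1 };
}

// Constructed walk-through: a price account last written 40 slots ago passes the
// default gate; one last written 500 slots ago fails it.
function demo() {
  return {
    wallet: classifyUpgradeAuthority(SYSTEM_PROGRAM_ID).verdict,
    unreadable: classifyUpgradeAuthority(undefined).verdict,
    fresh: checkOracleFreshness({ currentSlot: 250_000_040, latestTxSlot: 250_000_000 }).status,
    stale: checkOracleFreshness({ currentSlot: 250_000_500, latestTxSlot: 250_000_000 }).status,
  };
}
```

The freshness function never looks inside the account data, which is what makes it provider-agnostic: an account that has not been written for longer than the limit is stale whatever its layout says.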

Also

  • Classification fails safe: a wrong/missing owner id degrades to unknown, never a false single-key.
  • New /brainblast-oracle slash command; programmatic exports (classifyUpgradeAuthority, checkOracleFreshness, …). 20 new tests (407 total green).

npx brainblast@0.7.4 oracle <account>

The brainblast CLI publishes to npm automatically via the brainblast-v0.7.4 tag (publish-cli workflow).

brainblast v0.7.3 — Exploit Pattern Database

20 Jun 09:01
0d69fe3

Research-to-enforcement on real on-chain incidents. A curated catalog maps public post-mortems to the bundled brainblast rule that statically detects each one's root-cause pattern — the code that lost the funds is the exact code these rules fail on. $381.8M catalogued across 4 patterns.

Flagship: the Wormhole pattern

New rule cpi-target-program-unverified (CRITICAL) answers the provable question behind the Wormhole bridge exploit ($325M, Feb 2022): does this CPI verify its target program ID?

  • FAIL — an Anchor handler performs a CPI (invoke / invoke_signed / CpiContext) against a program-named account typed as raw AccountInfo / UncheckedAccount with no address= constraint and no in-body key check.
  • PASS — the program account is Program<'info, T>, has an address= constraint, or its .key() is verified in the body.

brainblast exploits [id] [--json]

Lists the catalog or explains one entry:

Incident               | Loss  | Detecting rule
Wormhole               | $325M | cpi-target-program-unverified (new)
Cashio                 | $48M  | anchor-unchecked-account-type
Crema Finance          | $8.8M | anchor-unchecked-account-type
SPL mint impersonation |       | solana-token-impersonation

Integrity, not vibes

  • An integrity test guarantees every catalog entry's ruleId resolves to a real bundled rule — the database can never claim to catch something it can't.
  • Rules carry an inline exploit: provenance block, cross-checked against the catalog in tests to prevent drift.
  • Programmatic exports (EXPLOIT_PATTERNS, getExploitPattern, renderers) for AI-agent frameworks.

Also

  • 16 → 17 bundled rules. 387 tests green. New /brainblast-exploits slash command.

npx brainblast@0.7.3 exploits

The brainblast CLI publishes to npm automatically via the brainblast-v0.7.3 tag (publish-cli workflow).

brainblast v0.7.2 — Deployment Intelligence

20 Jun 06:23
810cfbd

Deployment Intelligence — a new brainblast deploy-plan [dir] command that answers the two questions every Anchor builder works out by hand before anchor deploy: how much SOL do I need? and what's the exact ordered transaction sequence?

How much SOL do I need?

From the compiled .so under target/deploy/, modeled on the on-chain BPF upgradeable loader:

Item                               | Formula                                       | Recoverable?
Program account                    | rent(36)                                      | ❌ until program closed
Program data (2× upgrade headroom) | rent(45 + 2·len)                              | ❌ until program closed
Buffer (transient)                 | rent(37 + len)                                | ✅ refunded at deploy
Init PDAs (treasury, config, …)    | rent(space) each                              | depends on close logic
Transaction fees                   | base fee × (buffer + writes + deploy + inits) | ❌ spent

Reports a wallet funding figure (safe upper bound) and the steady-state lockup.

Exact transaction sequence

Create buffer → write program chunks → deploy → one initialize step per #[derive(Accounts)] struct, each annotated with the rent it locks/refunds and its fee.
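The funding model and transaction sequence above, carried through in lamports as an added example that is not brainblast's own implementation. It assumes the default rent parameters (3480 lamports per byte-year, a 2-year exemption threshold, 128 bytes of per-account overhead), a 5000-lamport base fee per single-signature transaction, and a 1000-byte write chunk; the page gives none of these numbers, so treat the write count as approximate. The sample program and init accounts are constructed.

```javascript
// Added example, not brainblast's own code: the deploy-plan funding model in
// lamports. Assumptions: default rent parameters, a 5000-lamport base fee per
// signature, and a 1000-byte write chunk size (not given on the page).
const LAMPORTS_PER_BYTE_YEAR = 3480;
const EXEMPTION_YEARS = 2;
const ACCOUNT_OVERHEAD_BYTES = 128;
const BASE_FEE_LAMPORTS = 5000;
const WRITE_CHUNK_BYTES = 1000; // assumption
const LAMPORTS_PER_SOL = 1_000_000_000;

// Minimum rent-exempt balance for an account holding `space` bytes of data.
function rent(space) {
  return (space + ACCOUNT_OVERHEAD_BYTES) * LAMPORTS_PER_BYTE_YEAR * EXEMPTION_YEARS;
}

// initAccounts: one entry per #[account(init)] account, with `space` either an
// integer (a literal in the source) or a string such as "8 + State::INIT_SPACE"
// that a static pass could not resolve; unresolved entries are reported, not guessed.
function planDeployment({ programLen, initAccounts = [], maxLenMult = 2 }) {
  const programAccount = rent(36);
  const programData = rent(45 + maxLenMult * programLen);
  const buffer = rent(37 + programLen);
  const writes = Math.ceil(programLen / WRITE_CHUNK_BYTES);

  const resolved = initAccounts.filter(a => Number.isInteger(a.space));
  const unresolved = initAccounts.filter(a => !Number.isInteger(a.space)).map(a => a.name);
  const initRent = resolved.reduce((sum, a) => sum + rent(a.space), 0);

  const txCount = 1 + writes + 1 + initAccounts.length; // buffer + writes + deploy + inits
  const fees = BASE_FEE_LAMPORTS * txCount;

  // Funding: everything that must leave the wallet, the (later refunded) buffer included.
  const fundingLamports = programAccount + programData + buffer + initRent + fees;
  // Steady state: rent that stays locked once the buffer is refunded and fees are spent.
  const lockupLamports = programAccount + programData + initRent;

  const sequence = [
    `create buffer (locks ${buffer} lamports, refunded at deploy)`,
    `write ${writes} program chunk(s)`,
    `deploy (locks ${programAccount + programData} lamports)`,
    ...initAccounts.map(a => Number.isInteger(a.space)
      ? `initialize ${a.name} (locks ${rent(a.space)} lamports)`
      : `initialize ${a.name} (space "${a.space}" unresolved, excluded from totals)`),
  ];
  return { programAccount, programData, buffer, initRent, fees, fundingLamports, lockupLamports, unresolved, sequence };
}

function toSol(lamports) {
  return lamports / LAMPORTS_PER_SOL;
}

// Constructed input: a 100 kB program with one literal-space config PDA and one
// treasury PDA whose space comes from a constant the scan cannot evaluate.
const SAMPLE_PLAN = planDeployment({
  programLen: 100_000,
  initAccounts: [
    { name: 'config', space: 8 + 64 },
    { name: 'treasury', space: '8 + State::INIT_SPACE' },
  ],
});
```

With these inputs the buffer alone is close to 0.7 SOL and the program-data account close to 1.4 SOL, which is why the funding figure (buffer included) is the number to check the wallet against, and the lockup figure (buffer refunded) is what stays tied up afterwards.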

Notable

  • Anchor init parsing (tree-sitter-rust) extracts space, seeds, and payer per init / init_if_needed account.
  • Non-literal space (e.g. 8 + State::INIT_SPACE) is flagged and excluded from totals rather than guessed.
  • --program-len BYTES models an uncompiled build; --max-len-mult N overrides the 2× headroom; --json emits the full plan for an agent.
  • New /brainblast-deploy-plan slash command. 20 new tests (368 total green).

Also refreshed stale version + bundled-rule-count references (now 16 bundled rules incl. the 3 Anchor program-security checks).


npx brainblast@0.7.2 deploy-plan

The brainblast CLI publishes to npm automatically via the brainblast-v0.7.2 tag (publish-cli workflow).

brainblast v0.7.1 — Anchor/Rust security checkers

20 Jun 03:23
7953bb7

Pillar 2: Anchor/Rust Security Checkers — three new static checker kinds for Solana programs written with the Anchor framework, plus 6 fixtures and full test coverage.

New rules

  • anchor-signer-constraint-missing (CRITICAL) — authority-named account fields (authority, admin, owner, payer, …) typed as AccountInfo<'info> without a signer constraint or Signer<'info> type. Anchor performs no signing check on AccountInfo — any key can be passed as the authority and privileged instructions execute without signature validation. Fix: use Signer<'info> or add #[account(signer)].

  • anchor-unchecked-account-type (HIGH) — UncheckedAccount<'info> fields in instruction handlers. Anchor requires a /// CHECK: comment but performs zero runtime validation — ownership, signer status, and data layout are unchecked. Fix: replace with Account<'info, T>, Signer<'info>, or SystemAccount<'info>.

  • anchor-pda-find-program-address (HIGH) — Pubkey::find_program_address calls inside handler bodies. Expensive (up to 255 SHA256 hashes/call) and unsafe (may silently use a non-canonical bump). Fix: use #[account(seeds=[...], bump=state.bump)] — Anchor re-derives and verifies at zero cost.

  • Updated logo: assets/brainblast.png replaces assets/brainblast.jpg.

  • 348/348 tests green.
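The first two rules above (anchor-signer-constraint-missing and anchor-unchecked-account-type), as an added detection example that is not brainblast's own checker: a line-oriented scan of an Anchor #[derive(Accounts)] struct. It handles the single-line `#[account(...)]` attribute form only; the real checker parses the Rust source (the v0.7.2 notes mention tree-sitter-rust), which this does not. The authority name list and the sample struct are constructed.

```javascript
// Added example, not brainblast's own checker: a line-oriented scan of an Anchor
// #[derive(Accounts)] struct for two of the rules above. Single-line attributes
// only; a real checker works on a parsed Rust AST.

// Assumption: field names treated as authorities (the release lists these four).
const AUTHORITY_NAMES = new Set(['authority', 'admin', 'owner', 'payer']);

const FIELD_RE = /^\s*pub\s+(\w+)\s*:\s*(.+?)\s*,?\s*$/;
const ATTR_RE = /^\s*#\[(.*)\]\s*$/;
const STRUCT_RE = /^\s*pub\s+struct\b/;

// True if any pending attribute is an #[account(...)] whose constraint list
// contains the bare `signer` keyword (so `has_one = signer` does not count).
function hasSignerConstraint(attrs) {
  return attrs.some(a => {
    const m = a.match(/^account\s*\((.*)\)$/s);
    return Boolean(m) && m[1].split(',').map(s => s.trim()).includes('signer');
  });
}

function scanAccountsStruct(source) {
  const findings = [];
  let pendingAttrs = [];
  source.split('\n').forEach((line, index) => {
    const lineNo = index + 1;
    if (STRUCT_RE.test(line)) { pendingAttrs = []; return; } // drop #[derive(...)]
    const attr = line.match(ATTR_RE);
    if (attr) { pendingAttrs.push(attr[1]); return; }
    const field = line.match(FIELD_RE);
    if (!field) return; // doc comments, braces, blank lines: no state change
    const [, name, type] = field;
    const attrs = pendingAttrs;
    pendingAttrs = [];
    if (type.startsWith('UncheckedAccount<')) {
      findings.push({ ruleId: 'anchor-unchecked-account-type', severity: 'HIGH', line: lineNo, field: name,
        fix: "replace with Account<'info, T>, Signer<'info>, or SystemAccount<'info>" });
    }
    if (AUTHORITY_NAMES.has(name) && type.startsWith('AccountInfo<') && !hasSignerConstraint(attrs)) {
      findings.push({ ruleId: 'anchor-signer-constraint-missing', severity: 'CRITICAL', line: lineNo, field: name,
        fix: "use Signer<'info> or add #[account(signer)]" });
    }
  });
  return findings;
}

// Constructed sample: `authority` is a raw AccountInfo with no signer constraint
// (CRITICAL), `admin` is the same type but constrained (ok), `payer` is a Signer
// (ok), and `escrow` is an UncheckedAccount (HIGH).
const SAMPLE_SOURCE = `
#[derive(Accounts)]
pub struct Withdraw<'info> {
    #[account(mut, has_one = authority)]
    pub vault: Account<'info, Vault>,
    /// CHECK: trusted caller (nothing actually enforces this)
    pub authority: AccountInfo<'info>,
    #[account(signer)]
    pub admin: AccountInfo<'info>,
    pub payer: Signer<'info>,
    /// CHECK: raw escrow account
    pub escrow: UncheckedAccount<'info>,
    pub system_program: Program<'info, System>,
}
`;

const SAMPLE_FINDINGS = scanAccountsStruct(SAMPLE_SOURCE);
```

The `has_one = authority` constraint on `vault` is worth noticing: it proves the stored authority key matches the passed account, but not that the passed account signed, which is exactly the gap the CRITICAL rule is about.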


Install/upgrade the npm CLI:

npx brainblast@0.7.1

The brainblast CLI publishes to npm automatically via the brainblast-v0.7.1 tag (publish-cli workflow).

brainblast v0.7.0 — the Solana power release

18 Jun 00:04
48993ad

Six features that extend brainblast from "audit before you ship" to a full-lifecycle safety layer for Solana developers and AI agents. Each ships a CLI command and a programmatic export so agent frameworks can call it inline.

AI-agent transaction firewall — brainblast firewall <base64-tx>

Inspect a serialized Solana transaction before an agent signs it. Decodes legacy + v0 messages (incl. address lookup tables) locally, flags drain patterns (delegate Approve, SetAuthority, program upgrades, unknown programs), optionally simulates for the full CPI tree, and returns allow / warn / block. Exit 1 on block. inspectTransaction() for inline use.

Anchor IDL → auto-generated rules — brainblast idl-rules <idl.json>

Turns any Anchor IDL into a brainblast rule that verifies the program's Rust source actually declares every signer/mut account constraint the IDL promises. A missing Signer<'info> or mut is a silent authorization hole. Unlimited rules derived from your own program's spec.

Program trust score / oracle — brainblast score <program-id>

A 0–100 trust score + A–F grade for any deployed program: upgrade authority (renounced > DAO > multisig > single-key), verified build, audits, curation, cluster parity — with a transparent factor breakdown. --min gates CI; --json makes it an oracle other tools can consume.

Live on-chain monitoring — brainblast watch-chain <program-id>

Moves brainblast from "before you ship" to while it's live. Polls a deployed program and streams NDJSON anomalies: upgrade-authority changes (the headline event) and activity bursts. No websocket dependency.

Launch pre-flight — brainblast pump-check <mint>

For pump.fun / SPL builders. Reads the on-chain mint account (is the mint authority revoked? the freeze authority?), verifies identity, and folds Rico Maps forensics into one GO / CAUTION / NO-GO verdict. A live mint authority is an automatic NO-GO.

Batch token risk scanner — brainblast batch <file>

Risk-rank a list of contract addresses in parallel (identity + Rico Maps), impersonators floated to the top. For curating which tokens an app should support.


330 tests (268 baseline + 62 new), typecheck clean, SLSA-provenance build. No new runtime dependencies — the Solana message decoder and SPL mint / BPF-loader layout parsers are hand-written; @solana/web3.js stays test-only.

5 new agent slash commands: /brainblast-firewall, /brainblast-score, /brainblast-pump-check, /brainblast-batch, /brainblast-idl-rules.

Install / update

curl -fsSL https://raw.githubusercontent.com/DSB-117/brainblast/v0.7.0/install.sh | sh

brainblast v0.6.4

17 Jun 02:17
3ef3758

Rico Maps token identity + quality + 13th bundled rule

brainblast rico <CA> — new CLI subcommand

One command, two checks on any Solana contract address:

Identity (offline, no key needed)

  • Bundled canonical mint snapshot for 12 blue-chip tokens (USDC, USDT, SOL, WSOL, JUP, BONK, WIF, PYTH, RAY, ORCA, MNGO, mSOL)
  • Falls back to Jupiter token registry for anything not in the snapshot
  • Flags impersonators — tokens claiming a canonical symbol at the wrong mint address

Quality (Rico Maps API, optional key)

  • Risk score 0–100
  • Sniper detection, cabal count, bundle cluster detection
  • Deployer flags: mint authority live, freeze authority live, metadata mutable
  • Graceful key prompt/skip — anonymous free tier attempted first; prompts on auth failure

Exit 1 on impersonation, --expect symbol mismatch, or risk score ≥ threshold (default 70).

/brainblast-rico-maps <CA> slash command

Registered automatically by the installer for Claude Code users.

13th bundled rule: solana-token-impersonation

Offline static checker for TypeScript source with @solana/web3.js or @solana/spl-token imports. Catches hardcoded mint constants whose symbol name doesn't match the canonical address — e.g. const USDC_MINT = new PublicKey("<USDT address>").
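The offline identity check behind this rule, as an added example that is not brainblast's own code: a three-entry canonical-mint snapshot and a scan for `const <SYMBOL>_MINT = new PublicKey("...")` constants whose symbol does not match the address. The USDC, USDT and wrapped SOL mints are the well-known mainnet addresses; the sample TypeScript source and its placeholder mint are constructed.

```javascript
// Added example, not brainblast's own rule: the solana-token-impersonation
// identity check reduced to a snapshot lookup over hardcoded mint constants.
// Extend CANONICAL_MINTS (or fall back to a registry) for real use.
const CANONICAL_MINTS = {
  USDC: 'EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v',
  USDT: 'Es9vMFrzaCERmJfrF4H2FYD4KCoNkY11McCe8BenwNYB',
  WSOL: 'So11111111111111111111111111111111111111112',
};
// Reverse index so a mismatch can say which token the address really belongs to.
const SYMBOL_BY_MINT = Object.fromEntries(Object.entries(CANONICAL_MINTS).map(([s, m]) => [m, s]));

// Base58 alphabet (no 0, O, I, l); Solana public keys are 32..44 characters.
const MINT_CONST_RE = /\b(?:const|let|var)\s+([A-Z][A-Z0-9_]*?)_MINT\s*=\s*new\s+PublicKey\(\s*["']([1-9A-HJ-NP-Za-km-z]{32,44})["']\s*\)/g;

function findImpersonatedMints(source) {
  const findings = [];
  for (const m of source.matchAll(MINT_CONST_RE)) {
    const [, symbol, address] = m;
    const expected = CANONICAL_MINTS[symbol];
    if (!expected || expected === address) continue; // symbol not in snapshot, or correct mint
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({
      ruleId: 'solana-token-impersonation',
      line,
      symbol,
      address,
      expected,
      actuallyIs: SYMBOL_BY_MINT[address] || 'unknown mint',
    });
  }
  return findings;
}

// Constructed sample: USDC_MINT points at the USDT mint; USDT_MINT is correct;
// FAKE_MINT is not a snapshot symbol and is skipped.
const SAMPLE_TS = `import { PublicKey } from "@solana/web3.js";
// constants used by a swap helper
const USDC_MINT = new PublicKey("Es9vMFrzaCERmJfrF4H2FYD4KCoNkY11McCe8BenwNYB");
const USDT_MINT = new PublicKey("Es9vMFrzaCERmJfrF4H2FYD4KCoNkY11McCe8BenwNYB");
const FAKE_MINT = new PublicKey("Fake1111111111111111111111111111");
`;

const SAMPLE_IMPERSONATIONS = findImpersonatedMints(SAMPLE_TS);
```

The finding names the token the address actually belongs to, which turns "wrong address" into the more useful "this constant called USDC is really USDT" that a reviewer can act on.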

SKILL.md step 3f

When requirements mention a Solana token or CA, the research skill now runs an identity + quality pre-check before researching the component.


268 tests passing. SHA256SUMS regenerated for all changed tracked files.

Install / update

curl -fsSL https://raw.githubusercontent.com/DSB-117/brainblast/v0.6.4/install.sh | sh

brainblast v0.6.3 — installer fix

16 Jun 23:28

Patch release. Fixes a checksum mismatch in SHA256SUMS introduced in v0.6.2: SKILL.md was updated but its SHA-256 hash wasn't regenerated, causing the installer to reject the file. No functional changes beyond the fix.

brainblast v0.6.2 — 3 Solana ecosystem packs

16 Jun 22:59

Warning

This release has a broken installer. The SHA256SUMS file was not updated after SKILL.md changed, causing a checksum mismatch for anyone running the installer pinned to v0.6.2. Use v0.6.3 instead.

What's new in v0.6.2

Three HIGH-severity Solana ecosystem packs, all PROVEN (RED→GREEN via npm run synth with existing vetted checkers — no new logic):

solana-sendtx-unconfirmed — @solana/web3.js

connection.sendTransaction() submits a transaction and returns a signature immediately — it does not wait for the network to confirm the transaction landed. If the transaction is dropped due to congestion, validator restart, or blockhash expiry, the code continues as if it succeeded. Fix: use sendAndConfirmTransaction().

metaplex-nft-royalty-zero — @metaplex-foundation/js

metaplex.nfts().create({ sellerFeeBasisPoints: 0, … }) bakes zero royalties into the NFT's on-chain metadata at mint time. Metaplex token-metadata is immutable after mint — there is no correction path short of burning and reminting the entire collection. Fix: set sellerFeeBasisPoints to the intended value (e.g. 500 = 5%).

raydium-compute-zero-slippage — @raydium-io/raydium-sdk-v2

raydium.liquidity.computeAmountOut({ slippage: 0, … }) sets minAmountOut === amountOut with zero tolerance, meaning any price movement between compute and on-chain execution — including a sandwich attack — executes the swap at a worse rate with no revert protection. Fix: set slippage to a nonzero value (e.g. 0.5 = 0.5%).


Full changelog: CHANGELOG.md