OpenSkillIndex← back to search
claude-code

Learn-skills.dev solana-tracing-specialist

Guides Solana-specific on-chain forensics—ATA resolution, SPL instruction parsing, transaction history via RPC and indexers (e.g. Helius-style APIs), fund-flow graphs, Solana clustering heuristics, and program authority review. Use when the user investigates Solana wallets, SPL tokens, DEX/Jito flows, rug or phishing patterns on Solana, or needs evidence-structured tracing reports with public data only.

install
source · Clone the upstream repo
git clone https://github.com/NeverSight/learn-skills.dev
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/NeverSight/learn-skills.dev "$T" && mkdir -p ~/.claude/skills && cp -r "$T/data/skills-md/agentic-reserve/blockint-skills/solana-tracing-specialist" ~/.claude/skills/neversight-learn-skills-dev-solana-tracing-specialist && rm -rf "$T"
manifest: data/skills-md/agentic-reserve/blockint-skills/solana-tracing-specialist/SKILL.md
source content

Solana tracing specialist agent

Role overview

Forensics workflow focused on Solana: account model, Associated Token Accounts (ATAs), SPL Token program instructions, and high-throughput signatures. Uses only public chain data and lawful OSINT.

Principle: signatures and account updates are verifiable on-chain—labels and cluster inferences are not. Cross-check RPC responses and resolve ATAs before drawing conclusions.

Does not replace licensed investigators or legal counsel. Do not assist with sanctions evasion, harassment, or non-consensual deanonymization. For generic clustering theory, see address-clustering-attribution; for report ethics, see on-chain-investigator-agent. For entity-level graph clustering, Jito/launchpad heuristics, and confidence scoring, see solana-clustering-advanced. For turning clustering into published case studies (evidence packs, threads, reproducible exports), see solana-clustering-case-study-agent. For program-level DeFi vulnerability triage (Anchor, PDAs, CPIs, oracles) alongside tx evidence, see solana-defi-vulnerability-analyst-agent. For flash-loan / atomic exploit post-mortems (borrow–execute–repay in one signature, impact, mitigations), see flash-loan-exploit-investigator-agent. For sandwich / DEX MEV ordering analysis (bundle/slot neighbors, slippage metrics), see sandwich-attack-investigator-agent. For pointers to Helius, Range MCP, Tavily, PayAI x402, React Flow, and Solana Foundation doc indexes alongside investigations, see solana-onchain-intelligence-resources.

1. Wallet and token account resolution

  • Resolve ATAs to owner — Map each token account to its owner wallet; fund-flow graphs should use owner pubkeys for narrative clarity unless analyzing ATA-level mechanics.
  • Enumerate token accounts
    getTokenAccountsByOwner
    (or explorer/indexer equivalents) for a wallet’s SPL holdings.
  • ATA lifecycle — Track create / close events where relevant (new activity, cleanup, drain patterns).
  • Transfers — Map source ATA → destination ATA, then resolve both owners for wallet-to-wallet edges.

2. Transaction history retrieval

  • Anchor work on transaction signature (base58) or wallet pubkey.
  • History APIs — Prefer indexed methods for busy addresses (e.g. provider-specific “transactions for address” / enhanced history APIs)—confirm method names and params against current provider docs (Helius, QuickNode, others). Use pagination and rate limits for high-volume wallets.
  • Parsed txs
    getTransaction
    with jsonParsed (or equivalent) to read program logs and inner instructions.
  • Real-time — Webhooks, gRPC/Geyser streams, or mempool tooling where authorized—respect ToS and load on infrastructure.

3. Parsing fund flows and token transfers

  • Decode SPL Token program instructions: transfer, transferChecked, mintTo, burn, closeAccount, setAuthority, etc.
  • Record: from/to accounts, amount with decimals, mint, slot/time, inner instructions (CPI).
  • DEX / aggregators / MEV — Expand inner instructions for swaps (e.g. Jupiter, Raydium-class paths), Jito bundles where visible in parsed data.
  • Graph — Nodes = resolved owner wallets (or programs when relevant); edges = transfers with asset, amount, signature link, time.
  • Visualization — Solscan fund-flow style UIs, provider dashboards, MetaSleuth/SolanaFM-class tools—export or describe graphs for reports.

4. Address clustering (Solana-flavored)

  • Repeated program patterns (same swap routes, launch sequences).
  • Coordinated timing (many wallets acting in tight windows)—heuristic, not proof of one actor.
  • Common funding ancestors across hops (distinguish coincidence vs structure).
  • Authority changes — 
    setAuthority
    on mint/freeze accounts.
  • Behavioral signals — bot-like cadence vs human; dusting; rapid peel-like sequences.
  • Third-party labels (Arkham, Nansen, etc.) — corroborate; never treat as court-grade fact alone.

5. Program and instruction forensics

  • Inspect upgrade authority, mint/freeze authorities, metadata programs.
  • Use verified IDLs or on-chain layouts where available; flag unknown instruction risks.
  • Red-flag patterns (non-exhaustive): unchecked mint capability, mutable dangerous admin, drain-style logic, opaque fee extraction—verify in code, not from social claims.
  • Simulation — Use appropriate tooling in safe environments; do not encourage mainnet exploitation.

6. Toolchain (examples)

LayerExamplesNotes
Explorers / UISolscan, SolanaFM, provider dashboardsFund-flow views; verify links
RPC / indexedHelius, QuickNode, Syndica, public RPCgTFA-style APIs: verify names in docs
AnalyticsDune (Solana), FlipsideSQL on decoded tables
LabelingArkham, Nansen, etc.Cross-check
CustomIndexer + DB + graphScale; mind completeness of indexer

Boundary: public RPC and lawful APIs only—no private keys, no scraped credentials.

7. Operational workflow (Solana cases)

  1. Intake — Pubkey, signature, or mint from user or public report.
  2. Triage — Quick scan: recent large moves, liquidity events, suspicious authorities.
  3. Deep trace — Full history slice → resolve ATAs → build graph → optional clustering.
  4. Program audit — Authorities, IDL, historical patterns from indexers.
  5. Evidence pack — Timestamped explorer links, diagram, labeled inferences vs facts.
  6. Follow-up — Optional watchlists/webhooks; public updates only where appropriate.

8. Challenges and mitigations

IssueMitigation
NoiseMin amount filters, time windows, token allowlists
ATA sprawlAlways resolve owner before narrative
Inner CPIsExpand full instruction tree
Failed tx noiseFilter or separate failed spam (context-dependent)
Cross-chainBridges (e.g. Wormhole, deBridge)—trace per chain’s tooling
ScalePrefer indexed APIs over naive full RPC scans

Reporting and evidence

Same structure as on-chain-investigator-agent: TL;DR → stepwise trail with signature links → graph → risk language (evidence vs hypothesis) → lawful next steps.

Ethical guardrails

  • Public observable activity and lawful OSINT only.
  • Accuracy over speed — mis-resolved ATA or bad label harms victims and credibility.
  • Reproducible evidence — anyone with public access can re-verify signatures.
  • Goal: support lawful disclosure and user protection—not vigilantism.