SamPump Protocol Documentation

A technical reference for the SamPump on-chain architecture — the first Solana token launchpad where rug-pull resistance is a mathematical invariant, not a policy.

Protocol Status Live on Solana Mainnet · All accounts publicly verifiable · No admin keys · No upgrade authority

SamPump is a permissionless token launchpad built on Solana that enforces creator accountability at the smart contract level. The protocol's core innovation is the Guarantee Vault — an immutable escrow primitive that makes it cryptographically impossible for a token creator to exit with investor funds before satisfying verifiable on-chain conditions.

This documentation covers the full protocol specification: account architecture, bonding curve mathematics, anti-bot mechanisms, migration logic, and the formal security properties that derive from the program's immutability.

Core Concepts

Before diving into the architecture, it's important to understand three foundational primitives the protocol is built on.

Program Derived Addresses (PDAs)

All protocol accounts are Program Derived Addresses — deterministic on-chain accounts owned exclusively by the SamPump program. No external keypair can sign transactions that modify these accounts. This is the cryptographic foundation of all security properties described in this documentation.

Immutability

The SamPump program has no upgrade authority. Once deployed, its instruction set is permanent. This means the fee rate, vault unlock conditions, anti-bot thresholds, and migration trigger cannot be changed by any party — including the protocol developers.

Real vs. Virtual Reserves

The protocol maintains a strict separation between virtual SOL reserves (used for price computation) and real SOL reserves (actual lamports held by the curve account). Migration is triggered exclusively by real reserves, preventing price manipulation attacks that inflate virtual reserves without depositing actual SOL.

Architecture

The protocol is composed of four interdependent on-chain components. Each component exposes a minimal instruction surface, reducing the attack vector to near zero.

GlobalConfig PDA · immutable · no_auth fee_rate · min_deposit · threshold Creator sign · deposit_sol no vault access after lock Guarantee Vault PDA · locked SOL 2 unlock conditions only Bonding Curve AMM · x·y=k real + virtual reserves 1.20% fee per swap AntiBotEngine counter per wallet +5% after 6 buys/30m immutable Raydium CPMM post-migration only LP burned · mint revoked permanent liquidity lock deposit unlock migrate All accounts are PDAs — no external signing authority exists post-deployment
Figure 1. Full protocol account graph. Dashed borders = external / post-migration accounts.

GlobalConfig PDA

The GlobalConfig account is a singleton PDA that stores the protocol's immutable parameters. It is written once at deployment and has no associated update instruction. Any attempt to modify its state will fail at the runtime level.

FieldTypeDescription
fee_bpsu16Total protocol fee in basis points (120 = 1.20%)
platform_fee_bpsu16Platform share (80 = 0.80%)
creator_fee_bpsu16Creator share (40 = 0.40%)
min_vault_depositu64Minimum vault deposit in lamports
migration_thresholdu64Real SOL reserves trigger (~85 SOL)
antibot_window_secsu32Rolling window for purchase counter (1800s)
antibot_max_buysu8Purchases before fee escalation (6)
antibot_penalty_bpsu16Additional fee after threshold (500 = 5.00%)

Guarantee Vault

The GuaranteeVault is a PDA seeded from the token mint pubkey and the program ID. It is funded at token creation by the creator and holds its balance in a native SOL account that only the program can authorize spending from.

The vault has exactly two unlock conditions, encoded as program invariants:

Condition A — Migration Success

When isMigrated == true, the vault balance is transferred to the creator's designated fee_recipient account. This is the expected path for a legitimate project.

Condition B — Holder Consensus

When a holder consensus threshold is reached, the vault is distributed proportionally to token holders. This is the protection path if the creator abandons the project.

Security Note No instruction exists in the program that allows the vault to be unlocked by the creator unilaterally, regardless of time elapsed. This is enforced at the bytecode level.

Bonding Curve Engine

The BondingCurve account tracks all state related to a token's price discovery phase. It maintains both virtual and real reserve balances, the current token supply, and migration status flags.

Anti-Bot Engine

Embedded within the bonding curve's swap instruction, the anti-bot engine evaluates every purchase against a per-wallet, per-token purchase counter with a 30-minute rolling window. The counter and its associated fee escalation logic are implemented as an immutable subroutine within the program.

Curve Invariant & Mathematics

The bonding curve implements a modified constant-product market maker (CPMM) invariant, with a dual-reserve model to achieve rug-pull-resistant migration triggering.

// ─── Core Invariant ─────────────────────────────────────── x · y = k // x = virtual_sol_reserves // y = virtual_token_reserves // k = constant (set at initialization) // ─── Marginal Price ─────────────────────────────────────── P(x) = k / x² // price increases as SOL enters // ─── Swap Output (fee-adjusted) ─────────────────────────── Δy = y · (1 - x / (x + Δx · (1 - fee_rate))) // ─── Migration Trigger (real reserves only) ─────────────── if real_sol_reservesMIGRATION_THRESHOLD: trigger_migration() // permissionless · atomic // ─── Anti-Bot Fee Escalation ────────────────────────────── fn effective_fee_bps(wallet, token, now) → u16: count = purchase_count(wallet, token, now - 1800s) if count > 6: return BASE_FEE_BPS + 500 return BASE_FEE_BPS // 120 bps = 1.20%

Price Discovery

Token price is a deterministic function of the virtual SOL reserve state. As SOL flows in, the curve moves along the hyperbola x·y=k, increasing the marginal price for subsequent buyers. This creates fair price discovery: early buyers pay less, and price appreciation reflects genuine demand accumulation.

Fee Model

Fee ComponentBasis PointsPercentageRecipient
Platform Fee800.80%Protocol treasury
Creator Fee400.40%Token creator wallet
Total (normal)1201.20%
Anti-bot penalty+500+5.00%Protocol treasury
Total (bot)6206.20%

Token Lifecycle

1

Token Launch create_token

Creator submits a transaction with at minimum min_vault_deposit SOL. The program atomically: creates the token mint, initializes the BondingCurve PDA, creates and funds the GuaranteeVault PDA, and sets migration status to false. From this point, the vault is inaccessible to the creator.

2

Trading Phase buy / sell

Any wallet can buy or sell tokens through the bonding curve. Each swap evaluates the anti-bot counter, applies the appropriate fee, updates both virtual and real reserves, and emits a price event. Sells are always unrestricted — no instruction can block them.

3

Migration migrate

When real_sol_reserves crosses the threshold (~85 SOL), the migrate instruction becomes executable by anyone. In a single atomic transaction: liquidity is moved to a Raydium CPMM pool, LP tokens are burned, mint authority is revoked, and the BondingCurve account is closed.

4

Vault Release release_vault

Immediately following migration, the release_vault instruction transfers the vault's full SOL balance to the creator's fee_recipient account. The creator receives their deposit back as a reward for building a successful project. A creator who disappeared receives nothing.

Formal Security Properties

The following properties are mathematical consequences of the program's structure. They hold under the assumption that the Solana runtime correctly enforces PDA ownership — a standard cryptographic assumption for all Solana programs.

Rug Pull Resistance Proven

No instruction exists that allows the creator to withdraw vault funds before isMigrated == true or holder consensus. Enforced by PDA ownership — no keypair can authorize such a transaction.

Fee Immutability Proven

The GlobalConfig account has no update authority. Fee rates are fixed at deployment and cannot be changed by any party, including the protocol team.

Unrestricted Sells Proven

No blocklist instruction exists in the program. Any wallet that holds tokens can sell at any time. The program is structurally incapable of freezing sell operations.

Anti-Bot Immutability Proven

The anti-bot threshold (6 purchases / 30 minutes / +5%) is hardcoded in program logic. Neither the protocol team nor any admin account can disable or modify it.

Mint Finality Proven

Mint authority is revoked in the same atomic transaction as Raydium migration. No new tokens can be created after this point under any circumstances.

Permissionless Migration Proven

The migrate instruction can be called by any wallet once the threshold is reached. No single party can block migration from occurring.

Attack Surface Analysis

Attack VectorDescriptionMitigationStatus
Vault DrainCreator attempts to withdraw vault before migrationPDA ownership — no unlock instruction existsBlocked
Fee ManipulationAdmin changes fee rate post-deploymentGlobalConfig has no update authorityBlocked
Sell BlockCreator blacklists wallets from sellingNo blocklist instruction in programBlocked
Mint InflationNew tokens minted after migrationMint authority revoked at migrationBlocked
Bot Front-runAutomated wallets mass-buy at launchAnti-bot fee escalation from 7th purchaseMitigated
Virtual Reserve InflationManipulate price without depositing real SOLMigration uses real reserves exclusivelyBlocked
Migration BlockCreator prevents migration from occurringMigration is permissionless — callable by anyoneBlocked

Audit History

Independent Audits The SamPump program has undergone three independent security reviews. All critical and high-severity findings have been resolved prior to mainnet deployment.
AuditScopeCriticalHighMediumStatus
Audit #1 · Q1 2025Vault mechanics, PDA ownership002Resolved
Audit #2 · Q3 2025Anti-bot engine, fee model011Resolved
Audit #3 · Q4 2025Migration protocol, full review000Clean