Urbanium - Efficient Markets. Sustainable Yield.

PDA Model

Urbanium uses Program Derived Addresses (PDAs) extensively to ensure security and eliminate centralized control. PDAs are deterministically generated addresses that have no corresponding private keys, allowing only the program to sign transactions on their behalf.

Vault PDA

The Vault PDA holds all deposited assets for a specific token type. It is derived from the token mint address and creator's public key, ensuring each vault has a unique, deterministic address.

Seeds: ["vault", token_mint, creator]
Purpose: Holds user deposits
Authority: Vault Authority PDA
Accounts:
  - token_mint: Pubkey
  - authority: Pubkey  
  - total_shares: u64
  - total_assets: u64
  - created_at: i64
  - bump: u8

Vault Authority PDA

The Vault Authority PDA is the signer for all vault operations. It controls asset movements for yield generation but cannot be accessed by any external party. Only program logic can invoke this PDA as a signer.

Seeds: ["vault-authority", vault_address]
Purpose: Signs yield operations
Authority: Program only (no private key exists)
Capabilities:
  - Deposit to yield strategies
  - Withdraw from strategies
  - Execute oracle-based swaps
  - Rebalance allocations
Restrictions:
  - Cannot withdraw to external addresses
  - Cannot modify vault parameters
  - Cannot transfer authority

User Position PDA

Each user's position in a vault is tracked by a unique PDA derived from the vault address and user's wallet. This ensures each user has exactly one position per vault, preventing double-accounting.

Seeds: ["user-position", vault_address, user_wallet]
Purpose: Track user ownership
Authority: User wallet
Accounts:
  - owner: Pubkey
  - vault: Pubkey
  - shares: u64
  - last_deposit: i64
  - last_withdrawal: i64
  - bump: u8

Vault Authority

Non-custodial Architecture

The vault authority model is designed to enable programmatic asset management while maintaining complete non-custodial security. No individual, team member, or organization can access user funds outside of the predefined program logic.

Program-controlled Signer

The vault authority PDA can only be invoked as a signer through specific program instructions. The Solana runtime verifies that the PDA is correctly derived and that the program owns it before allowing it to sign transactions.

// In Anchor program
pub fn execute_yield_operation(ctx: Context<YieldOp>) -> Result<()> {
    // Vault authority is validated by Anchor
    let vault_authority_seeds = &[
        b"vault-authority",
        ctx.accounts.vault.key().as_ref(),
        &[ctx.accounts.vault.authority_bump],
    ];
    
    let signer_seeds = &[&vault_authority_seeds[..]];
    
    // Program signs with vault authority
    invoke_signed(
        &yield_instruction,
        accounts,
        signer_seeds, // Only program can provide these seeds
    )?;
    
    Ok(())
}

Deterministic Seed Derivation

All PDA seeds are deterministic and publicly verifiable. Anyone can independently verify that a vault authority controls specific assets by deriving the PDA themselves and checking on-chain accounts.

✓

Transparent: All seeds are documented and verifiable

✓

Auditable: On-chain state proves authority relationships

✓

Immutable: Seeds cannot be changed after deployment

Oracle Adapter

External Oracle Integration

Urbanium integrates with multiple oracle providers to ensure accurate, manipulation-resistant pricing. The oracle adapter supports Pyth, Switchboard, and Chainlink on Solana, with fallback mechanisms if any feed becomes unavailable.

Price Normalization

Different oracles use different decimal precision, confidence intervals, and update frequencies. The adapter normalizes all prices to a standard format:

pub struct NormalizedPrice {
    pub price: i64,           // Price with 8 decimals
    pub confidence: u64,      // Confidence interval (±)
    pub timestamp: i64,       // Unix timestamp
    pub source: PriceSource,  // Which oracle provided this
}

// Normalization process:
// 1. Fetch from multiple oracles
// 2. Convert all to 8 decimal precision
// 3. Calculate confidence-weighted median
// 4. Discard outliers (>2 std dev from median)
// 5. Return normalized price with combined confidence

Swap Safety Enforcement

Before executing any swap, the oracle adapter performs multiple safety checks:

Freshness Check: Price must be less than 60 seconds old

Confidence Check: Confidence interval must be below 1% of price

Deviation Check: Price must be within 5% of 5-minute TWAP

Slippage Check: Actual execution price must be within user-specified slippage

Security Model

No Admin Custody

Urbanium has zero admin privileges over user funds. There are no owner accounts, no multisig controllers, and no upgrade authority that could modify vault behavior.

✗ No admin withdrawal function

✗ No emergency pause mechanism

✗ No upgrade authority after mainnet deploy

✗ No fee change capability

Explicit Authority Separation

Different operations require different authorities, creating natural security boundaries:

User Deposits/Withdrawals: Only user's wallet can sign

Yield Operations: Only vault authority PDA can sign

Oracle Updates: Only oracle programs can update prices

Strategy Changes: Hard-coded in program, no runtime modification

Deterministic Execution Paths

Every possible state transition is explicitly defined in the program code. There are no dynamic dispatch mechanisms, no proxy patterns, and no delegatecall equivalents. All execution paths can be audited and verified before deployment.

Program Deployment

Mainnet Address

UrbaniumVault11111111111111111111111111111

Deployment Status

Deployed to Solana mainnet. Upgrade authority renounced. Code is immutable.

Audit Status

Audited by leading Solana security firms. All critical and high severity issues resolved.

Questions about Architecture?

Review our comprehensive documentation or explore the open source code.

View Source Code Full Documentation

Smart Contract Architecture