See what you're actually signing.
Plumb overlays the Squads V4 approval modal with a plain-English readout of every instruction — durable-nonce replay window, multisig admin actions, account-state diffs, and bytecode upgrades.
Read-only at the signer interface. Plumb never modifies, signs, or co-signs a transaction.
What a signer sees today / with Plumb
Opaque base64, decoded.
Wallet popup, today
Unreadable: Transaction (base64)
AQABBQfqJaJg3vT9rR4VFhdQa1Nf8PgYbZjK0Yk4mVQ3X5p2dT6yLnA8x4t8L5sQO3kHwq8AAAAAGZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmAQECAwQABQYHCAkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj9AQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpbXF1eX2BhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ent8fX5/gIGCg4SFhoeIiYqLjI2OjwAAAAAAAAAAAAAA… (1,184 chars)
Plumb overlay
3 findings
- Durable nonce · 47-day replay window: First instruction is AdvanceNonceAccount. Signature is valid until the nonce is consumed.
- Nonce owner mismatch: Nonce authority does not match the multisig. Staged-account pattern.
- Multisig admin transfer: config_transaction_execute — replaces members and threshold.
What ships in the MVP
Three classes of finding. Nothing else.
01
Durable-nonce decoder
Surfaces the replay window in plain English. Flags owner-mismatched nonce accounts — the exact Drift staging pattern.
02
State-projected simulation
Forks mainnet via Surfpool. Diffs account, balance, and authority changes against the state you expect.
03
BPF bytecode diff
On program upgrades, disassembles old vs new program data. Highlights signer-check and authority-check changes.
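The check behind the durable-nonce decoder (item 01) can be sketched as follows. This is an added example, not Plumb's code: it parses a legacy Solana message, tests whether the first instruction is the System Program's AdvanceNonceAccount, and compares the nonce authority with an expected key. The sample message, `MULTISIG`, `STAGED` and all function names are constructed for illustration; versioned (v0) messages and the replay-window estimate are out of scope.

```python
SYSTEM_PROGRAM = bytes(32)                     # System Program id is 32 zero bytes
ADVANCE_NONCE = (4).to_bytes(4, "little")      # SystemInstruction::AdvanceNonceAccount

def shortvec(buf, off):
    """Decode a compact-u16 length prefix; return (value, next_offset)."""
    val = shift = 0
    while True:
        b = buf[off]
        off += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, off
        shift += 7

def nonce_findings(msg, expected_authority):
    """Return findings for a durable-nonce message, or None if it is not one."""
    if msg[0] & 0x80:
        raise ValueError("versioned message: not handled in this example")
    n_keys, off = shortvec(msg, 3)             # 3-byte header precedes the key list
    keys = [msg[off + 32 * i: off + 32 * (i + 1)] for i in range(n_keys)]
    off += 32 * n_keys + 32                    # skip keys and the blockhash/nonce field
    n_ix, off = shortvec(msg, off)
    if n_ix == 0:
        return None
    program = keys[msg[off]]                   # first instruction only
    n_acc, off = shortvec(msg, off + 1)
    accts = msg[off:off + n_acc]
    n_data, off = shortvec(msg, off + n_acc)
    data = msg[off:off + n_data]
    if program != SYSTEM_PROGRAM or n_acc < 3 or data[:4] != ADVANCE_NONCE:
        return None
    authority = keys[accts[2]]                 # accounts: nonce, sysvar, authority
    return {"nonce_account": keys[accts[0]].hex(),
            "nonce_authority": authority.hex(),
            "authority_mismatch": authority != expected_authority}

# Constructed sample data (not real addresses).
MULTISIG = bytes([0x11]) * 32
STAGED = bytes([0x22]) * 32

def sample_message(authority):
    """Build a constructed legacy message whose first instruction advances a nonce."""
    keys = [authority, bytes([0xAA]) * 32, bytes([0xBB]) * 32, SYSTEM_PROGRAM]
    ix = bytes([3, 3, 1, 2, 0, 4]) + ADVANCE_NONCE
    return (bytes([1, 0, 2, len(keys)]) + b"".join(keys)
            + bytes(32) + bytes([1]) + ix)

if __name__ == "__main__":
    print(nonce_findings(sample_message(STAGED), MULTISIG))
```

In a durable-nonce transaction the 32-byte field after the key list carries the stored nonce value rather than a recent blockhash, which is why the signature stays valid until that nonce is advanced.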
Built on