Reference
Transaction safety
Transaction construction, simulation, signing, confirmation, and verification requirements.
Every write example in this documentation follows the same flow:
- Read the current on-chain accounts at
confirmedcommitment. - Validate balances, pause flags, caps, deadlines, and user-entered bounds.
- Create missing associated token accounts before the Nest instruction.
- Fetch a fresh oracle payload when the action changes borrowing power.
- Simulate the exact transaction.
- Ask the wallet to sign and verify that it did not mutate any instruction.
- Send with preflight enabled and confirm against the same blockhash.
- Re-read balances and protocol accounts to verify the expected postcondition.
User-controlled bounds
Never submit a zero output bound merely because the program accepts a number:
mint_nusd_with_oracle: derive the requested mint from current safe value and let the program reject an unsafe position.stake: setmin_shares_outfrom a fresh share quote minus the user's explicit slippage tolerance.- PSM conversion: current mainnet fees are zero and conversion is raw 1:1, but still show the user the exact input and output before signing.
Atomic oracle instructions
For minting and debt-bearing withdrawals, include these instructions in one transaction:
Ed25519 verification -> Nest oracle refresh -> protected Nest actionThe verifier index is encoded inside the refresh instruction. If middleware inserts or moves instructions, rebuild the transaction and indexes. Do not sign an oracle refresh in one transaction and perform the protected action in a later transaction.
RPC and wallet handling
- Do not put private keys, paid RPC credentials, or custody material in browser source, logs, URLs, or analytics.
- Use the user's wallet adapter as the signer. A Nest integration does not need to custody the user's assets.
- Do not silently fall back to a different RPC when reads fail.
- Treat simulation success as a preflight check, not finality. Confirm and then verify state.
- Show program errors to the user in plain language. Never loop retries around a risk rejection such as stale prices, bad debt, or an unsafe LTV.
The complete simulateSignSend implementation is in Project setup.