© 2026 Della Group. All Rights Reserved.
Okay, look. Every other "guide" out there treats Ed25519 on Solana like it's some magic black box you just plug into your wallet and forget. But that's bullshit. The real deal? It's a native program for verifying signatures off chain stuff on chain without wasting compute units. Guides skip the gritty part: how the Ed25519SigVerify111111111111111111111111111 program actually parses that instruction data with offsets and all. Miss that, and your airdrop claims or whatever fail silently. In my experience, that's why 90% of newbie Solana devs rage quit signature verification.
Why does this matter? Because Solana's fast as hell-50k TPS-but verifying Ed25519 sigs is a precompile. Zero compute cost if you do it right. Screw the format? Transaction rejects, you burn like 0.000005 SOL in fees anyway.
Ed25519's the signature scheme Solana lives on. Fast. Secure. 64-byte sigs, 32-byte pubkeys. Your wallet spits out a keypair, signs tx data, validators check it. Simple.
But on Solana, it's not just for tx signing. You can verify arbitrary messages on chain using the native Ed25519 program. Think distributor signs "hey, give 1 SOL to this pubkey" off chain. User submits that sig + message on chain. Boom, verified without your program doing crypto math. That's the hack.
The thing is, it's stateless. No accounts needed. Everything's jammed into the instruction data. Sound familiar? If you've fought Anchor errors, yeah.
Here's the: Ed25519SigVerify111111111111111111111111111. That's the program ID. Hardcode it. Every Ed25519 instruction targets this.
Honestly, if you're generating keys, use ed25519-dalek crate off chain. Solana keypairs are Ed25519 under the hood anyway.
| Part | Size | Notes |
|---|---|---|
| Signature | 64 bytes | Always |
| Public | 32 bytes | Ed25519 standard |
| Message | Variable | Your data, e.g. 40 bytes for pubkey + u64 amount |
| Header | 16 bytes | Sig count (1 byte) + 7 u16 offsets/padding |
So, you wanna build one? Don't code from scratch. Use helpers.
In JS with @solana/web3.js? Grab createInstruction from the ed25519 program utils. But let's do Rust first, since on chain cares.
sh -c "$(curl -sSfL https://release.solana.com/stable/install)" then anchor init test ed25519.solana keygen new -o distributor.json. That's your signer.let message = [recipient.asref(), amount.tolebytes().asref()].concat();let signature = keypair.sign(message).to_bytes();let ix = newed25519instruction(&keypair, &message);Full snippet? Here, from the sdk:
use solanasdk::ed25519instruction; let ix = ed25519instruction::newed25519_instruction(&keypair, message);
That newed25519instruction packs the header offsets automatically. Sig at some offset, pubkey next, message last. Padding byte for alignment. Magic.
What's next? Stick this ix FIRST in your transaction. Then your claim ix second.
Most guides show theory. This? Copy paste ready Anchor program. I use this for airdrops all the time.
Setup: anchor init airdrop ed25519. Update lib.rs.
First, imports. Gotta grab the sysvar for peeking at prev ix.
use anchor_lang::prelude::*;
use anchorlang::solanaprogram::{ ed25519program, pubkey::Pubkey, sysvar::instructions as ixsysvar,
};
Declare ID, program mod. Now the claim fn. This is where it gets fun.
Load instruction sysvar. Find current ix index. Grab the one before (your Ed25519 ix).
let currentixindex = ixsysvar::loadcurrentindexchecked(&ixsysvaraccount)?;
let edix = ixsysvar::loadinstructionatchecked((currentixindex - 1) as usize, &ixsysvar_account)?;
Checks: Must be Ed25519 program ID, no accounts.
require!(edix.programid == ed25519_program::id(), AirdropError::BadEd25519Program);
require!(edix.accounts.isempty(), AirdropError::BadEd25519Accounts);
Now parse data. Header's 16 bytes. Sig count == 1. Read u16 offsets.
Helper fn for offsets:
let readu16 = |i: usize| -> Result<u16> { let start = 2 + 2 * i; let src = data.get(start.start+2).unwrap(); Ok(u16::fromle_bytes([src, src]))
};
Grab offsets for sig (0), pubkey (2), msg (4). Ensure all point to this ix (u16::MAX) and past header.
Slice 'em out. Rebuild pubkey: Pubkey::newfromarray(pk_arr). Match expected distributor.
Message: first 32 bytes recipient pubkey, next 8 amount u64. Match tx accounts.
If all good? Transfer tokens or whatever. Done.
Accounts struct:
#[derive(Accounts)]
pub struct Claim<'info> { #[account(mut)] pub recipient: Signer<'info>, /// CHECK: manual validate pub expecteddistributor: UncheckedAccount<'info>, #[account(address = ixsysvar::ID)] pub instructionsysvar: AccountInfo<'info>, pub systemprogram: Program<'info, System>,
}
Errors? Define enum: InvalidInstructionSysvar, BadEd25519Program, etc. Anchor handles msg.
Potential issue: Offsets wrong? Boom, InvalidInstructionSysvar. Test with wrong sig-tx fails precompile, your program never runs. Smart.
const ed25519Program = Ed25519Program.programId;createEd25519Instruction(keypair, message) helper. Packs data right.In my experience, Phantom/Solflare handle Solana keypairs fine. But for distributor (server side), use node ed25519.
Fees? Ed25519 ix itself: ~0.000005 SOL priority fee if congested. Claim ix: compute units dirt cheap since verification's precompile.
But wait, stuff breaks. A lot.
Message too big? data.len() < offset + size. Fix: Pad messagedatasize exactly. No more, no less.
Forget signatureixidx == 65535? Program reads wrong ix data. Cross instruction hacks fail. Always set to MAX for same ix.
u64 little endian. JS: new DataView(buffer).setBigUint64? No, LE: use Buffer.writeUIntLE.
Parsed pk != expected? Check slicing: publickeyoffset to +32 exactly.
Another gotcha: Transaction with >255 ixs? Indices u8? Nah, Solana handles, but keep simple.
Airdrops. Merkle drops (sig per claim). Off chain oracles signing prices. Permissionless claims.
Why not CPI to ed25519_program? You can't directly. It's instruction introspection only. Prev ix must be the verify.
Scale? Verify 10 sigs in one ix. Header supports num_sigs >1. Loop in precompile.
Localnet: solana test validator. Anchor test.
Off chain helper for distributor sig:
async function createEd25519Instruction(distributorKeypair, recipient, amount) { const message = Buffer.concat([ recipient.toBuffer(), Buffer.from(U64Bytes(amount).toArray('le', 8)) ]); // Use web3.js ed25519 utils or tweetnacl const signature = nacl.sign.detached(message, distributorKeypair.secretKey); // Build ix data manually or helper return web3.Ed25519Program.createInstructionWithPublicKey({ publicKey: distributorKeypair.publicKey, message, signature });
}
Run test: Sign, build tx [edIx, claimIx], send to localhost. Watch logs: "Instruction passed" for ed25519.
Devnet? Fund distributor 0.1 SOL. Try real tx. Fees negligible.
Empty message? Allowed, size=0. But offsets must validate.
Pubkey invalid bytes? Precompile errors before your program.
Multi sig ix before multi claim? Parse loop over sig_count.
Honestly, the header parsing is finicky. Copy the Anchor code verbatim first time.
I usually batch claims. One tx, multiple verifies? Nah, one ix per verify, but chain 'em.
Monitor compute: Introspection cheap, ~1k CU.
Security: Never trust sig without parsing msg yourself. Replay attacks? Add nonce/timestamp to message.
© 2026 Della Group. All Rights Reserved.