What is a Program Derived Address
A Program Derived Address (PDA) is an account address calculated from a program’s ID and a selection of arbitrary inputs (known as “seeds”) that is intentionally created such that there is no private key for the address. As a result, only the deriving program can initiate actions on a PDA address, making the address effectively a program-owned safe, ledger, or escrow — the backbone of nearly all non-wallet accounts on Solana.
Consider the example of valet parking. A parking service generates your ticket ID based on a formula that uses some inputs that are public (your license plate) and some inputs that are secret (an internal value known to the valet only). No key is generated for this specific parking spot. No amount of luck or brute force can guess the key. And the parking spot owner knows that it is impossible to access your car. The valet can move the car. And anyone with a calculator can recreate the spot your car is currently parked in. Similarly, a PDA’s address is created from a formula using public (your wallet address) and secret (the number 4) inputs; only the program can act on the PDA address; and anyone with a calculator can recreate the address.
How PDAs Work Technically
In the derivation, the seeds are arbitrarily defined, such as a wallet address or the word "vault". They are hashed together with the program's ID. There is a problem here: the output of the hash could theoretically be a valid Ed25519 curve point and therefore a valid address, with a private key that exists (albeit one that is unknown). As a consequence, the address derivation adds a “bump seed” value, starting at 255 and iterating downwards. The first value for which the resulting address is off-curve (no key) is referred to as the “canonical bump seed” and is stored as a constant in the deriving program’s logic.
When it comes time to execute an action from the PDA, say, to release funds locked in an escrow account, or to update a token account associated with a liquidity position, the program will call a special instruction invoke_signed and pass the seeds used to generate the address as proof of derivation. If the math checks out, the PDA address is treated as a valid signer, though no cryptographic signature is involved.
Determinism is the secret weapon of PDAs. If I open up Phantom today, I will find my USDC wallet. Phantom doesn’t need to reach out to the blockchain to ask me, “Hey, where is your USDC?” because USDC is a token account (a PDA) that is computed from my wallet address and the USDC mint address, and is available to any wallet in existence. My Orca liquidity position, my Kamino vault, and my Marinade stake account are each similarly PDAs whose addresses are known, given the public inputs.
How PDAs Compare to Ethereum
Ethereum’s closest match to PDA is the CREATE2 opcode. Given a deployed contract’s address and two pieces of user-defined input, a CREATE2 opcode can produce a deterministically computed contract address where the contract bytecode has never been deployed. In Ethereum, to create a program-controlled storage account at a deterministic address, one must also deploy an actual contract to that address and pay a deployment fee (in gas). With a PDA, the account is created at no cost beyond a rent-exempt storage deposit (~0.002 SOL or $0.16 for a token account). In Ethereum, a contract stores state internally (and so owns that state). In Solana, we keep the ownership of program-controlled state in keyless PDA addresses and use the program as a valid signature on the account.
Why PDAs Matter
When you list an NFT on Tensor or Magic Eden, your NFT is held in an escrow account (a PDA). Only the marketplace program has authority to move that NFT to a buyer or to return it to your wallet. No one, including the marketplace’s employees, has the authority (private key) to do anything with your NFT. And yet, you don’t need to trust the marketplace to do the right thing. Trustless escrow is baked into the logic of the PDA. Similarly, your funds routed by Jupiter and your Solend loans are secured by PDAs. PDAs do come with some costs, which are paid by the dApp developers. Programs have been hacked in the past because of incorrectly computed PDA addresses, and each PDA account created requires the rent deposit (in SOL) to be refunded by an account close transaction.
Can anyone figure out what the private key for a PDA is?
Since all PDA addresses are provably off-curve and thus cannot have a key, it’s impossible for anyone to figure out the private key for a PDA. In fact, no private key exists. In order to spend from a PDA, a user must rely on the deriving program to move the funds, which is exactly what we want.