Overview
To enable native Solana program calls via API and dApps, you must create a Policy rule with the Program Call operation type. You can use the following rule parameters to govern your native Solana program calls: source, initiator, designated signer, and allow/block/request approval. Additionally, you can whitelist specific programs and addresses to ensure that only approved program calls are executed.
Note
Policy rules for Solana Raw Signing transactions do not apply to Solana program calls initiated via the Fireblocks API.
Whitelisting programs and destinations
For Solana program calls to work as expected, every program you interact with must be explicitly whitelisted, along with any transfer destinations involved in the transaction.
For example, if you're swapping SOL on a DEX like Jupiter, and the transaction routes through wrapped SOL (wSOL), you must whitelist both the wSOL program and the relevant Jupiter program addresses. Without this, the transaction may fail due to missing permissions.
To whitelist specific programs, use the Contract Wallet to add a Program Address. Choose SOL or SOL_TEST as the blockchain's base asset and add the program address. The new program appears as Pending Approval and can be used once approved.
Automatically whitelisted programs
Fireblocks automatically whitelists certain Solana programs and accounts, removing the need for manual whitelisting.
| Program | Address | Purpose |
| System Program | 11111111111111111111111111111111 | Responsible for creating and managing accounts, transferring SOL, and other system-level operations. |
| Compute Budget | ComputeBudget111111111111111111111111111111 | Adjusts compute limits and resource allocation for transactions that require additional resources. |
| Token Program | TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA | Defines a common implementation for fungible and non-fungible tokens. |
| Token-2022 Program | TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb | A superset of the Token Program, also known as Token Extensions. |
| Associated Token Account Program | ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL | Defines the convention for mapping a user's wallet address to their associated token accounts. |
| Memo Program | MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr | Validates a string of UTF-8 encoded characters and verifies that any accounts provided are signers of the transaction. |
| RecentBlockhashes Sysvar Account | SysvarRecentB1ockHashes11111111111111111111 | Contains the active recent blockhashes and their associated fee calculators. |
| Rent Sysvar Account | SysvarRent111111111111111111111111111111111 | Contains the rental rate. |
| Staking program | Stake11111111111111111111111111111111111111 | Automatically whitelists addresses so staking customers don't have to do it manually. |
How dApps program calls work with policy
When you initiate a Solana program call, Fireblocks evaluates every program ID involved in the transaction against your policy rules before approving it for signing. A program ID is the on-chain address of a Solana program - similar to a smart contract address on EVM chains.
Many DeFi operations involve more than one program. When a program executes an instruction, it often calls other programs as part of the same transaction. For example, a token swap on a DEX aggregator like Jupiter doesn't interact with a single program - it dynamically routes through multiple possible programs. A single swap may involve Jupiter's own program, plus Orca, Raydium, or Meteora depending on liquidity conditions. Every program invoked in that transaction - including those called indirectly - must be permitted by your policy.
If any program in the transaction is not whitelisted and not covered by your policy, the entire transaction is blocked.
This could cause a cascading effect of many programs that have to be whitelisted for transactions to be securely executed after being screened by the policy engine.
To overcome this complexity while keeping secure policies, Fireblocks has grouped dApps that employ multiple programs into groups, embodied in the Global Program Whitelisting.
Global program whitelisting
Manually whitelisting every program a DeFi transaction might call is impractical for many use cases. DeFi aggregators like Jupiter can route through dozens of different programs depending on liquidity conditions at the time of the transaction, and the specific programs involved are not always known in advance.
To solve this, Fireblocks is introducing global program whitelisting - a managed list of commonly used Solana program IDs that you can include in your policy rules with a single selection, instead of managing program IDs manually.
Program categories
When configuring the allowed programs for a Program Call policy rule, you select from three categories:
System programs
Core Solana runtime programs that Fireblocks already whitelists automatically (see table above). These are always included and cannot be deselected.
Predefined programs
A curated list of widely used DeFi protocol programs maintained by Fireblocks - for example, Jupiter, Orca and Raydium. You can select all predefined programs, or choose a specific subset relevant to your operations.
Note:
dApps containers are updated periodically based on changes applied by the dApps themselves of the programs they use. You may add any program that is not included in the predefined list of a dApp, as needed.
Whitelisted programs
Programs you have manually added to your workspace whitelist. You can select all of your whitelisted programs, or restrict the rule to a specific subset.
Configure policy rules using global program whitelisting
- In the Fireblocks Console, go to Policies.
- Select the policy you want to edit, then select Edit policy.
- Select + Add rule and choose Program Call as the operation type.
- In the Destination section, select the categories and specific programs you want this rule to govern.
- Complete the remaining rule parameters (source, initiator, action).
- Select Save, then publish the policy. The required approval quorum must approve the change before the rule takes effect.
Note:
You must opt into the global and predefined program lists per policy rule - they are not applied automatically to existing rules.