Sui Wallet Exploration
How do safety standards actually get written?
Not from committees. From the workshop floor, after someone gets hurt.
The Incident
On January 2, 2026, an official Solana Mobile notification deleted a seed phrase without warning. ~$10K gone. No confirmation dialog, no balance check, no recovery path. Support ran 33 days without resolution.
In a factory, that's a near-miss report. It becomes a procedure. The procedure becomes a standard. The standard prevents it from happening to anyone else.
The Standard
The response was not a complaint. It was architecture — five safety patterns built for Solana, now adapted for Sui. Not a port. A rethink. Because Sui's object model and Move language prevent entire categories of failure at the language level.
This is the knowledge stack in action:
| Stage | What Happened | What It Becomes |
|---|---|---|
| Pain | Seed phrase deleted, $10K lost | The observation that reveals the gap |
| Protocol | Five safety patterns built for Solana | Specific rules that prevent the failure |
| Standard | Same patterns proven across Sui + Solana | Chain-agnostic principles any wallet can adopt |
| Platform | Open components, shared across ventures | Infrastructure that compounds |
Every safety procedure in a factory started the same way. Someone got hurt. Someone wrote it down. The write-up became the standard. The standard transformed the industry.
The Safety Thesis
Four failures from the incident. Each maps to an architectural fix:
| Failure | What Happened | Solana Fix (Built) | Sui Fix (This PRD) |
|---|---|---|---|
| Silent destruction | Seed deleted without warning | NuclearWarningDialog — multi-step confirmation with countdown | Move linear types — resources cannot be accidentally destroyed |
| No balance check | Destructive op ignored existing assets | BalanceAwareGuard — checks all token accounts | Object ownership — assets are explicit objects, not hidden account balances |
| No simulation | User couldn't preview consequences | TransactionSimulator — dry-run before sign | PTB inspection — preview all effects of programmable transaction block |
| Key exposure | App touched seed phrase directly | Wallet adapter pattern — app never sees keys | zkLogin — Web2 credentials sign via ZKP |
The principle: Safety is an architectural constraint, not a feature. The best safety code is code that doesn't need to exist because the platform prevents the failure.
Patterns
1. Connection
Solana: Wallet adapter connects, app receives only public key.
Sui: Same principle, better primitives.
| Component | What It Does | Sui Advantage |
|---|---|---|
SuiWalletConnect | Connect via Sui dApp Kit | Native hooks, typed responses |
ZkLoginConnect | Sign in with Google/Apple/Twitch | No wallet install — zkLogin |
SponsoredSession | App covers gas costs | Sponsored transactions — zero friction |
ConnectionGuard | Verify network + wallet state | Object-level checks, not account-level |
zkLogin changes the game: Most wallet UX problems stem from the wallet itself — install friction, seed phrase management, network switching. zkLogin eliminates the wallet as a user-facing concept. Sign in with Google. Sui handles the rest.
2. Transaction Safety
Solana: TransactionSimulator dry-runs transactions and shows balance impact before signing.
Sui: PTBs make this more powerful — up to 1024 operations in one transaction, all previewable.
| Component | What It Does | Sui Advantage |
|---|---|---|
PtbInspector | Visualize all operations in a PTB before execution | One transaction, full visibility |
ObjectDiffPreview | Show which objects change and how | Explicit mutations, not opaque balance shifts |
GasEstimator | Predict gas cost before signing | Predictable fees even under load |
EffectsSimulator | Dry-run against current state | Dev Inspect — native |
The object difference: On Solana, simulation shows "your SOL goes from X to Y." On Sui, it shows "Object A (your NFT) transfers to Address B, Object C (coin) splits into Object D (payment) + Object E (change)." Explicit objects make consequences visible.
3. Destructive Operations
Solana: NuclearWarningDialog — multi-step confirmation with countdown for irreversible actions.
Sui: Move's type system adds a layer Solana can't have.
| Component | What It Does | Sui Advantage |
|---|---|---|
DestructiveOpGate | Multi-step confirmation for key/object deletion | Defense in depth |
ObjectOwnershipCheck | Verify caller owns the object before destructive action | Move has key — ownership in the type system |
CooldownTransfer | Time-locked transfers for high-value objects | Clock module — on-chain time |
MoveResourceGuard | Display: "This object cannot be accidentally destroyed" | Move linear types — compile-time, not runtime |
Move's structural safety: A resource with the key ability can only be transferred or stored — never silently dropped. The Solana Seed Vault incident was a "resource accidentally dropped" bug. Move makes that a compile-time error.
// A Coin<SUI> cannot be silently destroyed.
// The compiler enforces it. No UI warning needed.
public fun transfer_safely(coin: Coin<SUI>, recipient: address) {
// coin MUST go somewhere — transfer, merge, or split
// letting it drop = compile error
transfer::public_transfer(coin, recipient);
}
4. Balance Guard
Solana: BalanceAwareGuard — checks all token accounts before destructive operations.
Sui: Objects make this simpler and more complete.
| Component | What It Does | Sui Advantage |
|---|---|---|
OwnedObjectsAudit | List ALL objects owned by address | One call — suix_getOwnedObjects |
ValueAtRisk | Calculate total value of owned objects | No hidden token accounts to miss |
PreDestructionInventory | Full inventory before any key/account action | Objects enumerable by design |
The Solana problem was hidden state. Token accounts exist but aren't visible unless you know to look. On Sui, every asset is an explicit owned object. getOwnedObjects returns everything. Nothing hides.
5. Asset Operations
Solana: Separate patterns for SPL tokens vs SOL vs NFTs.
Sui: Everything is an object. One pattern.
| Component | What It Does | Sui Advantage |
|---|---|---|
ObjectTransfer | Transfer any owned object | One function: transfer::public_transfer |
CoinSplitMerge | Split/merge coin objects for exact payments | Native coin operations |
NftManager | Display, transfer, list NFTs | NFTs are objects — same as coins |
KioskIntegration | List/buy/delist on marketplace | Kiosk standard |
Cross-Chain Comparison
Build both, learn from both:
| Dimension | Solana | Sui | Implication |
|---|---|---|---|
| Data model | Accounts + token accounts | Objects with explicit owners | Sui: nothing hides. Solana: must discover accounts |
| Safety | Runtime checks (UI code) | Compile-time (Move type system) | Sui: fewer bugs possible |
| Onboarding | Wallet required | zkLogin (no wallet) | Sui: mainstream-ready |
| Gas | User pays | Sponsored transactions native | Sui: app covers gas |
| Composability | CPI calls between programs | PTBs (1024 ops in one tx) | Sui: complex flows atomic |
| Speed | ~400ms | ~390ms | Comparable |
| Ecosystem | Mature, deep DeFi | Growing, strong gaming/NFT | Solana: proven. Sui: higher ceiling |
Architecture
Stack
┌─────────────────────────────────────────────────┐
│ SAFETY PATTERNS (UI) │
│ Connect │ Simulate │ Guard │ Balance │ Assets │
├──────────────── ─────────────────────────────────┤
│ SUI DAPP KIT │
│ Hooks │ Components │ Wallet Connect │ RPC │
├─────────────────────────────────────────────────┤
│ MOVE CONTRACTS │
│ Identity │ Links │ Loyalty │ Device Registry │
├─────────────────────────────────────────────────┤
│ SUI CORE │
│ Objects │ PTBs │ zkLogin │ Mysticeti (~390ms) │
└─────────────────────────────────────────────────┘
Existing Move Contracts
Already built in Stackmates:
| Module | What It Does | Wallet Relevance |
|---|---|---|
identity | On-chain identity objects | User profile, reputation |
links | Object relationship chains | Attribution, provenance |
loyalty | Points/rewards system | Display loyalty objects |
collision | Cross-domain interactions | Third-space object creation |
device-registry | DePIN device management | Hardware wallet integration |
governance | Voting and proposals | DAO participation from wallet |
Each has a TypeScript client. The wallet UI wires to these.
Why This Matters
Crypto products are unfriendly to non-experts. Hiding what's going on undermines the trust the technology ensures. Every wallet team navigates this tension independently. There is no shared standard.
Compare that to factory engineering. NIST, ISO, OWASP — every safety-critical industry has extractable standards that prevent known failure modes. Crypto wallets don't. Each team learns the hard way.
This PRD is the beginning of a wallet safety standard:
| What factories have | What wallets don't | This PRD provides |
|---|---|---|
| Near-miss reporting | Incidents buried in support tickets | Public documentation of failure modes |
| Safety procedures | Each team invents their own | Five extractable patterns with rationale |
| Cross-site adoption | Patterns locked inside companies | Chain-agnostic principles proven on Sui + Solana |
| Commissioning gates | Ship and hope | Progressive verification per component |
The Dream-Engineering handoff: the dream is wallets that don't destroy people's assets. The standard is the spec. The engineering is building it in the open.
Commissioning
Each component progresses through the factory model:
| Component | Schema | Client | UI | Tests | Status |
|---|---|---|---|---|---|
SuiWalletConnect | Pending | Pending | Pending | Pending | 0% |
ZkLoginConnect | Pending | Pending | Pending | Pending | 0% |
PtbInspector | Pending | Pending | Pending | Pending | 0% |
ObjectDiffPreview | Pending | Pending | Pending | Pending | 0% |
DestructiveOpGate | Pending | Pending | Pending | Pending | 0% |
OwnedObjectsAudit | Pending | Pending | Pending | Pending | 0% |
ObjectTransfer | Pending | Pending | Pending | Pending | 0% |
KioskIntegration | Pending | Pending | Pending | Pending | 0% |
Pre-existing: 12 Move modules deployed to testnet. 5 TypeScript clients built. Wallet UI is the gap.
Next Steps
1. Port TransactionSimulator → PtbInspector (highest learning)
2. Implement ZkLoginConnect (biggest UX unlock)
3. Build ObjectDiffPreview (Sui's unique advantage)
4. Wire to existing Move contracts
5. Deploy alongside Solana version for comparison
Smallest move: One component. Both chains. Compare. The feedback loop validates the thesis.
Context
- The Incident — The near-miss report that started the standard
- Solana Safety Patterns — First implementation, single chain
- Standards — How protocols become standards become platform
- Knowledge Stack — Pain → protocol → standard → platform
- Sui Technical — Object model, Move, Mysticeti
- Sui Dev Resources — SDKs, tools
- Stackmates — The platform these patterns plug into
- Open PRDs — Building in the open