Sui Wallet Exploration
How do safety standards actually get written?
Not from committees. From the workshop floor, after someone gets hurt.
The Incident
On January 2, 2026, an official Solana Mobile notification deleted a seed phrase without warning. ~$10K gone. No confirmation dialog, no balance check, no recovery path. Support ran 33 days without resolution.
In a factory, that's a near-miss report. It becomes a procedure. The procedure becomes a standard. The standard prevents it from happening to anyone else.
The Standard
The response was not a complaint. It was architecture — five safety patterns built for Solana, now adapted for Sui. Not a port. A rethink. Because Sui's object model and Move language prevent entire categories of failure at the language level.
This is the knowledge stack in action:
| Stage | What Happened | What It Becomes |
|---|---|---|
| Pain | Seed phrase deleted, $10K lost | The observation that reveals the gap |
| Protocol | Five safety patterns built for Solana | Specific rules that prevent the failure |
| Standard | Same patterns proven across Sui + Solana | Chain-agnostic principles any wallet can adopt |
| Platform | Open components, shared across ventures | Infrastructure that compounds |
Every safety procedure in a factory started the same way. Someone got hurt. Someone wrote it down. The write-up became the standard. The standard transformed the industry.
Benchmark-First Direction
This PRD follows a benchmark-first order:
- Define wallet safety benchmark checklist as deterministic landing surface
- Validate implementations against that checklist
- Compare chain implementations (Solana, Sui, EVM)
- Encode benchmark attestations onchain (target: Sui/Move)
Reference landing standard: Wallet Safety Benchmarks.
The Safety Thesis
Four failures from the incident. Each maps to an architectural fix:
| Failure | What Happened | Solana Fix (Built) | Sui Fix (This PRD) |
|---|---|---|---|
| Silent destruction | Seed deleted without warning | NuclearWarningDialog — multi-step confirmation with countdown | Move linear types — resources cannot be accidentally destroyed |
| No balance check | Destructive op ignored existing assets | BalanceAwareGuard — checks all token accounts | Object ownership — assets are explicit objects, not hidden account balances |
| No simulation | User couldn't preview consequences | TransactionSimulator — dry-run before sign | PTB inspection — preview all effects of programmable transaction block |
| Key exposure | App touched seed phrase directly | Wallet adapter pattern — app never sees keys | zkLogin — Web2 credentials sign via ZKP |
The principle: Safety is an architectural constraint, not a feature. The best safety code is code that doesn't need to exist because the platform prevents the failure.
Patterns
1. Connection
Solana: Wallet adapter connects, app receives only public key.
Sui: Same principle, better primitives.
| Component | What It Does | Sui Advantage |
|---|---|---|
SuiWalletConnect | Connect via Sui dApp Kit | Native hooks, typed responses |
ZkLoginConnect | Sign in with Google/Apple/Twitch | No wallet install — zkLogin |
SponsoredSession | App covers gas costs | Sponsored transactions — zero friction |
ConnectionGuard | Verify network + wallet state | Object-level checks, not account-level |
zkLogin changes the game: Most wallet UX problems stem from the wallet itself — install friction, seed phrase management, network switching. zkLogin eliminates the wallet as a user-facing concept. Sign in with Google. Sui handles the rest.
2. Transaction Safety
Solana: TransactionSimulator dry-runs transactions and shows balance impact before signing.
Sui: PTBs make this more powerful — up to 1024 operations in one transaction, all previewable.
| Component | What It Does | Sui Advantage |
|---|---|---|
PtbInspector | Visualize all operations in a PTB before execution | One transaction, full visibility |
ObjectDiffPreview | Show which objects change and how | Explicit mutations, not opaque balance shifts |
GasEstimator | Predict gas cost before signing | Predictable fees even under load |
EffectsSimulator | Dry-run against current state | Dev Inspect — native |
The object difference: On Solana, simulation shows "your SOL goes from X to Y." On Sui, it shows "Object A (your NFT) transfers to Address B, Object C (coin) splits into Object D (payment) + Object E (change)." Explicit objects make consequences visible.
3. Destructive Operations
Solana: NuclearWarningDialog — multi-step confirmation with countdown for irreversible actions.
Sui: Move's type system adds a layer Solana can't have.
| Component | What It Does | Sui Advantage |
|---|---|---|
DestructiveOpGate | Multi-step confirmation for key/object deletion | Defense in depth |
ObjectOwnershipCheck | Verify caller owns the object before destructive action | Move has key — ownership in the type system |
CooldownTransfer | Time-locked transfers for high-value objects | Clock module — on-chain time |
MoveResourceGuard | Display: "This object cannot be accidentally destroyed" | Move linear types — compile-time, not runtime |
Move's structural safety: A resource with the key ability can only be transferred or stored — never silently dropped. The Solana Seed Vault incident was a "resource accidentally dropped" bug. Move makes that a compile-time error.
// A Coin<SUI> cannot be silently destroyed.
// The compiler enforces it. No UI warning needed.
public fun transfer_safely(coin: Coin<SUI>, recipient: address) {
// coin MUST go somewhere — transfer, merge, or split
// letting it drop = compile error
transfer::public_transfer(coin, recipient);
}
4. Balance Guard
Solana: BalanceAwareGuard — checks all token accounts before destructive operations.
Sui: Objects make this simpler and more complete.
| Component | What It Does | Sui Advantage |
|---|---|---|
OwnedObjectsAudit | List ALL objects owned by address | One call — suix_getOwnedObjects |
ValueAtRisk | Calculate total value of owned objects | No hidden token accounts to miss |
PreDestructionInventory | Full inventory before any key/account action | Objects enumerable by design |
The Solana problem was hidden state. Token accounts exist but aren't visible unless you know to look. On Sui, every asset is an explicit owned object. getOwnedObjects returns everything. Nothing hides.
5. Asset Operations
Solana: Separate patterns for SPL tokens vs SOL vs NFTs.
Sui: Everything is an object. One pattern.
| Component | What It Does | Sui Advantage |
|---|---|---|
ObjectTransfer | Transfer any owned object | One function: transfer::public_transfer |
CoinSplitMerge | Split/merge coin objects for exact payments | Native coin operations |
NftManager | Display, transfer, list NFTs | NFTs are objects — same as coins |
KioskIntegration | List/buy/delist on marketplace | Kiosk standard |
Cross-Chain Comparison
Build both, learn from both:
| Dimension | Solana | Sui | Implication |
|---|---|---|---|
| Data model | Accounts + token accounts | Objects with explicit owners | Sui: nothing hides. Solana: must discover accounts |
| Safety | Runtime checks (UI code) | Compile-time (Move type system) | Sui: fewer bugs possible |
| Onboarding | Wallet required | zkLogin (no wallet) | Sui: mainstream-ready |
| Gas | User pays | Sponsored transactions native | Sui: app covers gas |
| Composability | CPI calls between programs | PTBs (1024 ops in one tx) | Sui: complex flows atomic |
| Speed | ~400ms | ~390ms | Comparable |
| Ecosystem | Mature, deep DeFi | Growing, strong gaming/NFT | Solana: proven. Sui: higher ceiling |
Architecture
Stack
┌─────────────────────────────────────────────────┐
│ SAFETY PATTERNS (UI) │
│ Connect │ Simulate │ Guard │ Balance │ Assets │
├─────────────────────────────────────────────────┤
│ SUI DAPP KIT │
│ Hooks │ Components │ Wallet Connect │ RPC │
├─────────────────────────────────────────────────┤
│ MOVE CONTRACTS │
│ Identity │ Links │ Loyalty │ Device Registry │
├─────────────────────────────────────────────────┤
│ SUI CORE │
│ Objects │ PTBs │ zkLogin │ Mysticeti (~390ms) │
└─────────────────────────────────────────────────┘
Existing Move Contracts
Already built in Stackmates:
| Module | What It Does | Wallet Relevance |
|---|---|---|
identity | On-chain identity objects | User profile, reputation |
links | Object relationship chains | Attribution, provenance |
loyalty | Points/rewards system | Display loyalty objects |
collision | Cross-domain interactions | Third-space object creation |
device-registry | DePIN device management | Hardware wallet integration |
governance | Voting and proposals | DAO participation from wallet |
Each has a TypeScript client. The wallet UI wires to these.
Product Features
| Feature | Function | User Outcome | Priority |
|---|---|---|---|
Safe Connect (SuiWalletConnect, ZkLoginConnect) | Establish authenticated session without exposing keys | Users can start safely with minimal friction | Must |
Transaction Preview (PtbInspector, ObjectDiffPreview) | Show exactly what objects and value will change before signing | Fewer irreversible mistakes, clearer trust | Must |
Destructive Guardrails (DestructiveOpGate, ObjectOwnershipCheck) | Block unsafe operations with explicit confirmation and ownership checks | Prevent silent loss and accidental deletion | Must |
Portfolio Audit (OwnedObjectsAudit, ValueAtRisk) | Enumerate all owned objects and estimate value at risk | Users understand full account exposure | High |
Asset Operations (ObjectTransfer, CoinSplitMerge, KioskIntegration) | Provide safe defaults for transfer, payment, and listing | Users can act confidently, not just inspect | High |
| Safety Logging | Capture near-miss and blocked-risk events for analysis | Safety patterns improve over time | Medium |
Business Dev
The first market is teams and apps that need trustworthy wallet UX, not speculative token users.
| Layer | Decision | Initial Assumption | Validation Signal |
|---|---|---|---|
| ICP | Who adopts first? | Sui app builders and teams integrating wallet flows | 5 design-partner teams |
| Offer | What are we selling? | Open safety pattern kit + implementation support | 3 production integrations |
| Channel | How do we reach them? | Builder communities, docs, ecosystem partnerships | Qualified inbound from technical teams |
| Conversion | What proves fit? | Team adopts at least 2 safety components in production | Integration completion within one cycle |
| Retention | Why do they keep using it? | Safety incidents decline and upgrade path stays simple | Repeat usage across new wallet flows |
| Expansion | How does it compound? | Cross-chain safety standard package from Sui + Solana learnings | Additional chain adaptations requested |
Commercial Paths
- Open standard path: Free reference implementation and docs.
- Integration path: Paid implementation and safety review.
- Platform path: Bundle into Stackmates trust layer for ventures needing asset operations.
Why This Matters
Crypto products are unfriendly to non-experts. Hiding what's going on undermines the trust the technology ensures. Every wallet team navigates this tension independently. There is no shared standard.
Compare that to factory engineering. NIST, ISO, OWASP — every safety-critical industry has extractable standards that prevent known failure modes. Crypto wallets don't. Each team learns the hard way.
This PRD is the beginning of a wallet safety standard:
| What factories have | What wallets don't | This PRD provides |
|---|---|---|
| Near-miss reporting | Incidents buried in support tickets | Public documentation of failure modes |
| Safety procedures | Each team invents their own | Five extractable patterns with rationale |
| Cross-site adoption | Patterns locked inside companies | Chain-agnostic principles proven on Sui + Solana |
| Commissioning gates | Ship and hope | Progressive verification per component |
The Dream-Engineering handoff: the dream is wallets that don't destroy people's assets. The standard is the spec. The engineering is building it in the open.
Commissioning
Each component progresses through the factory model:
| Component | Schema | Client | UI | Tests | Status |
|---|---|---|---|---|---|
SuiWalletConnect | Pending | Pending | Pending | Pending | 0% |
ZkLoginConnect | Pending | Pending | Pending | Pending | 0% |
PtbInspector | Pending | Pending | Pending | Pending | 0% |
ObjectDiffPreview | Pending | Pending | Pending | Pending | 0% |
DestructiveOpGate | Pending | Pending | Pending | Pending | 0% |
OwnedObjectsAudit | Pending | Pending | Pending | Pending | 0% |
ObjectTransfer | Pending | Pending | Pending | Pending | 0% |
KioskIntegration | Pending | Pending | Pending | Pending | 0% |
Pre-existing: 12 Move modules deployed to testnet. 5 TypeScript clients built. Wallet UI is the gap.
Engineering Handoff: Navigation and Safety Corrections
This section is the current RFP-style handoff from Dream repo to Engineering repo.
Job To Be Done
Make Sui safety patterns discoverable and trustworthy in the design system so teams can evaluate and adopt them without ambiguity.
Current failure mode:
- Sui pages exist in code, but main crypto navigation hides/blocks them.
- Some pages are presented as complete while still demo/mock.
- A destructive operation demo bypasses ownership check.
Scope (Engineering Repo)
Primary implementation paths:
apps/dreamineering/drmg-design-system/src/app/_components/navigation.tsxapps/dreamineering/drmg-design-system/src/app/(crypto)/crypto/page.tsxapps/dreamineering/drmg-design-system/src/app/(crypto)/sui/destructive-ops/page.tsxapps/dreamineering/drmg-design-system/src/app/(crypto)/sui/page.tsx
Required Outcomes
| Outcome | Pass Condition | Why It Matters |
|---|---|---|
| Sui discoverability | Sui appears in sidebar crypto section and crypto landing page links to /sui | Users can actually find and test the Sui implementation |
| Truthful readiness state | Sui status labels reflect real state (in-progress / demo) rather than complete when mocks remain | Prevents false confidence in adoption decisions |
| Safety integrity | Destructive operations demo does not bypass ownership verification by default | Aligns with core safety thesis: architecture before UX theater |
| Route consistency | Legacy /onchain/solana references do not conflict with /solana and /sui route model | Reduces navigation drift and maintenance errors |
Commissioning Checklist (Independent Verification)
Commissioner verifies in browser and code:
/cryptoshows active link card to Sui (not disabled).- Sidebar crypto section includes both Solana and Sui.
- Navigating to
/suiexposes 5 pattern pages:/sui/connection/sui/transaction-safety/sui/destructive-ops/sui/balance-guard/sui/asset-operations
DestructiveOpGatedoes not useskipOwnershipCheckin default demo path.- Sui readiness badges match implementation reality (demo/mock clearly labeled).
Acceptance Evidence
For delivery to be marked "ready for inspection", provide:
- Screenshot/video of
/cryptoand sidebar showing Sui discoverability - Diff references for navigation/status changes
- Screenshot/video of destructive op flow with ownership check enforced
- Short note describing remaining mocked dependencies (if any) and their current status
Priority
P0 — This is a commissioning integrity issue, not a cosmetic issue.
If discoverability and safety signaling are wrong, commissioning cannot be trusted.
Lead Architect: Plan Instantiation Pack
This block is formatted for the orchestration flow in:
.ai/orchestration/team-operations/user-interface/.ai/orchestration/team-operations/intelligence-engine/
Primary Team Route
| Team | Template | Why |
|---|---|---|
| user-interface | cdd-jtbd-exploration | Component/nav wiring work in design-system app and libs |
| user-interface | e2e-intent-validation | Browser-proof that navigation + safety flows are realizable |
Plan Metadata (for plan-cli.ts create)
Use these values when instantiating the first UI plan:
| Field | Value |
|---|---|
team | user-interface |
branch | team/ui |
objective | "Make Sui safety patterns discoverable and truthfully commissioned in crypto design system flows." |
prdRef.path | src/pages/phygital-mycelium/prd-sui-wallet/index.md |
prdRef.section | Engineering Handoff: Navigation and Safety Corrections |
prdRef.acceptanceCriteria | Commissioning Checklist (Independent Verification) |
UI Scope Mapping
| Work Type | Path |
|---|---|
| Explore pages | apps/dreamineering/drmg-design-system/src/app/(crypto)/ |
| Navigation wiring | apps/dreamineering/drmg-design-system/src/app/_components/navigation.tsx |
| Shared UI extraction target | libs/app-client/ui-onchain/ and related libs/app-client/* |
| E2E validation | apps/dreamineering/drmg-sales-e2e/ (or design-system equivalent test harness) |
Task Seed (Phase 1)
- Enable Sui discoverability on
/cryptoand sidebar. - Remove default ownership-check bypass in destructive operations.
- Correct readiness labels to reflect real state (demo/mock vs complete).
- Align route model to avoid split between legacy and active crypto nav paths.
Cross-Team Note
If API/contract validation is required for phygital-agent flows, raise follow-up to intelligence-engine templates. UI team owns biological-flow proof through CDD and E2E, per team charter.
Onchain Benchmark Roadmap (Sui/Move)
Intent: engineer wallet safety benchmarking into verifiable onchain artifacts.
Job To Be Done
As a commissioner, I need wallet safety results represented as deterministic, auditable objects so benchmark outcomes are comparable across wallets and over time.
Proposed Move Artifacts
| Artifact | Purpose | Deterministic Field Examples |
|---|---|---|
BenchmarkSpec | Versioned definition of criteria and thresholds | spec_id, version, critical_rules |
WalletSubmission | Wallet/team submits implementation evidence | wallet_id, chain, build_hash, evidence_uri |
BenchmarkRun | One execution of benchmark suite | run_id, timestamp, executor, result_by_dimension |
CertificationState | Current cert level for wallet/version | level, status, expires_at, last_run_id |
Deterministic Rules
- Any critical-rule breach sets run status to
Fail. CertificationStatecan only promote when required dimensions arePass.- Every state transition stores prior state reference for audit trail.
- Same spec version + same inputs must produce same result state.
Phase Sequence
- Spec Freeze: finalize checklist fields and thresholds in docs.
- Offchain Runner: implement repeatable benchmark runner + result schema.
- Move Registry: write minimal onchain package for spec/run/cert state.
- Dual-Chain Comparison: run Solana and Sui implementations through same spec.
- EVM Extension: add EVM implementation track against unchanged benchmark model.
Success Criteria
- Benchmark checklist is single source of truth for all chain comparisons
- Pass/Warn/Fail outcomes are reproducible
- Certification state can be independently re-verified
- Sui/Move implementation proves onchain auditability for wallet safety
Next Steps
1. Port TransactionSimulator → PtbInspector (highest learning)
2. Implement ZkLoginConnect (biggest UX unlock)
3. Build ObjectDiffPreview (Sui's unique advantage)
4. Wire to existing Move contracts
5. Deploy alongside Solana version for comparison
Smallest move: One component. Both chains. Compare. The feedback loop validates the thesis.
Context
- The Incident — The near-miss report that started the standard
- Solana Safety Patterns — First implementation, single chain
- Standards — How protocols become standards become platform
- Knowledge Stack — Pain → protocol → standard → platform
- Sui Technical — Object model, Move, Mysticeti
- Sui Dev Resources — SDKs, tools
- Stackmates — The platform these patterns plug into
- Open PRDs — Building in the open