When you connect your Solana wallet to a rent recovery tool, you are trusting that tool with access to your accounts. The architecture of that tool — specifically whether it processes transactions client-side or server-side — fundamentally determines how much trust you need to place in it.
This article provides a technical deep-dive into both approaches, explaining the security implications of each and why we believe client-side tools offer a meaningfully better security profile.
How Wallet Connections Work on Solana
Before comparing architectures, it is helpful to understand what happens when you connect your wallet to any Solana dApp.
When you click “Connect Wallet” on a Solana application, your wallet extension (Phantom, Solflare, Backpack, etc.) shares your public key with the application. This is not sensitive information — your public key is already visible on the blockchain. It simply tells the application which account to work with.
The critical moment comes when the application asks your wallet to sign a transaction. This is where the architecture matters.
Client-Side Architecture
In a client-side architecture, the entire workflow happens in your browser:
- Account scanning: The tool’s JavaScript code queries the Solana RPC endpoint directly from your browser to find your token accounts
- Account filtering: The code identifies which accounts are empty (zero token balance) and eligible for closure
- Transaction construction: The close-account instructions are assembled into a Solana transaction entirely in browser JavaScript
- Transaction signing: The transaction is passed to your wallet extension for review and signing
- Transaction submission: The signed transaction is submitted to the Solana network, either from the browser or via the wallet
At no point in this flow does the tool’s server see your transaction data. The server’s role is limited to serving the static web page and JavaScript code. Tools like SolRecover and other client-side recovery tools follow this pattern.
Trust model: You trust that the JavaScript code served by the tool’s website does what it claims to do. This can be verified by inspecting the code in your browser’s developer tools. You also trust that the transaction your wallet displays for signing matches what the tool described.
Security Properties of Client-Side
What the tool CAN do:
- Read your public key and account data (publicly available on-chain anyway)
- Present a transaction for you to sign
- Include unexpected instructions in the transaction (which your wallet should display)
What the tool CANNOT do:
- Sign transactions without your wallet approval
- Access your private key
- Modify a transaction after you sign it
- Execute transactions you do not approve in your wallet
Attack vectors:
- Malicious transaction construction: The tool could include unexpected instructions (like transferring SOL to the attacker) in the transaction. However, wallet extensions display transaction details, allowing you to review what you are signing.
- Frontend compromise: If the tool’s website is compromised (supply chain attack, DNS hijack), malicious code could be served to users. This risk exists for all web applications, not just recovery tools.
- RPC manipulation: Theoretically, the tool could route RPC calls through a malicious endpoint that returns incorrect account data. This would be difficult to exploit for account closure transactions.
Server-Side Architecture
In a server-side architecture, some or all of the processing happens on the tool’s backend:
- Account scanning: Your public key is sent to the tool’s server, which queries the blockchain on your behalf
- Account filtering: The server identifies closeable accounts
- Transaction construction: The server builds the close-account transaction
- Transaction return: The constructed transaction is sent back to your browser
- Transaction signing: You sign the server-constructed transaction in your wallet
- Transaction submission: The signed transaction is submitted, potentially through the server
The key difference is that the tool’s server is an active participant in the transaction lifecycle. It sees your public key, knows your account structure, builds the transaction, and may handle submission.
Trust model: You trust the tool’s server infrastructure to construct honest transactions and to not log or misuse your account data. You cannot easily verify what the server is doing, unlike client-side code which runs in your browser.
Security Properties of Server-Side
What the tool CAN do:
- Everything the client-side tool can do, plus:
- See your complete account structure on their servers
- Log your activity and wallet address
- Construct transactions with any instructions they choose
- Potentially delay or manipulate transaction submission
What the tool CANNOT do:
- Sign transactions without your wallet approval (same as client-side)
- Access your private key (same as client-side)
Additional attack vectors (beyond client-side):
- Server compromise: If the tool’s server is hacked, the attacker can modify transaction construction for all users simultaneously. This is a significantly larger attack surface than a frontend-only compromise.
- Insider threat: An employee or operator of the tool could modify server logic to include malicious instructions in constructed transactions.
- Man-in-the-middle: Communication between your browser and the server introduces opportunities for interception, especially if TLS is misconfigured.
- Data collection: Even without malicious intent, the server can collect and store data about your wallet, accounts, and activity patterns.
Comparing the Attack Surface
| Attack Vector | Client-Side | Server-Side |
|---|---|---|
| Private key exposure | Not possible | Not possible |
| Malicious transaction | Possible (visible in wallet) | Possible (less transparent) |
| Server compromise | Static files only | Full transaction pipeline |
| Insider threat | Limited to frontend code | Can affect all transactions |
| Data collection | Minimal (public data only) | Full account data logged |
| Code auditability | Browser DevTools | Server code not visible |
| Supply chain attack | Frontend dependencies | Frontend + backend dependencies |
The comparison makes it clear that client-side architectures have a smaller attack surface. While neither approach can steal your private key, the number of things that can go wrong — and the number of parties you need to trust — is meaningfully lower with client-side tools.
Why This Matters for Rent Recovery
Rent recovery transactions are relatively simple: they close token accounts and return SOL to your wallet. This simplicity actually makes client-side processing particularly well-suited for the task. There is no need for complex server-side logic, batch processing queues, or database interactions.
A client-side tool needs to:
- Query the RPC for your token accounts (a single API call)
- Filter for empty accounts (simple JavaScript logic)
- Build close-account instructions (standard SPL Token program calls)
- Bundle them into a transaction and present for signing
This entire workflow can run efficiently in a browser with no server interaction. Tools that choose server-side processing for this use case are adding complexity (and trust requirements) without clear technical justification.
Practical Security Recommendations
Regardless of which tool you choose, follow these practices:
-
Review transactions before signing. Your wallet extension shows you what a transaction will do. Take a few seconds to verify that the instructions match what the tool described.
-
Use a reputable wallet extension. Phantom, Solflare, and Backpack all provide transaction previews that help you understand what you are approving.
-
Check the URL. Make sure you are on the correct website. Phishing sites that mimic popular tools are common in crypto.
-
Start small. If you are trying a tool for the first time, close a small number of accounts first to verify the tool works as expected before processing your entire wallet.
-
Consider the trust model. When functionality is equivalent, a tool with a smaller trust surface requires less trust. Client-side tools keep all processing in your browser, while server-assisted tools require trusting additional infrastructure.
Which Tools Use Which Architecture?
Based on our analysis and testing:
| Tool | Architecture | Fee | Notes |
|---|---|---|---|
| SolRecover.io | Client-side | 4% | Browser-based processing |
| RefundYourSOL | Server-assisted | 15% | Server involved in transaction construction |
| ReclaimSOL | Server-side | 12% | Heavy server dependency |
Conclusion
From a pure security standpoint, client-side tools have a smaller attack surface for Solana rent recovery. The trust model is simpler and the code is more transparent since it runs in your browser. However, server-assisted tools like RefundYourSOL have operated for years without known security incidents, demonstrating that a larger attack surface does not automatically mean a tool is unsafe.
When choosing a tool, consider the security model alongside other factors like fees, track record, and ease of use. For our full tool comparison, see our rent recovery tool analysis.
Disclosure: SolanaInfo is affiliated with SolRecover.io, one of the client-side tools discussed in this article.