You've seen the structures. Now design the strongest one — a fully-backed, redeemable tokenized equity — at the level of authorities, mint logic, and key custody. This is the lesson where you could actually run the build review.
Why this, now? You asked to go deep, and this is the perfect specimen: SPCX is the gold-standard structure, and building it touches every concept in this course — permissioned tokens, the oracle problem, custody, the on/off-chain boundary, agent powers. If you can reason about this system's invariant and its keys, you can lead the team that builds Marketnode's equivalent.
The mental model: an equity-backed stablecoin
SPCX is structurally a reserve-backed token — the same pattern as USDC, except the reserve is SpaceX shares in a broker-dealer's custody instead of dollars in a bank.1 Everything in the design serves one invariant:
on-chain token supply ≡ shares held in regulated custody (always 1:1)
Mint only against deposited shares; burn only on redemption. If supply ever exceeds reserves, the token is fractionally backed and the whole product fails (the xStocks failure mode, Lesson 7). Protecting this invariant is the core engineering job.
Notice: the clever on-chain part is small; the off-chain custody, controller, KYC, and attestation are the bulk of the system — and every boundary arrow is a trust/integration point (Lesson 5).
The token design: Token-2022 extensions, mapped to what you know
Here is where your ERC-3643 knowledge transfers directly. Each Solana extension is a regulated-security control you already understand by another name:2
Token-2022 extension
What it enforces
ERC-3643 analog (Lesson 4)
Default Account State = Frozen
Every new account starts frozen; the issuer thaws it only after KYC. Non-whitelisted wallets simply cannot hold or move SPCX.3
Identity Registry / isVerified (WHO may hold)
Transfer Hook
Custom program runs on every transfer — enforce jurisdiction, lock-ups, caps; abort if a rule fails.
Compliance modules (WHETHER allowed)
Permanent Delegate
A mint-level authority that can transfer/burn from any account — clawback, forced transfer, lost-key recovery, OFAC.2
Agent powers: forced transfer / recovery
Mint & Freeze authority
Mint new SPCX (subscription), freeze a specific account (sanctions/dispute).
Agent powers: mint / burn / freeze
Metadata
On-chain ISIN, issuer, terms, links to disclosures.
(token metadata)
The whole permissioned-security pattern you learned on Ethereum exists on Solana — just assembled from program-level extensions rather than a suite of separate contracts. Same music, different instrument. (Caveat from Lesson 7: transfer hooks and confidential transfers don't compose, so SPCX trades privacy for the hook.)
The mint pipeline — defending the invariant
1 · Deposit
Broker-dealer buys SpaceX shares on-market and deposits them into a segregated custody account (so they're bankruptcy-remote for token holders).
2 · Attest
A proof-of-reserve feed publishes the custodied share count on-chain. This is the off-chain truth being bridged in — an oracle (Lesson 1), and the most trust-sensitive step.
3 · Secure mint
The controller mints SPCX only up to the attested reserve. Wiring a Proof-of-Reserve check into the mint logic (e.g. Chainlink PoR "Secure Mint") makes over-minting impossible, not just discouraged — it blocks the infinite-mint attack.4
4 · Deliver to a thawed account
Tokens go to the investor's KYC'd, thawed ATA. An unverified wallet's account is frozen by default and cannot receive them.
// The secure-mint guard, conceptuallyfn mint(amount) {
require(token.supply + amount <= proofOfReserve.custodied_shares); // ① invariantrequire(recipient.kyc_thawed); // ② WHO// only now token.mint_to(recipient, amount);
}
The redemption pipeline — "minting in reverse"
Redemption is what makes SPCX a claim, not a bet (Lesson 7). The holder burns SPCX; the broker-dealer delivers the real share via ACATS/DTCC, transferable to any standard brokerage.5 The hard part is atomicity across two worlds: the on-chain burn and the off-chain delivery aren't natively atomic, so you need a settlement protocol (escrow + attestation, or a Delivery-vs-Payment design) so a holder can't burn and get nothing — or get a share without burning.6
The keys: your crown jewels
Every power above is a key (Lesson 6). Whoever holds it can mint, freeze, or claw back SPCX. This is the highest-stakes part of the design:
Authority
Can do
Custody recommendation
Mint authority
Create new SPCX
MPC + policy engine; gated by the PoR check so even a compromised key can't over-mint beyond reserves
Permanent Delegate
Move/burn from any account (clawback)
The most dangerous key — multisig + timelock; named, accountable, audited use only
Freeze authority
Freeze/thaw accounts
Operational (KYC ops); MPC with approval policy
Hook / upgrade authority
Change compliance logic
Multisig + timelock (the upgrade-key risk, Lesson 6)
The architect's nightmare, named: a leaked Permanent Delegate key lets an attacker drain every holder's tokens. The PoR-gated mint is elegant precisely because it makes the mint key safe-by-design — it can't break the invariant even if stolen. Ask of every authority: "what's the worst this key can do, and what structurally limits it?"
The Marketnode lens & interview angles
Backing is an invariant, not a label. The engineering that matters is the supply≡reserves guard and the proof-of-reserve feed. That's the credibility difference between SPCX and a product that "never arrived."
Solana ≠ a different planet. Your team's ERC-3643 knowledge ports to Token-2022 extensions almost concept-for-concept. Hire for the model, not the syntax.
Interview probe (senior): "How do you guarantee a tokenized-equity issuer can never mint more tokens than shares it holds?" Listen for proof-of-reserve wired into mint logic, segregated custody, and independent attestation — not "we'll reconcile nightly."
Interview probe (security): "Your token has a permanent-delegate/clawback key. Justify it to a regulator and secure it from an attacker." Tests both the compliance rationale and the key-governance instinct.
Retrieve it (don't peek)
From memory. Interleaves Lessons 1, 4, 6 & 7 — the whole course.
1. What is the single invariant the entire SPCX design exists to protect?
Correct. SPCX is a reserve-backed token: supply ≡ custodied shares, always 1:1. Break that and it's fractionally backed — the failure mode. Price tracks via arbitrage, but the invariant is supply-vs-reserves.
Reconsider. Price tracking is a market outcome, not the design invariant. The thing the architecture must guarantee is supply ≤ shares actually held in custody.
2. Which Token-2022 extension provides the clawback / forced-transfer power a regulator may require?
Correct. Permanent Delegate is a mint-level authority that can transfer/burn from any account — the Solana clawback/recovery primitive, equivalent to the ERC-3643 agent's forced-transfer power.
Reconsider. Default-frozen gates who can hold; the hook gates each transfer. The power to seize/move tokens from any account is the Permanent Delegate.
3. Why is wiring a proof-of-reserve check directly into the mint function so valuable?
Correct. It makes the mint key safe-by-design: minting is structurally capped at attested reserves, so over-minting (the infinite-mint attack) is impossible even if the key is compromised.
Reconsider. It doesn't replace custody, KYC, or solve redemption atomicity. Its power is making the invariant unbreakable: no mint beyond reserves, even with a stolen key.
I'm your teacher — ask me. Want me to design the redemption settlement protocol (the burn↔delivery atomicity problem) in detail, or draft the full senior-engineer interview script for someone who'd build this? Either is strong capstone material.