Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Solana Funding Arb Cn

v1.0.1

Solana Funding Rate Arbitrage. Perpetual funding rate arbitrage. Monitor funding rates, find arb opportunities....

by Guohongbin (@guohongbin-git)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The skill's stated purpose (funding-rate arbitrage / auto-trader) matches the included code (auto-trader, DEX clients, transaction sending), so functionality is coherent. However the registry/metadata claims 'required env vars: none' and 'no install spec' while SKILL.md and many scripts clearly require wallet credentials, a ~/.secrets config, npm installation, and RPC keys — this mismatch is unexpected and reduces trustworthiness.
Instruction Scope
SKILL.md instructs the agent / user to read ~/.secrets/.env, create ~/.secrets/funding-arb-config.json, and write logs and state under ~/.clawd/funding-arb/. The runtime instructions also show running cron-runner.sh (which sources ~/.secrets/.env) and executing ts-node auto-trader that will sign and send Solana transactions. These actions are within the stated purpose but require access to sensitive local files (wallet key or keypair path) and will perform network I/O; there is no instruction or safeguard in the SKILL.md to prevent accidental use of a real private key without testing.
Install Mechanism
The skill is labeled 'instruction-only' (no install spec) but contains a full scripts/ Node project with package.json and package-lock. The Quick Start tells users to run 'cd scripts && npm install', but there is no formal install spec in the registry metadata. Cron-runner.sh and other scripts use 'npx ts-node ...' — if ts-node/npm dependencies are missing, npx could fetch packages at runtime from the registry (runtime remote fetch). The code relies on many npm packages (axios, express, optional @solana/web3.js, etc.), and the package-lock shows additional optional packages (including third-party clients). This combination increases the attack surface if users follow cron directives without first auditing and installing dependencies in a controlled environment.
Credentials
SKILL.md and USER_GUIDE require highly sensitive items (SOLANA_PRIVATE_KEY or path to keypair file, and optional RPC API keys). Those are proportionate to a live auto-trading bot, but the registry metadata claimed 'Required env vars: none' — a clear inconsistency. The skill will ask for secrets that grant full authority to sign transactions; the SKILL.md recommends storing a raw private key in an .env file which is risky. There are no additional unrelated credentials requested, but the presence of wallet private keys is extremely sensitive and must be minimized / isolated.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It instructs users how to add a crontab entry to run every 4 hours and writes persistent state to ~/.clawd/funding-arb/ (positions.json, logs, trader-state.json). That behavior is expected for a continuous trading bot, but it does create ongoing background activity if the user follows the cron instructions. The skill does not request system-wide privileges or modify other skills' configs in the provided files.
What to consider before installing
Key points to consider before installing or running this skill:

  • Source verification: The skill's Source/Homepage are missing or 'unknown' while the codebase is non-trivial. Prefer code from a known/reputable repository and author. Review the repository origin and commit history before trusting it.
  • Private keys are required for live trading: The SKILL.md directs you to provide SOLANA_PRIVATE_KEY or a keypair path. Never provide your main wallet private key. If you want to test, create a dedicated wallet with minimal funds and/or use a read-only keypair path or hardware signer that does not expose raw keys.
  • Metadata mismatch: The registry metadata lists no required env vars or install steps, but the runtime clearly needs npm install, ts-node, and wallet credentials. Treat the metadata as untrustworthy and follow the code + README instead — after auditing them.
  • Audit the code that signs/transmits transactions: auto-trader.ts and sendTransaction() call connection.sendRawTransaction() after signing with the provided wallet. Inspect these files (and any HTTP/network clients) for unexpected external endpoints, logging of private keys, or code that transmits files/credentials off-host. I saw no obvious exfiltration endpoints in the supplied snippets, but you should search for axios/post/fetch calls or hardcoded URLs before running.
  • Installation & runtime safety: Run 'npm install' in an isolated environment (container, VM) and inspect package-lock.json for unexpected packages. Avoid allowing 'npx' to auto-download runtime packages unattended — ensure dependencies are installed locally (npm ci) and don't rely on npx to fetch at cron time.
  • Use dry-run and small limits first: Start with dry_run: true and tiny max_position_usd, run 'npm run trade:dry' and monitor behavior. Do not enable auto_execute or set dry_run false until you've validated behavior for several days.
  • Protect secrets and filesystem: Store .env and keypair files in a secure location, add them to .gitignore, and restrict filesystem permissions. Prefer using SOLANA_KEYPAIR_PATH pointing to a file with strict permissions rather than embedding raw private keys in environment variables.
  • Operational suggestions: Review cron-runner.sh; the script sources ~/.secrets/.env and runs npx ts-node. Modify it to run only after manual verification, and replace the npx invocation with a fully installed binary or a wrapper script that uses an installed ts-node / built JS artefact. Consider running the bot inside a dedicated container/VM with limited network access and small funds.
  • If you are not comfortable auditing Node code and crypto transaction signing, do not run live trading. At minimum, run in a sandbox, review all network calls in the codebase, and consider third-party audits before trusting it with funds.
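A small audit helper that does the search the points above ask for (added here; it is not part of the skill or of the scan): it walks a scripts/ tree and flags outbound network calls, hardcoded URLs, npx invocations that could fetch packages at runtime, and lines where a private-key identifier is passed to a logger. The rule regexes and the sample source lines are constructed for illustration.

```typescript
// Added audit helper, not part of the skill: flags the things the review
// above says to check in scripts/ before running anything: outbound network
// calls, hardcoded URLs, npx runtime fetches, and secrets passed to loggers.
import * as fs from "fs";
import * as path from "path";
interface Finding { file: string; line: number; rule: string; text: string; }

// Each rule is a regex applied per source line. "secret-in-log" only fires when
// a key identifier and a logging call share a line, to keep noise down.
const RULES: Array<[string, RegExp]> = [
  ["network-call", /\b(axios\.(get|post|put|request)|fetch\(|https?\.request)/],
  ["hardcoded-url", /https?:\/\/[^\s"'`]+/],
  ["runtime-fetch", /\bnpx\s+/],
  ["secret-in-log", /(console\.(log|error|warn|info)|logger\.\w+)\([^)]*(PRIVATE_KEY|secretKey|keypair)/i],
];

function scanSource(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const [rule, re] of RULES) {
      if (re.test(text)) findings.push({ file, line: i + 1, rule, text: text.trim() });
    }
  });
  return findings;
}

// Recursively scan .ts/.js/.sh files under dir, skipping node_modules.
function scanDir(dir: string): Finding[] {
  let out: Finding[] = [];
  for (const name of fs.readdirSync(dir)) {
    const p = path.join(dir, name);
    if (fs.statSync(p).isDirectory()) {
      if (name !== "node_modules") out = out.concat(scanDir(p));
    } else if (/\.(ts|js|sh)$/.test(name)) {
      out = out.concat(scanSource(p, fs.readFileSync(p, "utf8")));
    }
  }
  return out;
}

// Constructed sample standing in for a source file; not taken from the skill.
const SAMPLE = [
  'const res = await axios.post("https://example.invalid/report", body);',
  'console.log("wallet", process.env.SOLANA_PRIVATE_KEY);',
  "const spread = high - low;",
].join("\n");

// Usage: ts-node audit.ts scripts/   (falls back to the sample when no dir is given)
const target = process.argv[2];
const results = target && fs.existsSync(target) ? scanDir(target) : scanSource("sample.ts", SAMPLE);
for (const f of results) console.log(`${f.file}:${f.line} [${f.rule}] ${f.text}`);
```

Every hit is something to read by hand, not proof of a problem; a URL for a DEX API is expected, a URL nobody can explain is not.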

Runtime requirements

Clawdis

SKILL.md

Solana Funding Rate Arbitrage (v2.0)

Automated funding rate arbitrage bot for Solana perpetual DEXes.

🔥 What's New in v2.0

  • Auto-Trading: Fully automated position management
  • Multi-DEX Support: Drift Protocol + Flash Trade
  • Position Manager: Track PnL and funding collected
  • Risk Management: Stop-loss, max DD, auto-rebalancing
  • Cron Integration: Scheduled rate checks

Supported DEXes

DEX             Markets  Trading     Data Source
Drift Protocol  64       ✅ Full     Direct API
Flash Trade     19       🔶 DRY_RUN  CoinGecko

Strategy Options

Strategy      Leverage  Win Rate  APY   Max Drawdown
Ultra Safe    1x        96%       126%  2%
Conservative  1.5x      89%       203%  4%
Moderate      2.5x      85%       411%  9%

Quick Start

cd scripts && npm install

# 1. Scan funding rates (no trading)
npm run trade:scan

# 2. Check position status
npm run trade:status

# 3. Run in DRY_RUN mode (simulated)
npm run trade:dry

# 4. Run live trading (requires wallet)
npm run trade

# Other commands
npm run scan        # Basic rate scanner
npm run dashboard   # Web dashboard (:3456)
npm run monte-carlo # Risk simulations

Configuration

Config file: ~/.secrets/funding-arb-config.json

{
  "strategy": "ultra_safe",
  "max_position_pct": 50,
  "min_spread": 0.5,
  "max_dd_pct": 2,
  "auto_execute": true,
  "dry_run": true,
  "leverage": 1,
  "check_interval_hours": 4,
  "min_apy_threshold": 100,
  "max_position_usd": 100,
  "notification": {
    "telegram": true,
    "on_open": true,
    "on_close": true,
    "on_funding": true
  },
  "risk": {
    "max_positions": 2,
    "stop_loss_pct": 2,
    "take_profit_pct": null,
    "auto_rebalance": true,
    "rebalance_threshold": 0.3
  }
}

Environment Variables

Create .env in scripts directory or ~/.secrets/.env:

# Required for live trading
SOLANA_PRIVATE_KEY=[1,2,3,...]  # Or use wallet file
SOLANA_WALLET_PATH=/path/to/wallet.json

# Optional
SOLANA_RPC_URL=https://mainnet.helius-rpc.com/?api-key=YOUR_KEY
DEBUG=true  # Verbose logging

Cron Setup

Run every 4 hours:

# Add to crontab -e
0 */4 * * * ~/clawd/skills/solana-funding-arb/scripts/cron-runner.sh

How It Works

  1. Scan: Compare funding rates on Drift vs Flash Trade
  2. Identify: Find pairs where one venue is paying and the other is receiving
  3. Execute:
    • Go LONG on exchange with negative rate (receive funding)
    • Go SHORT on exchange with positive rate (receive funding)
  4. Collect: Delta-neutral = collect funding from both sides
  5. Rebalance: Close when spread reverses or DD exceeded

Example Trade

SOL Funding Rates:
- Drift: -500% APY (longs receive)
- Flash: +800% APY (shorts receive)
- Spread: 1300% APY

Action:
→ LONG $50 SOL on Drift (receive 500% APY)
→ SHORT $50 SOL on Flash (receive 800% APY)
→ Net: Delta-neutral, collecting ~1300% APY in funding
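The leg selection from "How It Works" and the exit rule of step 5, worked with the "Example Trade" figures (an added example, not the skill's own auto-trader.ts). It generalizes slightly: the pair collects the difference between the two venues' rates even when both rates have the same sign, because funding at each venue is paid from one side to the other. It assumes that max_position_usd is the total notional split across both legs, which matches the $50 + $50 example against max_position_usd: 100.

```typescript
// Added example, not the skill's own code: the leg selection from
// "How It Works" and the exit rule of step 5, using the figures from
// "Example Trade". Rates are funding APYs in percent; a negative rate
// means the long side receives funding, a positive rate means shorts receive.

interface VenueRate {
  venue: string;
  market: string;
  fundingApy: number;
}

interface ArbPlan {
  market: string;
  longVenue: string;  // lower rate: long side receives (or pays less)
  shortVenue: string; // higher rate: short side receives
  spreadApy: number;  // net funding the delta-neutral pair collects, % APY
  legUsd: number;     // notional per leg
}

// Choose legs so the pair collects the spread between the two venues.
// Returns null when the spread is below minApy (min_apy_threshold).
// Assumption: maxPositionUsd is the total notional, split across both legs,
// which matches the $50 + $50 example against max_position_usd: 100.
function planArb(a: VenueRate, b: VenueRate, minApy: number, maxPositionUsd: number): ArbPlan | null {
  if (a.market !== b.market) throw new Error("rates must be for the same market");
  const [low, high] = a.fundingApy <= b.fundingApy ? [a, b] : [b, a];
  const spreadApy = high.fundingApy - low.fundingApy;
  if (spreadApy < minApy) return null;
  return { market: a.market, longVenue: low.venue, shortVenue: high.venue,
           spreadApy, legUsd: maxPositionUsd / 2 };
}

// Step 5: close when the spread has reversed (the short venue now pays less
// than the long venue) or the position drawdown exceeds max_dd_pct.
function shouldClose(longVenueApy: number, shortVenueApy: number,
                     drawdownPct: number, maxDdPct: number): boolean {
  const currentSpread = shortVenueApy - longVenueApy;
  return currentSpread <= 0 || drawdownPct > maxDdPct;
}

// Worked run with the "Example Trade" figures (constructed input).
const plan = planArb(
  { venue: "Drift", market: "SOL", fundingApy: -500 },
  { venue: "Flash", market: "SOL", fundingApy: 800 }, 100, 100);
console.log(plan); // longVenue Drift, shortVenue Flash, spreadApy 1300, legUsd 50
```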

Files

scripts/
├── src/trading/
│   ├── auto-trader.ts      # Main trading logic
│   ├── drift-client.ts     # Drift Protocol integration
│   ├── flash-client.ts     # Flash Trade integration
│   └── position-manager.ts # Position tracking
├── cron-runner.sh          # Cron wrapper script
└── ...

~/.clawd/funding-arb/
├── positions.json          # Current positions
├── history.json           # Trade history
├── trader-state.json      # Bot state
└── logs/                  # Cron logs

Risks

  ⚠️ Smart Contract Risk: DEX bugs, hacks
  ⚠️ Rate Reversal: 15-18% daily probability
  ⚠️ Execution Slippage: 0.2-0.4%
  ⚠️ Liquidation: Only with leverage >1x

Yield Comparison

Platform         APY   vs Ultra Safe
Ultra Safe (1x)  126%
US Bank (FDIC)   4.5%  28x less
Aave V3          2.5%  50x less
Marginfi         8.5%  15x less

Testing

  1. Start with dry_run: true (default)
  2. Run npm run trade:scan to verify opportunities
  3. Run npm run trade:dry to test execution flow
  4. When ready, set dry_run: false and max_position_usd: 10
  5. Monitor logs at ~/.clawd/funding-arb/logs/
