ERC-7303: Token-Controlled Token Circulation
Access control scheme based on token ownership.
Abstract
This ERC introduces an access control scheme termed Token-Controlled Token Circulation (TCTC). By representing the privileges associated with a role as an ERC-721 or ERC-1155 token (referred to as a control token
), the processes of granting or revoking a role can be facilitated through the minting or burning of the corresponding control token
.
Motivation
There are numerous methods to implement access control for privileged actions. A commonly utilized pattern is "role-based" access control as specified in ERC-5982. This method, however, necessitates the use of an off-chain management tool to grant or revoke required roles through its interface. Additionally, as many wallets lack a user interface that displays the privileges granted by a role, users are often unable to comprehend the status of their privileges through the wallet.
Use Cases
This ERC is applicable in many scenarios where role-based access control as described in ERC-5982 is used. Specific use cases include:
Mint/Burn Permission:
In applications that circulate items such as tickets, coupons, membership cards, and site access rights as tokens, it is necessary to provide the system administrator with the authority to mint or burn these tokens. These permissions can be realized as control tokens
in this scheme.
Transfer Permission:
In some situations within these applications, it may be desirable to limit the ability to transfer tokens to specific agencies. In these cases, an agency certificate is issued as a control token
. The ownership of this control token
then provides the means to regulate token transfers.
Address Verification:
Many applications require address verification to prevent errors in the recipient's address when minting or transferring target tokens. A control token
is issued as proof of address verification to users, which is required by the recipient when a mint or transfer transaction is executed, thus preventing misdeliveries. In some instances, this control token
for address verification may be issued by a government agency or specific company after an identity verification process.
Specification
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 and RFC 8174.
- Smart contracts implementing the ERC-7303 standard MUST represent the privilege required by the role as an ERC-721 token or ERC-1155 token. The tokens that represent privileges are called
control tokens
in this ERC. Thecontrol token
can be any type of token, and its transactions may be recursively controlled by anothercontrol token
. - To associate the required
control token
with the role, the address of the previously deployed contract for thecontrol token
MUST be used. - To ascertain whether an account possesses the necessary role, it SHOULD be confirmed that the balance of the
control token
exceeds 0, utilizing thebalanceOf
method defined in ERC-721 or ERC-1155. Note that thetypeId
must be specified if an ERC-1155 token is used for thebalanceOf
method. - To grant a role to an account, a
control token
representing the privilege SHOULD be minted to the account usingsafeMint
method defined in ERC-5679. - To revoke a role from an account, the
control token
representing the privilege SHOULD be burned using theburn
method defined in ERC-5679. - A role in a compliant smart contract is represented in the format of
bytes32
. It's RECOMMENDED the value of such role is computed as akeccak256
hash of a string of the role name, in this format:bytes32 role = keccak256("<role_name>")
such asbytes32 role = keccak256("MINTER")
.
Rationale
The choice to utilize ERC-721 or ERC-1155 token as the control token for privileges enhances visibility of such privileges within wallets, thus simplifying privilege management for users.
Generally, when realizing privileges as tokens, specifications like Soulbound Token (e.g., ERC-5192) are used. Given that ERC-5192 inherits from ERC-721, this ERC has choiced ERC-721 as the requirement for the control token.
Employing a transferable control token can cater to scenarios where role delegation is necessary. For example, when an authority within an organization is replaced or on vacation, the ability to transfer their privileges to another member becomes possible. The decision to designate the control token as transferable will depend on the specific needs of the application.
Backwards Compatibility
This ERC is designed to be compatible for ERC-721, ERC-1155, and ERC-5679 respectively.
Reference Implementation
ERC-7303 provides a modifier to facilitate the implementation of TCTC access control in applications. This modifier checks if an account possesses the necessary role. ERC-7303 also includes a function that grants a specific role to a designated account.
The following is a simple example of utilizing ERC7303
within an ERC-721 token to define "minter" and "burner" roles. Accounts possessing these roles are allowed to create new tokens and destroy existing tokens, facilitated by specifying ERC-721 or ERC-1155 control tokens:
Security Considerations
The security of tokens subject to circulation depends significantly on the security of the control tokens. Careful consideration must be given to the settings regarding the administrative privileges, mint/transfer/burn permissions, and the possibility of contract updates of control tokens.
In particular, making control tokens transferable allows for flexible operations, such as the temporary delegation of administrative rights. However, it also raises the possibility that the rights to circulate tokens could fall into the hands of inappropriate third parties. Therefore, control tokens should generally be made non-transferable. If control tokens are to be made transferable, at the very least, the authority to burn these tokens should be retained by a trusted administrator.
Copyright
Copyright and related rights waived via CC0.