What is ERC3643 on Solana?
ERC-3643 là tiêu chuẩn token Ethereum được thiết kế riêng cho việc tuân thủ quy định (KYC, AML, v.v.) và phát hành token có phân quyền. Giống như ERC-20, nó phác thảo chức năng cốt lõi của các token khả thay thế nhưng đảm bảo rằng các yêu cầu tuân thủ thiết yếu có thể được thực thi onchain.
Key Characteristics
- Eligibility Verification: The token contract verifies whether both the holder and the recipient have completed KYC (or AML) checks before allowing a transfer.
- Regulatory Compliance: Implementing features such as whitelists/blacklists, investor-count or jurisdictional limits, and other rules at the smart contract level.
- Enforcement & Control: If an unauthorized transfer is attempted, the contract blocks it, and issuers can forcibly transfer or burn tokens to fulfill real-world regulatory obligations.
Token Extensions
Solana's Token Extensions (also referred to as Token-2022) are a set of enhancements to Solana's native SPL Token program, introducing built-in support for advanced token features without requiring new standalone contracts. The motivation for Token Extensions was to provide a more flexible, extensible token standard that caters to complex and regulated use cases, all while avoiding the fragmentation seen in ecosystems with many bespoke token contracts.
Key Features (You can check other features here)
- Transfer Hooks: Cho phép logic onchain tùy chỉnh (thực thi phí bản quyền, kiểm tra tuân thủ theo thời gian thực) chạy bất cứ khi nào token được chuyển.
- Confidential Transfers: Hides the transfer amount from the public, preserving user privacy while allowing authorized parties (e.g., auditors) to access the data if needed.
- Transfer Fees: Automatically deducts a specified fee (or tax) during each transfer and routes it to a designated recipient address.
- Permanent Delegates: Grants a special authority unlimited privileges to override or reclaim tokens, enabling administrative actions like forced transfers and burns.
What Does a Token Extension Program for ERC3643 Look Like?
Below is a Solidity-style pseudocode that illustrates how key features of Solana's Token Extensions, such as KYC enforcement, account freezing, transfer hooks, and permanent delegate functionality could be conceptually represented in an Ethereum-like contract.
Additionally, this code builds on SPL-20 (the standard Solana token program, SPL-Token) and layers the Token Extension functionality on top of it using Solidity syntax. If you'd like to review the baseline Solana token program (SPL-Token), please refer to this link.
pragma solidity ^0.8.28;
interface ISpl20 {
function transfer(address to, address mintAddress, uint256 amount) external;
function getTokenAccount(address owner, address token) external view returns (uint256 balance, bool isFrozen);
function mintTokens(address to, address mintAddress, uint256 amount) external;
}
contract SPL3643 {
ISpl20 public immutable spl20;
address public immutable mintAddress;
mapping(address => bool) public isKYCApproved;
mapping(address => bool) public frozen;
address public complianceAuthority;
address public transferHookProgram;
event KYCApproved(address indexed user, bool status);
event AccountFrozen(address indexed user, bool status);
event TransferHookSet(address indexed hookProgram);
event ForcedTransfer(address indexed from, address indexed to, uint256 value);
event Transfer(address indexed from, address indexed to, uint256 value);
constructor(address _spl20, address _mint, address authority) {
spl20 = ISpl20(_spl20);
mintAddress = _mint;
complianceAuthority = authority;
}
modifier onlyComplianceAuth() {
require(msg.sender == complianceAuthority, "not compliance auth");
_;
}
function approveKYC(address user, bool approved) external onlyComplianceAuth {
isKYCApproved[user] = approved;
emit KYCApproved(user, approved);
}
function freezeAccount(address user, bool freeze) external onlyComplianceAuth {
frozen[user] = freeze;
emit AccountFrozen(user, freeze);
}
function setTransferHook(address hookProgram) external onlyComplianceAuth {
transferHookProgram = hookProgram;
emit TransferHookSet(hookProgram);
}
function setComplianceAuthority(address newAuthority) external onlyComplianceAuth {
complianceAuthority = newAuthority;
}
function transfer(address to, uint256 amount) external {
require(!frozen[msg.sender] && !frozen[to], "account frozen");
require(isKYCApproved[msg.sender] && isKYCApproved[to], "KYC required");
if (transferHookProgram != address(0)) {
bool ok = ITransferHook(transferHookProgram).onTransfer(msg.sender, to, amount);
require(ok, "blocked by hook");
}
spl20.transfer(to, mintAddress, amount);
emit Transfer(msg.sender, to, amount);
}
function forceTransfer(address from, address to, uint256 amount) external onlyComplianceAuth {
// temporarily unfreeze to bypass Spl20.transfer require(msg.sender == owner)
frozen[from] = false;
spl20.transfer(to, mintAddress, amount);
frozen[from] = true;
emit ForcedTransfer(from, to, amount);
}
}
interface ITransferHook {
function onTransfer(address from, address to, uint256 amount) external returns (bool);
}
KYC Whitelisting
The isKYCApproved mapping ensures that only KYC-verified users can send or receive tokens. Before a transfer proceeds, both the sender and recipient must be flagged as approved. This mimics Solana's capability to restrict transfers to verified identities via identity-gated token accounts or transfer hooks configured at the mint level.
Freeze Enforcement
The frozen mapping lets the compliance authority lock any account from sending or receiving tokens. In Solana, token accounts can be frozen either by a freeze authority, a native feature that provides immediate enforcement without contract logic.
Transfer Hook
The transferHookProgram variable represents an external contract that implements custom logic. It is called during each token transfer, allowing dynamic enforcement like:
- Rejecting transfers over a certain size
- Charging royalties
- Checking external allowlists or oracles
Extension Transfer Hook của Solana thực hiện chức năng này ở tầng giao thức, mang đến cho các nhà phát triển khả năng kiểm soát onchain mạnh mẽ đối với các giao dịch chuyển mà không yêu cầu triển khai hợp đồng tùy chỉnh.
Permanent Delegate (Override Authority)
The complianceAuthority has the power to forcibly transfer tokens between any two addresses. This is comparable to Solana's Permanent Delegate feature, which allows authorized entities to bypass user permissions in regulated contexts as required, for example, to comply with legal orders or reclaim tokens during fraud mitigation.
How to do ERC3643 on Solana
1. Conceptual Map
| ERC-3643 Feature | Token-2022 Counterpart / Actor |
|---|---|
| KYC whitelist | Custom transfer-hook program |
| Account freeze | freeze_authority |
| Force / claw-back transfer | permanent_delegate::transfer |
| On-transfer custom logic | Transfer-hook callback (execute) |
| Compliance admin | PDA signer or multisig that owns the mint |
2. End-to-End Call Flow (simplified)
User → Token‑2022 (transfer) ↘
Transfer Hook (KYC check) → OK / ERR
↘
Token‑2022 (actual balance change)
Một giao dịch Solana đơn lẻ chứa cả lệnh token và lệnh gọi hook. Nếu hook trả về lỗi, toàn bộ giao dịch sẽ được hoàn tác - phản ánh cơ chế thực thi onchain của ERC-3643.
3. Minimal Transfer-Hook Program
This program adds a KYC gate to any Token 2022 mint. During setup the one-time init_meta instruction creates the extra_account_meta_list PDA whose fixed seeds bind it to the mint, stores the whitelist PDA inside that list, and immediately inserts the initializer (payer) into whitelist.allowed. That means the mint authority can move the first tokens without an extra whitelist update call. Later, whenever someone calls transfer_checked, the Token 2022 program CPI-invokes the hook's execute function, passing the five fixed accounts (source token, mint, destination token, owner, meta list) plus the forwarded whitelist PDA. The hook checks that the owners of both token accounts appear in whitelist.allowed; if either is missing it raises SrcNotAllowed or DstNotAllowed, rolling back the whole transaction, otherwise it returns Ok(()) and the transfer finalizes. All other administrative powers such as freezing, claw back, and supply changes remain with the mint's native authorities, so roughly ninety lines of code deliver ERC 3643 style compliance without breaking standard SPL tooling or wallet UX.
// programs/kyc_hook/src/lib.rs
use anchor_lang::prelude::*;
use anchor_spl::token_interface::{Mint, TokenAccount, TokenInterface};
use spl_tlv_account_resolution::{seeds::Seed, state::*};
use spl_transfer_hook_interface::instruction::TransferHookInstruction;
declare_id!("KycHook1111111111111111111111111111111111111");
#[program]
pub mod kyc_hook {
use super::*;
/// One-time initializer: create extra_account_meta_list PDA,
/// register the whitelist PDA, and automatically whitelist the payer.
#[interface(spl_transfer_hook_interface::initialize_extra_account_meta_list)]
pub fn init_meta(ctx: Context<InitMeta>) -> Result<()> {
/* -- 1. Seed the whitelist with the payer / mint authority -- */
let wl = &mut ctx.accounts.whitelist;
let payer_key = ctx.accounts.payer.key();
if !wl.allowed.contains(&payer_key) {
wl.allowed.push(payer_key);
}
/* -- 2. Build ExtraAccountMeta so Token-2022 forwards whitelist -- */
let metas = vec![ExtraAccountMeta::new_with_pubkey(
&ctx.accounts.whitelist.key(),
/* is_signer */ false,
/* is_writable*/ true,
)?];
/* -- 3. Create extra_account_meta_list PDA -- */
let size = ExtraAccountMetaList::size_of(metas.len())? as u64;
let lamports = Rent::get()?.minimum_balance(size as usize);
let seeds = &[
b"extra-account-metas",
ctx.accounts.mint.key().as_ref(),
&[ctx.bumps.extra_metas],
];
anchor_lang::system_program::create_account(
CpiContext::new_with_signer(
ctx.accounts.system_program.to_account_info(),
anchor_lang::system_program::CreateAccount {
from: ctx.accounts.payer.to_account_info(),
to: ctx.accounts.extra_metas.to_account_info(),
},
&[seeds],
),
lamports,
size,
ctx.program_id,
)?;
/* -- 4. Initialise TLV data inside the PDA -- */
ExtraAccountMetaList::init::<TransferHookInstruction>(
&mut ctx.accounts.extra_metas.try_borrow_mut_data()?,
&metas,
)?;
Ok(())
}
/// Called automatically on every Token-2022 transfer.
#[interface(spl_transfer_hook_interface::execute)]
pub fn execute(ctx: Context<Hook>, _amount: u64) -> Result<()> {
let wl = &ctx.accounts.whitelist;
let src = ctx.accounts.source_token.owner;
let dst = ctx.accounts.dest_token.owner;
require!(wl.allowed.contains(&src), ComplianceError::SrcNotAllowed);
require!(wl.allowed.contains(&dst), ComplianceError::DstNotAllowed);
Ok(())
}
}
/* ---------------- Data & account structs ---------------- */
#[account] // simple demo whitelist
pub struct Whitelist {
pub allowed: Vec<Pubkey>,
}
/* init_meta accounts */
#[derive(Accounts)]
pub struct InitMeta<'info> {
#[account(mut)]
payer: Signer<'info>,
/// CHECK: PDA = ["extra-account-metas", mint]
#[account(mut, seeds = [b"extra-account-metas", mint.key().as_ref()], bump)]
extra_metas: AccountInfo<'info>,
/// CHECK: verified by interface macro
#[account(mut)]
mint: InterfaceAccount<'info, Mint>,
#[account(mut)]
whitelist: Account<'info, Whitelist>,
system_program: Program<'info, System>,
}
/* execute accounts (fixed order!) */
#[derive(Accounts)]
pub struct Hook<'info> {
// 0 source token
#[account(token::mint = mint, token::authority = owner)]
source_token: InterfaceAccount<'info, TokenAccount>,
// 1 mint
mint: InterfaceAccount<'info, Mint>,
// 2 destination token
#[account(token::mint = mint)]
dest_token: InterfaceAccount<'info, TokenAccount>,
// 3 owner (source wallet)
/// CHECK:
owner: UncheckedAccount<'info>,
// 4 extra_account_meta_list
/// CHECK:
#[account(seeds = [b"extra-account-metas", mint.key().as_ref()], bump)]
extra_account_meta_list: UncheckedAccount<'info>,
// 5 whitelist (forwarded via meta list)
whitelist: Account<'info, Whitelist>,
}
#[error_code]
pub enum ComplianceError {
#[msg("source wallet not allowed")]
SrcNotAllowed,
#[msg("destination wallet not allowed")]
DstNotAllowed,
}
4. CLI Quickstart (Solana v1.18+, spl-token-cli v3.0.0+, Anchor v0.30+)
Đầu tiên bạn chọn một ví sẽ đóng vai trò quản trị viên tuân thủ và lưu pubkey của nó vào COMP_AUTH, sau đó tính trước PDA danh sách trắng mà bạn sẽ lưu trong hook và đặt tên là WL_PDA. Khi các khóa đã sẵn sàng, bạn biên dịch kyc_hook bằng lệnh anchor build và triển khai nó, ghi lại program-id vừa được in ra làm HOOK_ID. Tiếp theo, bạn tạo một mint Token-2022 hoàn toàn mới trỏ đến hook này bằng cách truyền --transfer-hook $HOOK_ID, đồng thời chỉ định ví quản trị là quyền freeze và claw-back; Solana in ra MINT_ADDRESS kết quả. Vì Token-2022 cần biết những tài khoản phụ nào cần truyền vào hook, bạn chạy ngay anchor run init-meta, lệnh này gọi hàm khởi tạo của hook và lưu WL_PDA vào danh sách extra-account-meta của mint. Bước này chỉ thực hiện một lần. Bây giờ mint đã được cài đặt KYC, bạn có thể tự do mint nguồn cung ban đầu cho chính mình; hook không được gọi trong các thao tác mint. Cuối cùng bạn chuyển token sang ví khác: tại thời điểm đó Token-2022 gọi hook, hook sẽ kiểm tra cả người gửi và người nhận so với danh sách trắng onchain. Nếu cả hai đều có trong danh sách, giao dịch chuyển sẽ thành công; nếu thiếu một trong hai, hook sẽ báo lỗi và toàn bộ giao dịch sẽ được hoàn tác, mang đến cho bạn cơ chế tuân thủ kiểu ERC-3643 trong một giao dịch Solana duy nhất.
# 0. Keys & PDAs
COMP_AUTH=$(solana address) # compliance admin key
WL_PDA=<derived whitelist PDA> # used in step 2
# 1. Build & deploy the hook
anchor build
solana program deploy target/deploy/kyc_hook.so # save as HOOK_ID
# 2. Create a KYC-enabled mint (Token-2022 CLI)
spl-token --program-id TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb create-token \
--transfer-hook $HOOK_ID \
--enable-permanent-delegate \
--freeze-authority $COMP_AUTH # returns MINT_ADDRESS
# 3. Initialize extra_account_meta_list (one-time)
anchor run init-meta -- --mint $MINT_ADDRESS --whitelist $WL_PDA
# 4. Mint & transfer
spl-token mint $MINT_ADDRESS 100 $(solana address) # minting bypasses hook
spl-token transfer $MINT_ADDRESS 10 <RECIPIENT> # hook executes, KYC enforced
