EAS_POLICY
Require the transaction sender to hold a valid EAS attestation under a specified schema. The KYC/KYB enforcement gate.
Gates a transaction on whether the sender holds a valid (non-expired, non-revoked) attestation issued under a specific EAS schema. The canonical primitive for KYC, KYB, accreditation, and any credential-based gate. Resolves attestations through the EAS precompile so lookups stay cheap during AnteHandler evaluation.
Solidity struct + ABI
From IPcl.sol:
```solidity
struct EasPolicy {
    address easContract;   // EAS deployment to query
    address indexContract; // EAS Indexer (powers O(1) reverse lookups)
    bytes32 schemaUid;     // schema the sender must have an attestation under
}
```
ABI tuple shorthand: (address easContract, address indexContract, bytes32 schemaUid).
Encode for PolicySet.policy:
```solidity
EasPolicy memory ep = EasPolicy({
    easContract: 0x1000000000000000000000000000000000000007,   // EAS preinstall
    indexContract: 0x1000000000000000000000000000000000000008, // EAS Indexer preinstall
    schemaUid: 0xabcd... // your KYC schema UID
});
bytes memory policyBytes = abi.encode(ep);
// PolicySet.templateId = "EAS_POLICY"
```
The easContract and indexContract addresses are typically the canonical Maroo preinstalls — you can resolve them at deploy time via the EAS precompile's getParams() instead of hard-coding.
Evaluation
For each transaction, PCL:
1. Looks up attestations issued to sender under schemaUid via the EAS Indexer.
2. Rejects if no attestation has ever been received: EasNoAttestationReceived(sender).
3. For each found UID, fetches the attestation and validates it:
   - revoked? → EasAttestationRevoked(sender)
   - expired (expirationTime != 0 && expirationTime <= now)? → EasAttestationExpired(sender)
   - lookup fails? → EasAttestationLookupFailed(sender)
4. If at least one valid attestation exists → admit. Otherwise → EasAttestationRequired(sender).
ReasonCodes on rejection
- EasAttestationRequired(address sender) — generic catch-all; the user has no valid attestation and must obtain one.
- EasNoAttestationReceived(address sender) — the user has never received any attestation under this schema.
- EasAttestationRevoked(address sender) — they had one, but it was revoked.
- EasAttestationExpired(address sender) — they had one, but it has expired.
- EasAttestationLookupFailed(address sender) — internal error reading the attestation; treat as transient.
Wallet UX: route the user to the appropriate KYC/KYB onboarding partner. Once a fresh attestation lands on-chain, the same transaction succeeds.
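The evaluation steps and ReasonCodes above, modeled as an added Go example (not Maroo's PCL code) to show the expiry boundary and the "one valid attestation is enough" rule. The Attestation type, Classify and Evaluate are hypothetical names and the sample records are constructed; it assumes a non-zero revocation time marks a revoked attestation, as in EAS, and that EasAttestationRequired is the overall code when attestations exist but none is valid.

```go
package main

import "fmt"

// Attestation: hypothetical trimmed EAS record (assumption: RevocationTime != 0 means revoked).
type Attestation struct {
	UID            string
	ExpirationTime uint64 // unix seconds; 0 = never expires
	RevocationTime uint64 // unix seconds; 0 = not revoked
	LookupFailed   bool   // models a failed fetch of this UID
}

// Classify returns "" for a valid attestation, else the per-attestation ReasonCode.
func Classify(a Attestation, now uint64) string {
	switch {
	case a.LookupFailed: // nothing to inspect, so checked first
		return "EasAttestationLookupFailed"
	case a.RevocationTime != 0:
		return "EasAttestationRevoked"
	case a.ExpirationTime != 0 && a.ExpirationTime <= now:
		return "EasAttestationExpired"
	}
	return ""
}

// Evaluate mirrors steps 2-4: one valid attestation is enough to admit.
// findings keeps the per-UID codes; the overall code is this example's reading of step 4.
func Evaluate(atts []Attestation, now uint64) (admit bool, reason string, findings []string) {
	if len(atts) == 0 {
		return false, "EasNoAttestationReceived", nil
	}
	for _, a := range atts {
		code := Classify(a, now)
		if code == "" {
			return true, "", findings
		}
		findings = append(findings, a.UID+": "+code)
	}
	return false, "EasAttestationRequired", findings
}

func main() {
	atts := []Attestation{ // constructed sample data
		{UID: "0x01", RevocationTime: 1699000000},
		{UID: "0x02", ExpirationTime: 1700000000}, // expires exactly at now: invalid
		{UID: "0x03"}, // no expiry, not revoked
	}
	fmt.Println(Evaluate(atts, 1700000000)) // constructed block time
}
```

A sender with a revoked and an expired attestation is still admitted once a third, valid one exists, which is why a wallet should surface the per-attestation findings only when the overall result is a rejection.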
Typical usage
- KYC gate at the global level (GlobalPolicyConfig): "only KYC-attested accounts may use the regulated path".
- Higher-tier features: a ContractPolicyConfig requiring an institutional KYB schema for DeFi pool access.
- Tiered models: combine with OKRW_EAS_TRANSFER_LIMIT_POLICY so un-attested users get small limits and attested users get larger ones — typically more useful than a hard yes/no gate.