Tokens

This document is better viewed at https://docs.openzeppelin.com/confidential-contracts/api/token

This set of interfaces, contracts, and utilities are all related to ERC7984, an evolving confidential token standard. The standard utilizes the Zama fhEVM co-processor for manipulating FHE values. All amounts are stored on-chain as ciphertext handles (or pointers) to values stored on the co-processor.

  • ERC7984: Implementation of IERC7984.

  • ERC7984ERC20Wrapper: Extension of ERC7984 which wraps an ERC20 into a confidential token. The wrapper allows for free conversion in both directions at a fixed rate.

  • ERC7984Freezable: An extension for ERC7984, which allows accounts granted the "freezer" role to freeze and unfreeze tokens.

  • ERC7984ObserverAccess: An extension for ERC7984, which allows each account to add an observer who is given access to their transfer and balance amounts.

  • ERC7984Utils: A library that provides the on-transfer callback check used by ERC7984.

Core

ERC7984 

import "@openzeppelin/confidential-contracts/token/ERC7984/ERC7984.sol";

Reference implementation for IERC7984.

This contract implements a fungible token where balances and transfers are encrypted using the Zama fhEVM, providing confidentiality to users. Token amounts are stored as encrypted, unsigned integers (euint64) that can only be decrypted by authorized parties.

Key features:

  • All balances are encrypted

  • Transfers happen without revealing amounts

  • Support for operators (delegated transfer capabilities with time bounds)

  • Transfer and call pattern

  • Safe overflow/underflow handling for FHE operations

Functions

  • constructor(name_, symbol_, tokenURI_)

  • name()

  • symbol()

  • decimals()

  • tokenURI()

  • confidentialTotalSupply()

  • confidentialBalanceOf(account)

  • isOperator(holder, spender)

  • setOperator(operator, until)

  • confidentialTransfer(to, encryptedAmount, inputProof)

  • confidentialTransfer(to, amount)

  • confidentialTransferFrom(from, to, encryptedAmount, inputProof)

  • confidentialTransferFrom(from, to, amount)

  • confidentialTransferAndCall(to, encryptedAmount, inputProof, data)

  • confidentialTransferAndCall(to, amount, data)

  • confidentialTransferFromAndCall(from, to, encryptedAmount, inputProof, data)

  • confidentialTransferFromAndCall(from, to, amount, data)

  • discloseEncryptedAmount(encryptedAmount)

  • finalizeDiscloseEncryptedAmount(requestId, amount, signatures)

  • _setOperator(holder, operator, until)

  • _mint(to, amount)

  • _burn(from, amount)

  • _transfer(from, to, amount)

  • _transferAndCall(from, to, amount, data)

  • _update(from, to, amount)

Events
IERC7984

  • OperatorSet(holder, operator, until)

  • ConfidentialTransfer(from, to, amount)

  • AmountDisclosed(encryptedAmount, amount)

Errors

  • ERC7984InvalidReceiver(receiver)

  • ERC7984InvalidSender(sender)

  • ERC7984UnauthorizedSpender(holder, spender)

  • ERC7984ZeroBalance(holder)

  • ERC7984UnauthorizedUseOfEncryptedAmount(amount, user)

  • ERC7984UnauthorizedCaller(caller)

  • ERC7984InvalidGatewayRequest(requestId)

constructor(string name_, string symbol_, string tokenURI_) internal

name() → string public

Returns the name of the token.

symbol() → string public

Returns the symbol of the token.

decimals() → uint8 public

Returns the number of decimals of the token. Recommended to be 6.

tokenURI() → string public

Returns the token URI.

confidentialTotalSupply() → euint64 public

Returns the confidential total supply of the token.

confidentialBalanceOf(address account) → euint64 public

Returns the confidential balance of the account account.

isOperator(address holder, address spender) → bool public

Returns true if spender is currently an operator for holder.

setOperator(address operator, uint48 until) public

Sets operator as an operator for holder until the timestamp until.

An operator may transfer any amount of tokens on behalf of a holder while approved.

confidentialTransfer(address to, externalEuint64 encryptedAmount, bytes inputProof) → euint64 public

Transfers the encrypted amount encryptedAmount to to with the given input proof inputProof.

Returns the encrypted amount that was actually transferred.

confidentialTransfer(address to, euint64 amount) → euint64 public

Similar to confidentialTransfer but without an input proof. The caller must already be allowed by ACL for the given amount.

confidentialTransferFrom(address from, address to, externalEuint64 encryptedAmount, bytes inputProof) → euint64 transferred public

Transfers the encrypted amount encryptedAmount from from to to with the given input proof inputProof. msg.sender must be either from or an operator for from.

Returns the encrypted amount that was actually transferred.

confidentialTransferFrom(address from, address to, euint64 amount) → euint64 transferred public

Similar to confidentialTransferFrom but without an input proof. The caller must be already allowed by ACL for the given amount.

confidentialTransferAndCall(address to, externalEuint64 encryptedAmount, bytes inputProof, bytes data) → euint64 transferred public

Similar to confidentialTransfer but with a callback to to after the transfer.

The callback is made to the IERC7984Receiver.onConfidentialTransferReceived function on the to address with the actual transferred amount (may differ from the given encryptedAmount) and the given data data.

confidentialTransferAndCall(address to, euint64 amount, bytes data) → euint64 transferred public

Similar to confidentialTransfer but with a callback to to after the transfer.

confidentialTransferFromAndCall(address from, address to, externalEuint64 encryptedAmount, bytes inputProof, bytes data) → euint64 transferred public

Similar to confidentialTransferFrom but with a callback to to after the transfer.

confidentialTransferFromAndCall(address from, address to, euint64 amount, bytes data) → euint64 transferred public

Similar to confidentialTransferFrom but with a callback to to after the transfer.

discloseEncryptedAmount(euint64 encryptedAmount) public

Discloses an encrypted amount encryptedAmount publicly via an IERC7984.AmountDisclosed event. The caller and this contract must be authorized to use the encrypted amount on the ACL.

This is an asynchronous operation where the actual decryption happens off-chain and finalizeDiscloseEncryptedAmount is called with the result.

finalizeDiscloseEncryptedAmount(uint256 requestId, uint64 amount, bytes[] signatures) public

Finalizes a disclose encrypted amount request.

_setOperator(address holder, address operator, uint48 until) internal

_mint(address to, euint64 amount) → euint64 transferred internal

_burn(address from, euint64 amount) → euint64 transferred internal

_transfer(address from, address to, euint64 amount) → euint64 transferred internal

_transferAndCall(address from, address to, euint64 amount, bytes data) → euint64 transferred internal

_update(address from, address to, euint64 amount) → euint64 transferred internal

ERC7984InvalidReceiver(address receiver) error

The given receiver receiver is invalid for transfers.

ERC7984InvalidSender(address sender) error

The given sender sender is invalid for transfers.

ERC7984UnauthorizedSpender(address holder, address spender) error

The given holder holder is not authorized to spend on behalf of spender.

ERC7984ZeroBalance(address holder) error

The holder holder is trying to send tokens but has a balance of 0.

ERC7984UnauthorizedUseOfEncryptedAmount(euint64 amount, address user) error

The caller user does not have access to the encrypted amount amount.

Try using the equivalent transfer function with an input proof.

ERC7984UnauthorizedCaller(address caller) error

The given caller caller is not authorized for the current operation.

ERC7984InvalidGatewayRequest(uint256 requestId) error

The given gateway request ID requestId is invalid.

Extensions

ERC7984ERC20Wrapper 

import "@openzeppelin/confidential-contracts/token/ERC7984/extensions/ERC7984ERC20Wrapper.sol";

A wrapper contract built on top of ERC7984 that allows wrapping an ERC20 token into an ERC7984 token. The wrapper contract implements the IERC1363Receiver interface which allows users to transfer ERC1363 tokens directly to the wrapper with a callback to wrap the tokens.

Minting assumes the full amount of the underlying token transfer has been received, hence some non-standard tokens such as fee-on-transfer or other deflationary-type tokens are not supported by this wrapper.
Functions

  • constructor(underlying_)

  • decimals()

  • rate()

  • underlying()

  • onTransferReceived(, from, amount, data)

  • wrap(to, amount)

  • unwrap(from, to, amount)

  • unwrap(from, to, encryptedAmount, inputProof)

  • finalizeUnwrap(requestID, amount, signatures)

  • _unwrap(from, to, amount)

  • _fallbackUnderlyingDecimals()

  • _maxDecimals()

ERC7984

  • name()

  • symbol()

  • tokenURI()

  • confidentialTotalSupply()

  • confidentialBalanceOf(account)

  • isOperator(holder, spender)

  • setOperator(operator, until)

  • confidentialTransfer(to, encryptedAmount, inputProof)

  • confidentialTransfer(to, amount)

  • confidentialTransferFrom(from, to, encryptedAmount, inputProof)

  • confidentialTransferFrom(from, to, amount)

  • confidentialTransferAndCall(to, encryptedAmount, inputProof, data)

  • confidentialTransferAndCall(to, amount, data)

  • confidentialTransferFromAndCall(from, to, encryptedAmount, inputProof, data)

  • confidentialTransferFromAndCall(from, to, amount, data)

  • discloseEncryptedAmount(encryptedAmount)

  • finalizeDiscloseEncryptedAmount(requestId, amount, signatures)

  • _setOperator(holder, operator, until)

  • _mint(to, amount)

  • _burn(from, amount)

  • _transfer(from, to, amount)

  • _transferAndCall(from, to, amount, data)

  • _update(from, to, amount)

Events
IERC7984

  • OperatorSet(holder, operator, until)

  • ConfidentialTransfer(from, to, amount)

  • AmountDisclosed(encryptedAmount, amount)

Errors
ERC7984

  • ERC7984InvalidReceiver(receiver)

  • ERC7984InvalidSender(sender)

  • ERC7984UnauthorizedSpender(holder, spender)

  • ERC7984ZeroBalance(holder)

  • ERC7984UnauthorizedUseOfEncryptedAmount(amount, user)

  • ERC7984UnauthorizedCaller(caller)

  • ERC7984InvalidGatewayRequest(requestId)

constructor(contract IERC20 underlying_) internal

decimals() → uint8 public

Returns the number of decimals of the token. Recommended to be 6.

rate() → uint256 public

Returns the rate at which the underlying token is converted to the wrapped token. For example, if the rate is 1000, then 1000 units of the underlying token equal 1 unit of the wrapped token.

underlying() → contract IERC20 public

Returns the address of the underlying ERC-20 token that is being wrapped.

onTransferReceived(address, address from, uint256 amount, bytes data) → bytes4 public

ERC1363 callback function which wraps tokens to the address specified in data or the address from (if no address is specified in data). This function refunds any excess tokens sent beyond the nearest multiple of rate. See wrap from more details on wrapping tokens.

wrap(address to, uint256 amount) public

Wraps amount amount of the underlying token into a confidential token and sends it to to. Tokens are exchanged at a fixed rate specified by rate such that amount / rate() confidential tokens are sent. Amount transferred in is rounded down to the nearest multiple of rate.

unwrap(address from, address to, euint64 amount) public

Unwraps tokens from from and sends the underlying tokens to to. The caller must be from or be an approved operator for from. amount * rate() underlying tokens are sent to to.

This is an asynchronous function and waits for decryption to be completed off-chain before disbursing tokens. NOTE: The caller must already be approved by ACL for the given amount.

unwrap(address from, address to, externalEuint64 encryptedAmount, bytes inputProof) public

Variant of unwrap that passes an inputProof which approves the caller for the encryptedAmount in the ACL.

finalizeUnwrap(uint256 requestID, uint64 amount, bytes[] signatures) public

Fills an unwrap request for a given request id related to a decrypted unwrap amount.

_unwrap(address from, address to, euint64 amount) internal

_fallbackUnderlyingDecimals() → uint8 internal

Returns the default number of decimals of the underlying ERC-20 token that is being wrapped. Used as a default fallback when {_tryGetAssetDecimals} fails to fetch decimals of the underlying ERC-20 token.

_maxDecimals() → uint8 internal

Returns the maximum number that will be used for decimals by the wrapper.

ERC7984Freezable 

import "@openzeppelin/confidential-contracts/token/ERC7984/extensions/ERC7984Freezable.sol";

Extension of ERC7984 that implements a confidential freezing mechanism that can be managed by an authorized account with setConfidentialFrozen functions.

The freezing mechanism provides the guarantee to the contract owner (e.g. a DAO or a well-configured multisig) that a specific confidential amount of tokens held by an account won’t be transferable until those tokens are unfrozen.

Inspired by https://github.com/OpenZeppelin/openzeppelin-community-contracts/blob/master/contracts/token/ERC20/extensions/ERC20Freezable.sol

Functions

  • confidentialFrozen(account)

  • confidentialAvailable(account)

  • setConfidentialFrozen(account, encryptedAmount, inputProof)

  • setConfidentialFrozen(account, encryptedAmount)

  • _setConfidentialFrozen(account, encryptedAmount)

  • _checkFreezer()

  • _update(from, to, encryptedAmount)

ERC7984

  • name()

  • symbol()

  • decimals()

  • tokenURI()

  • confidentialTotalSupply()

  • confidentialBalanceOf(account)

  • isOperator(holder, spender)

  • setOperator(operator, until)

  • confidentialTransfer(to, encryptedAmount, inputProof)

  • confidentialTransfer(to, amount)

  • confidentialTransferFrom(from, to, encryptedAmount, inputProof)

  • confidentialTransferFrom(from, to, amount)

  • confidentialTransferAndCall(to, encryptedAmount, inputProof, data)

  • confidentialTransferAndCall(to, amount, data)

  • confidentialTransferFromAndCall(from, to, encryptedAmount, inputProof, data)

  • confidentialTransferFromAndCall(from, to, amount, data)

  • discloseEncryptedAmount(encryptedAmount)

  • finalizeDiscloseEncryptedAmount(requestId, amount, signatures)

  • _setOperator(holder, operator, until)

  • _mint(to, amount)

  • _burn(from, amount)

  • _transfer(from, to, amount)

  • _transferAndCall(from, to, amount, data)

Events

  • TokensFrozen(account, encryptedAmount)

IERC7984

  • OperatorSet(holder, operator, until)

  • ConfidentialTransfer(from, to, amount)

  • AmountDisclosed(encryptedAmount, amount)

Errors
ERC7984

  • ERC7984InvalidReceiver(receiver)

  • ERC7984InvalidSender(sender)

  • ERC7984UnauthorizedSpender(holder, spender)

  • ERC7984ZeroBalance(holder)

  • ERC7984UnauthorizedUseOfEncryptedAmount(amount, user)

  • ERC7984UnauthorizedCaller(caller)

  • ERC7984InvalidGatewayRequest(requestId)

confidentialFrozen(address account) → euint64 public

Returns the confidential frozen balance of an account.

confidentialAvailable(address account) → euint64 public

Returns the confidential available (unfrozen) balance of an account. Up to confidentialBalanceOf.

setConfidentialFrozen(address account, externalEuint64 encryptedAmount, bytes inputProof) public

Freezes a confidential amount of tokens for an account with a proof.

setConfidentialFrozen(address account, euint64 encryptedAmount) public

Freezes a confidential amount of tokens for an account.

_setConfidentialFrozen(address account, euint64 encryptedAmount) internal

Internal function to freeze a confidential amount of tokens for an account.

_checkFreezer() internal

Unimplemented function that must revert if msg.sender is not authorized as a freezer.

_update(address from, address to, euint64 encryptedAmount) → euint64 internal

See ERC7984._update. The from account must have sufficient unfrozen balance, otherwise 0 tokens are transferred.

TokensFrozen(address indexed account, euint64 encryptedAmount) event

Emitted when a confidential amount of token is frozen for an account

ERC7984ObserverAccess 

import "@openzeppelin/confidential-contracts/token/ERC7984/extensions/ERC7984ObserverAccess.sol";

Extension of ERC7984 that allows each account to add a observer who is given permanent ACL access to its transfer and balance amounts. A observer can be added or removed at any point in time.

Functions

  • setObserver(account, newObserver)

  • observer(account)

  • _update(from, to, amount)

ERC7984

  • name()

  • symbol()

  • decimals()

  • tokenURI()

  • confidentialTotalSupply()

  • confidentialBalanceOf(account)

  • isOperator(holder, spender)

  • setOperator(operator, until)

  • confidentialTransfer(to, encryptedAmount, inputProof)

  • confidentialTransfer(to, amount)

  • confidentialTransferFrom(from, to, encryptedAmount, inputProof)

  • confidentialTransferFrom(from, to, amount)

  • confidentialTransferAndCall(to, encryptedAmount, inputProof, data)

  • confidentialTransferAndCall(to, amount, data)

  • confidentialTransferFromAndCall(from, to, encryptedAmount, inputProof, data)

  • confidentialTransferFromAndCall(from, to, amount, data)

  • discloseEncryptedAmount(encryptedAmount)

  • finalizeDiscloseEncryptedAmount(requestId, amount, signatures)

  • _setOperator(holder, operator, until)

  • _mint(to, amount)

  • _burn(from, amount)

  • _transfer(from, to, amount)

  • _transferAndCall(from, to, amount, data)

Events

  • ERC7984ObserverAccessObserverSet(account, oldObserver, newObserver)

IERC7984

  • OperatorSet(holder, operator, until)

  • ConfidentialTransfer(from, to, amount)

  • AmountDisclosed(encryptedAmount, amount)

Errors

  • Unauthorized()

ERC7984

  • ERC7984InvalidReceiver(receiver)

  • ERC7984InvalidSender(sender)

  • ERC7984UnauthorizedSpender(holder, spender)

  • ERC7984ZeroBalance(holder)

  • ERC7984UnauthorizedUseOfEncryptedAmount(amount, user)

  • ERC7984UnauthorizedCaller(caller)

  • ERC7984InvalidGatewayRequest(requestId)

setObserver(address account, address newObserver) public

Sets the observer for the given account account to newObserver. Can be called by the account or the existing observer to abdicate the observer role (may only set to address(0)).

observer(address account) → address public

Returns the observer for the given account account.

_update(address from, address to, euint64 amount) → euint64 transferred internal

ERC7984ObserverAccessObserverSet(address account, address oldObserver, address newObserver) event

Emitted when the observer is changed for the given account account.

Unauthorized() error

Thrown when an account tries to set a newObserver for a given account without proper authority.

Utilities

ERC7984Utils 

import "@openzeppelin/confidential-contracts/token/ERC7984/utils/ERC7984Utils.sol";

Library that provides common ERC7984 utility functions.

Functions

  • checkOnTransferReceived(operator, from, to, amount, data)

checkOnTransferReceived(address operator, address from, address to, euint64 amount, bytes data) → ebool internal

Performs a transfer callback to the recipient of the transfer to. Should be invoked after all transfers "withCallback" on a ERC7984.

The transfer callback is not invoked on the recipient if the recipient has no code (i.e. is an EOA). If the recipient has non-zero code, it must implement IERC7984Receiver.onConfidentialTransferReceived and return an ebool indicating whether the transfer was accepted or not. If the ebool is false, the transfer will be reversed.

← Interfaces
Utils →