Connect your wallet to receive test stablecoins directly.

Send test stablecoins to any address.

The faucet funds the following assets. | Asset | Address | Amount | | ---------------------------------------------------------------------------------------- | -------------------------------------------- | -----: | | [AlphaUSD](https://explore.tempo.xyz/address/0x20c0000000000000000000000000000000000001) | `0x20c0000000000000000000000000000000000001` | `1M` | | [BetaUSD](https://explore.tempo.xyz/address/0x20c0000000000000000000000000000000000002) | `0x20c0000000000000000000000000000000000002` | `1M` | | [ThetaUSD](https://explore.tempo.xyz/address/0x20c0000000000000000000000000000000000003) | `0x20c0000000000000000000000000000000000003` | `1M` | import * as Demo from '../../components/guides/Demo.tsx' import { ConnectWallet } from '../../components/ConnectWallet.tsx' import LucideZap from '~icons/lucide/zap' import LucideLandmark from '~icons/lucide/landmark' import LucidePackage from '~icons/lucide/package' import LucideRocket from '~icons/lucide/rocket' import LucideHammer from '~icons/lucide/hammer' import LucidePlug from '~icons/lucide/plug' import LucideServer from '~icons/lucide/server' import LucideBookOpen from '~icons/lucide/book-open' import LucideMail from '~icons/lucide/mail' import LucideCoins from '~icons/lucide/coins' import LucideNetwork from '~icons/lucide/network' import LucideDroplet from '~icons/lucide/droplet' import LucideWallet from '~icons/lucide/wallet' import LucideSend from '~icons/lucide/send' import LucideArrowLeftRight from '~icons/lucide/arrow-left-right' import TempoTxProperties from '../../snippets/tempo-tx-properties.mdx' import { Callout } from 'vocs/components' import * as Card from "../../components/Card.tsx" ### Integrate Tempo Testnet Tempo is fully compatible with the Ethereum Virtual Machine (EVM), targeting the **Osaka** EVM hard fork. So, everything you'd expect to work with Ethereum works on Tempo, with only a few exceptions which we detail on the [EVM Differences](/quickstart/evm-compatibility) page.

Click here to deposit testnet funds directly into your wallet.

#### Start Building The guides below will help you get a sense for what is possible to do with Tempo. All of the guides below are fully-featured Tempo applications themselves, built with the [Tempo SDKs](/sdk).

Check out the Tempo SDKs for language-specific clients to dive in yourself.

#### Go Deeper The Tempo source code is fully open-source and available on [GitHub](https://github.com/tempoxyz). If you're interested in learning more about how Tempo works under the hood, feel free to explore the codebase directly, run a node for yourself, or refer to the protocol specifications for a deeper understanding. We welcome contributions from the community to help improve and expand the project. ### Predeployed Contracts #### System Contracts Core protocol contracts that power Tempo's features. | Contract | Address | Description | | -------------------------------------------------------------------- | -------------------------------------------- | ----------------------------------- | | [**TIP-20 Factory**](/protocol/tip20/overview) | `0x20fc000000000000000000000000000000000000` | Create new TIP-20 tokens | | [**Fee Manager**](/protocol/fees/spec-fee-amm#2-feemanager-contract) | `0xfeec000000000000000000000000000000000000` | Handle fee payments and conversions | | [**Stablecoin DEX**](/protocol/exchange) | `0xdec0000000000000000000000000000000000000` | Enshrined DEX for stablecoin swaps | | [**TIP-403 Registry**](/protocol/tip403/spec) | `0x403c000000000000000000000000000000000000` | Transfer policy registry | | [**pathUSD**](/protocol/exchange/pathUSD) | `0x20c0000000000000000000000000000000000000` | First stablecoin deployed | #### Standard Utilities Popular Ethereum contracts deployed for convenience. | Contract | Address | Description | | ------------------------------------------------------------------------------------------ | -------------------------------------------- | --------------------------------------- | | [**Multicall3**](https://www.multicall3.com/) | `0xcA11bde05977b3631167028862bE2a173976CA11` | Batch multiple calls in one transaction | | [**CreateX**](https://github.com/pcaversaccio/createx) | `0xba5Ed099633D3B313e4D5F7bdc1305d3c28ba5Ed` | Deterministic contract deployment | | [**Permit2**](https://docs.uniswap.org/contracts/permit2/overview) | `0x000000000022d473030f116ddee9f6b43ac78ba3` | Token approvals and transfers | | [**Arachnid Create2 Factory**](https://github.com/Arachnid/deterministic-deployment-proxy) | `0x4e59b44847b379578588920cA78FbF26c0B4956C` | CREATE2 deployment proxy | | [**Safe Deployer**](https://github.com/safe-global/safe-deployer) | `0x914d7Fec6aaC8cd542e72Bca78B30650d45643d7` | Safe deployer contract | #### Contract ABIs ABIs for these contracts are available in the SDK: ```typescript import { Abis } from 'viem/tempo' const tip20Abi = Abis.tip20 const tip20FactoryAbi = Abis.tip20Factory const stablecoinExchangeAbi = Abis.stablecoinExchange const feeManagerAbi = Abis.feeManager const feeAmmAbi = Abis.feeAmm // ... ``` import { Callout } from 'vocs/components' import LucideCircleHelp from '~icons/lucide/circle-help' import LucideRoute from '~icons/lucide/route' import LucideBanknote from '~icons/lucide/banknote' import LucideWallet from '~icons/lucide/wallet' import LucideShield from '~icons/lucide/shield' import LucideFileCheck from '~icons/lucide/file-check' import LucideSettings from '~icons/lucide/settings' import LucideGift from '~icons/lucide/gift' import LucideMessageSquare from '~icons/lucide/message-square' import * as Card from "../../components/Card.tsx" ## Use the TIP-20 Standard TIP-20 is Tempo's native token standard for stablecoins and payment tokens. TIP-20 is designed for stablecoin payments, and is the foundation for many token-related functions on Tempo including transaction fees, payment lanes, and optimized routing for DEX liquidity on Tempo.

This means ERC-20 functions works with TIP-20 out of the box.

Transaction [SDKs](#integration-guides) are available for TypeScript, Rust, Go, and Foundry.

If you're integrating with Tempo, we **strongly recommend** using Tempo Transactions, and not regular Ethereum transactions. Learn more about the benefits below, or follow the guide on issuance [here](/guide/issuance). ### Integration Guides Integrating Tempo Transactions is easy and can be done quickly by a developer in multiple languages. See below for quick links to some of our guides. | Language | Source | Integration Time | | ------------------- | ------------------------------------------------------------------------------------------------------------------ | ---------------- | | **TypeScript** | [tempoxyz/tempo-ts](/sdk/typescript) | \< 1 hour | | **Rust** | [tempo-alloy](/sdk/rust) | \< 1 hour | | **Golang** | [tempo-go](https://github.com/tempoxyz/tempo-go) | \< 1 hour | | **Python** | [pytempo](https://github.com/tempoxyz/pytempo) | \< 1 hour | | **Other Languages** | Reach out to us! Specification is [here](/protocol/transactions/spec-tempo-transaction) and easy to build against. | 1-3 days | If you are an EVM smart contract developer, see the [Tempo extension for Foundry](/sdk/foundry). ### Properties ### Learn more ## Accounts \[Default Delegation (Experimental)] :::warning **Note: This feature will likely be deprecated before mainnet launch.** We recommend using the standard [Tempo Transaction](/protocol/transactions/spec-tempo-transaction) type instead if you need smart contract functionality. ::: Tempo uses a "Default Delegation" (DD) model for accounts on the Tempo blockchain. DD extends the Ethereum account model by allowing any externally owned account (EOA) to be seamlessly upgraded into a smart contract wallet, without requiring user intervention or setup. The core mechanism is that, on first use (when an EOA sends its first transaction and has never been used before), the protocol automatically delegates the account to a canonical smart contract implementation by setting its code to a special format. This enables all EOAs to immediately benefit from smart wallet features, while preserving full backward compatibility with legacy ECDSA transactions and not affecting contract accounts. Additionally, a registrar precompile is introduced to allow anyone to permissionlessly delegate an EOA to the default implementation by proving control of the address via a signature. The default implementation contract is treated as always warm for gas purposes. Tempo's DD model is fully compatible with EIP-7702. For a detailed understanding of the underlying delegation format and semantics, see the [EIP-7702 specification](https://eips.ethereum.org/EIPS/eip-7702). ### Features Default Delegation (DD) allows any EOA to be used as a smart contract wallet. It does so through two new behaviors in-protocol: 1. **Auto-delegation on first use.** When a top-level transaction originates from an address `A`, `nonce(A) == 0`, and `code(A)` is empty, the protocol **sets `code(A) = 0xEF0100 || DEFAULT_7702_IMPL`** during execution, thereby delegating `A` to the default implementation per 7702 semantics. Legacy ECDSA tx validation is unchanged. 2. **Registrar precompile.** A new precompile, **DefaultAccountRegistrar**, takes `(hash, v, r, s)`, derives an `authority` address via `ecrecover(hash, v, r, s)`, and **delegates `authority` to DEFAULT\_7702\_IMPL**. It reverts if that address is already delegated or is a contract. Additionally, **DEFAULT\_7702\_IMPL** is treated as **always warm** for gas, like a precompile. ### Motivation * Make EOAs immediately usable with a canonical smart-wallet implementation without user setup. * Preserve full backward compatibility with legacy ECDSA transactions. * Avoid changing any behavior of non-EOA addresses. * Provide a permissionless path to prove that an address is an EOA (via any prior ECDSA signature) and delegate an address to DEFAULT. ### Specification #### Notation & constants * `EMPTY` — empty byte array * `EF_PREFIX` — `0xEF0100` (EIP-7702 delegation prefix) * `DEFAULT_7702_IMPL` — **`0x7702c00000000000…`** (20-byte, fixed in genesis) * `DEFAULT_ACCOUNT_REGISTRAR` — **`0x7702ac00000000000…`** (20-byte precompile address) * “Delegated to X” ⇔ `code(account) == EF_PREFIX || X` (exact 7702 format) * “Plain EOA” ⇔ `code(account) == EMPTY` > **Out of scope:** The runtime behavior/ABI of `DEFAULT_7702_IMPL` itself (separate spec). DD only defines delegation mechanics. #### 1) Auto-delegation on first use **Trigger:** When executing a **top-level** transaction with `tx.from = A`. **Preconditions (checked at transaction start, during execution):** * `code(A) == EMPTY` * `nonce_pre(A) == 0` *(the nonce value read before nonce increment)* **State transition:** * Set `code(A) := EF_PREFIX || DEFAULT_7702_IMPL`. **Ordering / validation:** * Legacy ECDSA tx admission and verification are unchanged. * The auto-delegation check uses **`nonce_pre(A)`** (the state prior to the normal nonce increment). This makes behavior deterministic across implementations. **Scope exclusions:** * If `code(A) != EMPTY` (e.g., a contract), do **nothing**. * If `nonce_pre(A) != 0`, do **nothing**. * This rule **does not** prohibit later re-delegation or undelegation; those are governed by standard 7702 semantics (see *Redelegation & undelegation* below). **Gas:** * The gas accounting for installing `EF_PREFIX || DEFAULT_7702_IMPL` matches the cost model for 7702 delegation on Tempo (same schedule as 7702 delegation). #### 2) DefaultAccountRegistrar precompile **Address:** `DEFAULT_ACCOUNT_REGISTRAR = 0x7702ac00000000000…` **ABI (EVM call interface):** ``` delegateToDefault(bytes32 hash, uint8 v, bytes32 r, bytes32 s) ``` * **Inputs**: * `hash`: any 32-byte string, typically a hash of a message * `(v, r, s)`: ECDSA signature parameters * **Internal derivation**: * `pubkey = ecrecover(hash, v, r, s)` with standard Ethereum constraints: * Accept `v ∈ {27,28}` or `{0,1}` (treated as 27/28, respectively) * Enforce EIP-2 style “low-s” (reject high-`s`) * Reject invalid points or failed recovery * `authority = address(pubkey)` **Effects (on success):** * **Require** `code(authority) == EMPTY`. If not, **revert**. * **Require** `nonce(authority) == 0`. If not, **revert**. * **Set** `code(authority) := EF_PREFIX || DEFAULT_7702_IMPL`. **Outputs / logs:** * Returns **authority** on success. * **No event** is emitted. **Gas:** * Charge identical total gas as a 7702 delegation on Tempo (i.e., `ecrecover` cost + code-installation cost consistent with 7702). Exact numeric schedule is inherited from 7702 on Tempo. #### Always-warm rule * **`DEFAULT_7702_IMPL` is always warm** (like a precompile). For gas, treat it as if it appears in the access list at the start of every transaction. This applies chain-wide and unconditionally. #### Redelegation & undelegation * After auto-delegation or registrar delegation, an account **may**: * Re-delegate to another 7702 target, or * Delegate to **nothing** (undelegate), * …using the **exact same mechanisms and semantics as EIP-7702**. ### Rationale * **First-use default:** Ensures EOAs are smart-wallet capable immediately without wallet migration UX, while preserving legacy tx signing. * **Registrar “any message”:** The design intentionally accepts **any** valid ECDSA signature to “prove EOA control,” enabling use of existing public signatures (tweets, GitHub sigs, old onchain proofs). Replay across chains or contexts is **explicitly allowed** by design (no domain binding). * **Revert if nonce is not 0:** Allows addresses to opt out (by delegating to some other 7702 contract or to empty code) and not be forcibly redelegated. * **Revert if code is not empty:** Prevents edge cases (including repeated auto-delegation of the same account). * **Always-warm DEFAULT\_7702\_IMPL:** Smooths gas, based on the assumption that many transactions will use the default contract. ### Backwards Compatibility * **Legacy ECDSA transactions:** Unchanged validation. The only new effect is auto-delegation on the **first** tx for plain EOAs with `nonce == 0`. * **Contracts / codeful accounts:** Never auto-delegated; registrar reverts. * **7702 tooling:** Fully compatible; DD uses the **exact** 7702 delegation bytecode format and override semantics. ### Security Considerations * **Forced delegation by third parties:** Anyone can delegate an EOA via the registrar if they can produce **any** valid signature by that key (by design). This does **not** grant fund control if `DEFAULT_7702_IMPL` respects the original key, but it does change account semantics and may surprise tooling. Accepted as a trade-off. * **Signature replay & no domain binding:** Signatures from other chains or contexts can be reused. This is deliberate; downstream apps MUST NOT treat registrar delegation as consent for anything beyond delegation. * **Malleability constraints:** Enforce low-`s` and canonical `v` mapping to avoid malleability and recovery edge cases. * **CREATE/CREATE2 & contracts at EOA addresses:** DD never writes code to an account that already has code; changing a contract account’s code via registrar is disallowed (revert). Accounts created as contracts at genesis are unaffected. ### Test Cases (illustrative) 1. **First legacy tx auto-delegates** * Pre: `code(A)=EMPTY`, `nonce(A)=0` * Execute: valid legacy ECDSA tx `from=A` * Post: `code(A)=EF_PREFIX||DEFAULT_7702_IMPL`; tx body executes normally. 2. **First tx when `nonce(A)=1` (e.g., state pre-set)** * Pre: `code(A)=EMPTY`, `nonce(A)=1` * Execute: tx `from=A` * Post: No delegation performed. 3. **Address has code (contract)** * Pre: `code(A)=`, `nonce(A)=0` * Execute: tx `from=A` * Post: No delegation performed. 4. **Registrar happy path** * Input: `(hash, v, r, s)` where `ecrecover(hash, v,r,s)=A` * Pre: `code(A)=EMPTY` * Call: `DEFAULT_ACCOUNT_REGISTRAR.delegateToDefault(...)` * Post: `code(A)=EF_PREFIX||DEFAULT_7702_IMPL`; success (empty returndata). 5. **Registrar with reused public signature** * As (4), but `hash` is a keccak hash of a known public message (e.g., a tweet contents). Same success outcome. 6. **Registrar when already delegated (to default or another impl)** * Pre: `code(A)=EF_PREFIX||X` for any `X` * Call: registrar * Post: **Revert**. 7. **Registrar for contract address** * Pre: `code(A) != EMPTY` * Call: registrar with signature yielding `A` * Post: **Revert**. 8. **Invalid signature** * `ecrecover` fails or `s` is high * Post: **Revert**. 9. **Re-delegation via 7702** * Pre: `code(A)=EF_PREFIX||DEFAULT_7702_IMPL` * Action: perform a standard 7702 redelegation of `A` to `I2` (or to none) * Post: `code(A)=EF_PREFIX||I2` (or `EMPTY` if undelegated) 10. **Gas warmness** * Any tx executing a `CALL`/`DELEGATECALL` to `DEFAULT_7702_IMPL` treats it as warm without prior access-list touch. ### Reference Pseudocode (consensus-level) **Auto-delegation on tx start** ``` /// Executed at the beginning of a top-level tx, during execution: fn maybe_auto_delegate_on_first_use(sender: Address): let code = state.get_code(sender) let nonce_pre = state.get_nonce(sender) // value before nonce increment if code.length == 0 && nonce_pre == 0: state.set_code(sender, EF_PREFIX ++ DEFAULT_7702_IMPL) ``` **DefaultAccountRegistrar precompile** ``` /// At address DEFAULT_ACCOUNT_REGISTRAR /// abi: delegateToDefault(bytes hash, uint8 v, bytes32 r, bytes32 s) fn delegateToDefault(message: bytes, v: u8, r: bytes32, s: bytes32): let v_norm = if v in {27,28} then v else if v in {0,1} then (v + 27) else revert() require(is_low_s(s)) // EIP-2 style let authority = ecrecover(hash, v_norm, r, s) or revert() require(state.get_code(authority).length == 0) // must be plain EOA require(!is_7702_delegated(state.get_code(authority))) // no EF_PREFIX state.set_code(authority, EF_PREFIX ++ DEFAULT_7702_IMPL) return authority ``` **Helpers** ``` const EF_PREFIX = 0xEF0100 const DEFAULT_7702_IMPL = 0x7702c00000000000... // 20 bytes fn is_7702_delegated(code: bytes) -> bool: return code.length == 1+1+1+20 // 0xEF 0x01 0x00 || 20 bytes && code[0..3] == EF_PREFIX ``` ### Deployment / Activation * **Genesis:** Insert `DEFAULT_7702_IMPL` as an immutable, predeployed contract at `0x7702c00000000000…` with its code defined by the separate implementation spec. * **Fork rules:** DD is active from genesis on Tempo. Clients must include: * the auto-delegation state transition hook, * the DefaultAccountRegistrar precompile at `0x7702ac00000000000…`, * the always-warm treatment for `DEFAULT_7702_IMPL`. ## Tempo Transaction ### Abstract This spec introduces native protocol support for the following features, using a new Tempo transaction type: * WebAuthn/P256 signature validation - enables passkey accounts * Parallelizable nonces - allows higher tx throughput for each account * Gas sponsorship - allows apps to pay for their users' transactions * Call Batching - allows users to multicall efficiently and atomically * Scheduled Txs - allow users to specify a time window in which their tx can be executed * Access Keys - allow a sender's key to provision scoped access keys with spending limits ### Motivation Current accounts are limited to secp256k1 signatures and sequential nonces, creating UX and scalability challenges.\ Users cannot leverage modern authentication methods like passkeys, applications face throughput limitations due to sequential nonces. ### Specification #### Transaction Type A new EIP-2718 transaction type is introduced with type byte `0x76`: ```rust pub struct TempoTransaction { // Standard EIP-1559 fields chain_id: ChainId, // EIP-155 replay protection max_priority_fee_per_gas: u128, max_fee_per_gas: u128, gas_limit: u64, calls: Vec, // Batch of calls to execute atomically access_list: AccessList, // EIP-2930 access list // nonce-related fields nonce_key: U256, // 2D nonce key (0 = protocol nonce, >0 = user nonces) nonce: u64, // Current nonce value for the nonce key // Optional features fee_token: Option

, // Optional fee token preference fee_payer_signature: Option, // Sponsored transactions (secp256k1 only) valid_before: Option, // Transaction expiration timestamp valid_after: Option, // Transaction can only be included after this timestamp key_authorization: Option, // Access key authorization (optional) aa_authorization_list: Vec, // EIP-7702 style authorizations with AA signatures } // Call structure for batching pub struct Call { to: TxKind, // Can be Address or Create value: U256, input: Bytes // Calldata for the call } // Key authorization for provisioning access keys // RLP encoding: [chain_id, key_type, key_id, expiry?, limits?] pub struct KeyAuthorization { chain_id: u64, // Chain ID for replay protection (0 = valid on any chain) key_type: SignatureType, // Type of key: Secp256k1 (0), P256 (1), or WebAuthn (2) key_id: Address, // Key identifier (address derived from public key) expiry: Option, // Unix timestamp when key expires (None = never expires) limits: Option>, // TIP20 spending limits (None = unlimited spending) } // Signed key authorization (authorization + root key signature) pub struct SignedKeyAuthorization { authorization: KeyAuthorization, signature: PrimitiveSignature, // Root key's signature over keccak256(rlp(authorization)) } // TIP20 spending limits for access keys pub struct TokenLimit { token: Address, // TIP20 token address limit: U256, // Maximum spending amount for this token } ``` #### Signature Types Four signature schemes are supported. The signature type is determined by length and type identifier: ##### secp256k1 (65 bytes) ```rust pub struct Signature { r: B256, // 32 bytes s: B256, // 32 bytes v: u8 // 1 byte (recovery id) } ``` **Format**: No type identifier prefix (backward compatible). Total length: 65 bytes. **Detection**: Exactly 65 bytes with no type identifier. ##### P256 (130 bytes) ```rust pub struct P256SignatureWithPreHash { typeId: u8, // 0x01 r: B256, // 32 bytes s: B256, // 32 bytes pub_key_x: B256, // 32 bytes pub_key_y: B256, // 32 bytes pre_hash: bool // 1 byte } ``` **Format**: Type identifier `0x01` + 129 bytes of signature data. Total length: 130 bytes. The `typeId` is a wire format prefix (not a struct field) prepended during encoding. Note: Some P256 implementers (like Web Crypto) require the digests to be pre-hashed before verification. If `pre_hash` is set to `true`, then before verification: `digest = sha256(digest)`. ##### WebAuthn (Variable length, max 2KB) ```rust pub struct WebAuthnSignature { typeId: u8, // 0x02 webauthn_data: Bytes, // Variable length (authenticatorData || clientDataJSON) r: B256, // 32 bytes s: B256, // 32 bytes pub_key_x: B256, // 32 bytes pub_key_y: B256 // 32 bytes } ``` **Format**: Type identifier `0x02` + variable webauthn\_data + 128 bytes (r, s, pub\_key\_x, pub\_key\_y). Total length: variable (minimum 129 bytes, maximum 2049 bytes). The `typeId` is a wire format prefix prepended during encoding. Parse by working backwards: last 128 bytes are r, s, pub\_key\_x, pub\_key\_y. ##### Keychain (Variable length) ```rust pub struct KeychainSignature { typeId: u8, // 0x03 user_address: Address, // 20 bytes - root account address signature: PrimitiveSignature // Inner signature (Secp256k1, P256, or WebAuthn) } ``` **Format**: Type identifier `0x03` + user\_address (20 bytes) + inner signature. The `typeId` is a wire format prefix prepended during encoding. **Purpose**: Allows an access key to sign on behalf of a root account. The handler validates that `user_address` has authorized the access key in the AccountKeychain precompile. #### Address Derivation ##### secp256k1 ```solidity address(uint160(uint256(keccak256(abi.encode(x, y))))) ``` ##### P256 and WebAuthn ```solidity function deriveAddressFromP256(bytes32 pubKeyX, bytes32 pubKeyY) public pure returns (address) { // Hash bytes32 hash = keccak256(abi.encodePacked( pubKeyX, pubKeyY )); // Take last 20 bytes as address return address(uint160(uint256(hash))); } ``` #### Tempo Authorization List The `aa_authorization_list` field enables EIP-7702 style delegation with support for all three AA signature types (secp256k1, P256, and WebAuthn), not just secp256k1. ##### Structure ```rust pub struct TempoSignedAuthorization { inner: Authorization, // Standard EIP-7702 authorization signature: TempoSignature, // Can be Secp256k1, P256, or WebAuthn } ``` Each authorization in the list: * Delegates an account to a specified implementation contract * Is signed by the account's authority using any supported signature type * Follows EIP-7702 semantics for delegation and execution ##### Validation * Cannot have `Create` calls when `aa_authorization_list` is non-empty (follows EIP-7702 semantics) * Authority address is recovered from the signature and matched against the authorization #### Parallelizable Nonces * **Protocol nonce (key 0)**: Existing account nonce, incremented for regular txs, 7702 authorization, or `CREATE` * **User nonces (keys 1-N)**: Enable parallel execution with special gas schedule * **Reserved sequence keys**: Nonce sequence keys with the most significant byte `0x5b` are reserved for [sub-block transactions](/protocol/blockspace/sub-block-specification#11-sub-block-transactions). ##### Account State Changes * `nonces: mapping(uint256 => uint64)` - 2D nonce tracking **Implementation Note:** Nonces are stored in the storage of a designated precompile at address `0x4E4F4E4345000000000000000000000000000000` (ASCII hex for "NONCE"), as there is currently no clean way to extend account state in Reth. **Storage Layout at 0x4E4F4E4345:** * Storage key: `keccak256(abi.encode(account_address, nonce_key))` * Storage value: `nonce` (uint64) Note: Protocol Nonce key (0), is directly stored in the account state, just like normal transaction types. ##### Nonce Precompile The nonce precompile implements the following interface for managing 2D nonces: ```solidity /// @title INonce - Nonce Precompile Interface /// @notice Interface for managing 2D nonces as per the Tempo Transaction spec /// @dev This precompile manages user nonce keys (1-N) while protocol nonces (key 0) /// are handled directly by account state. Each account can have multiple /// independent nonce sequences identified by a nonce key. interface INonce { /// @notice Emitted when a nonce is incremented for an account and nonce key /// @param account The account whose nonce was incremented /// @param nonceKey The nonce key that was incremented /// @param newNonce The new nonce value after incrementing event NonceIncremented(address indexed account, uint256 indexed nonceKey, uint64 newNonce); /// @notice Thrown when trying to access protocol nonce (key 0) through the precompile /// @dev Protocol nonce should be accessed through account state, not this precompile error ProtocolNonceNotSupported(); /// @notice Thrown when an invalid nonce key is provided error InvalidNonceKey(); /// @notice Thrown when a nonce value would overflow error NonceOverflow(); /// @notice Get the current nonce for a specific account and nonce key /// @param account The account address /// @param nonceKey The nonce key (must be > 0, protocol nonce key 0 not supported) /// @return nonce The current nonce value function getNonce(address account, uint256 nonceKey) external view returns (uint64 nonce); } ``` ##### Precompile Implementation The precompile contract maintains a single storage mapping: ```solidity contract Nonce is INonce { /// @dev Mapping from account -> nonce key -> nonce value mapping(address => mapping(uint256 => uint64)) private nonces; } ``` ##### Gas Schedule For transactions using nonce keys: 1. **Protocol nonce (key 0)**: No additional gas cost * Uses the standard account nonce stored in account state 2. **Existing user key (nonce > 0)**: Add 5,000 gas to base cost * Rationale: Cold SLOAD (2,100) + warm SSTORE reset (2,900) 3. **New user key (nonce == 0)**: Add 22,100 gas to base cost * Rationale: Cold SLOAD (2,100) + SSTORE set for 0 → non-zero (20,000) We specify the complete gas schedule in more detail in the [gas costs section](#gas-costs) #### Transaction Validation ##### Signature Validation 1. Determine type from signature format: * 65 bytes (no type identifier) = secp256k1 * First byte `0x01` + 129 bytes = P256 (total 130 bytes) * First byte `0x02` + variable data = WebAuthn (total 129-2049 bytes) * First byte `0x03` + 20 bytes + inner signature = Keychain * Otherwise invalid 2. Apply appropriate verification: * secp256k1: Standard `ecrecover` * P256: P256 curve verification with provided public key (sha256 pre-hash if flag set) * WebAuthn: Parse clientDataJSON, verify challenge and type, then P256 verify * Keychain: Verify inner signature, then validate access key authorization via AccountKeychain precompile ##### Nonce Validation 1. Fetch sequence for given nonce key 2. Verify sequence matches transaction 3. Increment sequence ##### Fee Payer Validation (if present) 1. Verify fee payer signature (K1 only initially) 2. Recover payer address via `ecrecover` 3. Deduct fees from payer instead of sender #### Fee Payer Signature Details The Tempo Transaction Type (0x76) supports **gas sponsorship** where a third party (fee payer) can pay transaction fees on behalf of the sender. This is achieved through dual signature domains—the sender signs with transaction type byte `0x76`, while the fee payer signs with magic byte `0x78` to ensure domain separation and prevent signature reuse attacks. ##### Signing Domains ##### Sender Signature For computing the transaction hash that the sender signs: * Fields are preceded by transaction type byte `0x76` * Field 11 (`fee_token`) is encoded as empty string (`0x80`) **if and only if** `fee_payer_signature` is present. This allows the fee payer to specify the fee token. * Field 12 (`fee_payer_signature`) is encoded as: * Single byte `0x00` if fee payer signature will be present (placeholder) * Empty string `0x80` if no fee payer **Sender Signature Hash:** ```rust // When fee_payer_signature is present: sender_hash = keccak256(0x76 || rlp([ chain_id, max_priority_fee_per_gas, max_fee_per_gas, gas_limit, calls, access_list, nonce_key, nonce, valid_before, valid_after, 0x80, // fee_token encoded as EMPTY (skipped) 0x00 // placeholder byte for fee_payer_signature ])) // When no fee_payer_signature: sender_hash = keccak256(0x76 || rlp([ chain_id, max_priority_fee_per_gas, max_fee_per_gas, gas_limit, calls, access_list, nonce_key, nonce, valid_before, valid_after, fee_token, // fee_token is INCLUDED 0x80 // empty for no fee_payer_signature ])) ``` ##### Fee Payer Signature Only included for sponsored transactions. For computing the fee payer's signature hash: * Fields are preceded by **magic byte `0x78`** (different from transaction type `0x76`) * Field 11 (`fee_token`) is **always included** (20-byte address or `0x80` for None) * Field 12 is serialized as the **sender address** (20 bytes). This commits the fee payer to sponsoring a specific sender. **Fee Payer Signature Hash:** ```rust fee_payer_hash = keccak256(0x78 || rlp([ // Note: 0x78 magic byte chain_id, max_priority_fee_per_gas, max_fee_per_gas, gas_limit, calls, access_list, nonce_key, nonce, valid_before, valid_after, fee_token, // fee_token ALWAYS included sender_address // 20-byte sender address key_authorization, ])) ``` ##### Key Properties 1. **Sender Flexibility**: By omitting `fee_token` from sender signature when fee payer is present, the fee payer can specify which token to use for payment without invalidating the sender's signature 2. **Fee Payer Commitment**: Fee payer's signature includes `fee_token` and `sender_address`, ensuring they agree to: * Pay for the specific sender * Use the specific fee token 3. **Domain Separation**: Different magic bytes (`0x76` vs `0x78`) prevent signature reuse attacks between sender and fee payer roles 4. **Deterministic Fee Payer**: The fee payer address is statically recoverable from the transaction via secp256k1 signature recovery ##### Validation Rules **Signature Requirements:** * Sender signature MUST be valid (secp256k1, P256, or WebAuthn depending on signature length) * If `fee_payer_signature` present: * MUST be recoverable via secp256k1 (only secp256k1 supported for fee payers) * Recovery MUST succeed, otherwise transaction is invalid * If `fee_payer_signature` absent: * Fee payer defaults to sender address (self-paid transaction) **Token Preference:** * When `fee_token` is `Some(address)`, this overrides any account/validator-level preferences * Validation ensures the token is a valid TIP-20 token with sufficient balance/liquidity * Failures reject the transaction before execution (see Token Preferences spec) **Fee Payer Resolution:** * Fee payer signature present → recovered address via `ecrecover` * Fee payer signature absent → sender address * This address is used for all fee accounting (pre-charge, refund) via TIP Fee Manager precompile ##### Transaction Flow 1. **User prepares transaction**: Sets `fee_payer_signature` to placeholder (`Some(Signature::default())`) 2. **User signs**: Computes sender hash (with fee\_token skipped) and signs 3. **Fee payer receives** user-signed transaction 4. **Fee payer verifies** user signature is valid 5. **Fee payer signs**: Computes fee payer hash (with fee\_token and sender\_address) and signs 6. **Complete transaction**: Replace placeholder with actual fee payer signature 7. **Broadcast**: Transaction is sent to network with both signatures ##### Error Cases * `fee_payer_signature` present but unrecoverable → invalid transaction * Fee payer balance insufficient for `gas_limit * max_fee_per_gas` in fee token → invalid * Any sender signature failure → invalid * Malformed RLP → invalid #### RLP Encoding The transaction is RLP encoded as follows: **Signed Transaction Envelope:** ``` 0x76 || rlp([ chain_id, max_priority_fee_per_gas, max_fee_per_gas, gas_limit, calls, // RLP list of Call structs access_list, nonce_key, nonce, valid_before, // 0x80 if None valid_after, // 0x80 if None fee_token, // 0x80 if None fee_payer_signature, // 0x80 if None, RLP list [v, r, s] if Some aa_authorization_list, // EIP-7702 style authorization list with AA signatures key_authorization?, // Only encoded if present (backwards compatible) sender_signature // TempoSignature bytes (secp256k1, P256, WebAuthn, or Keychain) ]) ``` **Call Encoding:** ``` rlp([to, value, input]) ``` **Key Authorization Encoding:** ``` rlp([ chain_id, key_type, key_id, expiry?, // Optional trailing field (omitted or 0x80 if None) limits?, // Optional trailing field (omitted or 0x80 if None) signature // PrimitiveSignature bytes ]) ``` **Notes:** * Optional fields encode as `0x80` (EMPTY\_STRING\_CODE) when `None` * The `key_authorization` field is truly optional - when `None`, no bytes are encoded (backwards compatible) * The `calls` field is a list that must contain at least one Call (empty calls list is invalid) * The `sender_signature` field is the final field and contains the TempoSignature bytes (secp256k1, P256, WebAuthn, or Keychain) * KeyAuthorization uses RLP trailing field semantics for optional `expiry` and `limits` #### WebAuthn Signature Verification WebAuthn verification follows the [Daimo P256 verifier approach](https://github.com/daimo-eth/p256-verifier/blob/master/src/WebAuthn.sol). ##### Signature Format ``` signature = authenticatorData || clientDataJSON || r (32) || s (32) || pubKeyX (32) || pubKeyY (32) ``` Parse by working backwards: * Last 32 bytes: `pubKeyY` * Previous 32 bytes: `pubKeyX` * Previous 32 bytes: `s` * Previous 32 bytes: `r` * Remaining bytes: `authenticatorData || clientDataJSON` (requires parsing to split) ##### Authenticator Data Structure (minimum 37 bytes) ``` Bytes 0-31: rpIdHash (32 bytes) Byte 32: flags (1 byte) - Bit 0 (0x01): User Presence (UP) - must be set Bytes 33-36: signCount (4 bytes) ``` ##### Verification Steps ```python def verify_webauthn(tx_hash: bytes32, signature: bytes, require_uv: bool) -> bool: # 1. Parse signature pubKeyY = signature[-32:] pubKeyX = signature[-64:-32] s = signature[-96:-64] r = signature[-128:-96] webauthn_data = signature[:-128] # Parse authenticatorData and clientDataJSON # Minimum authenticatorData is 37 bytes # Simple approach: try to decode clientDataJSON from different split points authenticatorData, clientDataJSON = split_webauthn_data(webauthn_data) # 2. Validate authenticator data if len(authenticatorData) < 37: return False flags = authenticatorData[32] if not (flags & 0x01): # UP bit must be set return False # 3. Validate client data JSON if not contains(clientDataJSON, '"type":"webauthn.get"'): return False challenge_b64url = base64url_encode(tx_hash) challenge_property = '"challenge":"' + challenge_b64url + '"' if not contains(clientDataJSON, challenge_property): return False # 4. Compute message hash clientDataHash = sha256(clientDataJSON) messageHash = sha256(authenticatorData || clientDataHash) # 5. Verify P256 signature return p256_verify(messageHash, r, s, pubKeyX, pubKeyY) ``` ##### What We Verify * Authenticator data minimum length (37 bytes) * User Presence (UP) flag is set * `"type":"webauthn.get"` in clientDataJSON * Challenge matches tx\_hash (Base64URL encoded) * P256 signature validity ##### What We Skip * Origin verification (not applicable to blockchain) * RP ID hash validation (no central RP in decentralized context) * Signature counter (anti-cloning left to application layer) * Backup flags (account policy decision) ##### Parsing authenticatorData and clientDataJSON Since authenticatorData has variable length, finding the split point requires: 1. Check if AT flag (bit 6) is set at byte 32 2. If not set, authenticatorData is exactly 37 bytes 3. If set, need to parse CBOR credential data (complex, see implementation) 4. Everything after authenticatorData is clientDataJSON (valid UTF-8 JSON) **Simplified approach:** For TempoTransactions, wallets should send minimal authenticatorData (37 bytes, no AT/ED flags) to minimize gas costs and simplify parsing. #### Access Keys A sender can choose to authorize an Access Key to sign transactions on the sender's behalf. This is useful to enable flows where a root key (e.g. a passkey) would provision a short-lived (scoped) Access Key to be able to sign transactions on the sender's behalf without inducing another passkey prompt. More information about Access Keys can be found in the [Account Keychain Specification](./AccountKeychain). A sender can authorize a key by signing over a "key authorization" item that contains the following information: * **Chain ID** for replay protection (0 = valid on any chain) * **Key type** (Secp256k1, P256, or WebAuthn) * **Key ID** (address derived from the public key) * **Expiration** timestamp of when the key should expire (optional - None means never expires) * TIP20 token **spending limits** for the key (optional - None means unlimited spending): * Limits deplete as tokens are spent * Root key can update limits via `updateSpendingLimit()` without revoking the key * Note: Spending limits only apply to TIP20 token transfers, not ETH or other asset transfers ##### RLP Encoding **Unsigned Format:** The root key signs over the keccak256 hash of the RLP encoded `KeyAuthorization`: ``` key_authorization_digest = keccak256(rlp([chain_id, key_type, key_id, expiry?, limits?])) chain_id = u64 (0 = valid on any chain) key_type = 0 (Secp256k1) | 1 (P256) | 2 (WebAuthn) key_id = Address (derived from the public key) expiry = Option (unix timestamp, None = never expires, stored as u64::MAX in precompile) limits = Option> (None = unlimited spending) ``` **Signed Format:** The signed format (`SignedKeyAuthorization`) includes all fields with the `signature` appended: ``` signed_key_authorization = rlp([chain_id, key_type, key_id, expiry?, limits?, signature]) ``` The `signature` is a `PrimitiveSignature` (secp256k1, P256, or WebAuthn) signed by the root key. Note: `expiry` and `limits` use RLP trailing field semantics - they can be omitted entirely when None. ##### Keychain Precompile The Account Keychain precompile (deployed at address `0xAAAAAAAA00000000000000000000000000000000`) manages authorized access keys for accounts. It enables root keys to provision scoped access keys with expiry timestamps and per-TIP20 token spending limits. **See the [Account Keychain Specification](./AccountKeychain) for complete interface details, storage layout, and implementation.** ##### Protocol Behavior The protocol enforces Access Key authorization and spending limits natively. ##### Transaction Validation When a TempoTransaction is received, the protocol: 1. **Identifies the signing key** from the transaction signature * If signature is a `Keychain` variant: extracts the `keyId` (address) of the Access Key * Otherwise: treats it as the Root Key (keyId = address(0)) 2. **Validates KeyAuthorization** (if present in transaction) * The `key_authorization` field in `TempoTransaction` provisions a NEW Access Key * Root Key MUST sign: * The `key_authorization` digest: `keccak256(rlp([key_type, key_id, expiry, limits]))` * Access Key (being authorized) CAN sign the same tx which it is authorized in. * This enables "authorize and use" in a single transaction 3. **Sets transaction context** * Stores `transactionKey[account] = keyId` in protocol state * Used to enforce authorization hierarchy during execution, can also be used by DApps to see which key authorized the current tx. 4. **Validates Key Authorization** (for Access Keys) * Queries precompile: `getKey(account, keyId)` returns `KeyInfo` * Checks key is active (not revoked) * Checks expiry: `current_timestamp < expiry` (or `expiry == 0` for never expires) * Rejects transaction if validation fails ##### Authorization Hierarchy Enforcement The protocol enforces a strict two-tier hierarchy: **Root Key** (keyId = address(0)): * The account's primary key (address matches account address) * Can call ALL precompile functions * No spending limits * Can authorize, revoke, and update Access Keys **Access Keys** (keyId != address(0)): * Secondary keys authorized by Root Key * CANNOT call mutable precompile functions (`authorizeKey`, `revokeKey`, `updateSpendingLimit`) * Precompile functions check: `transactionKey[msg.sender] == 0` before allowing mutations * Subject to per-TIP20 token spending limits * Can have expiry timestamps When an Access Key attempts to call `authorizeKey()`, `revokeKey()`, or `updateSpendingLimit()`: 1. Transaction executes normally until the precompile call 2. Precompile checks `getTransactionKey()` returns non-zero (Access Key) 3. Call reverts with `UnauthorizedCaller` error 4. Entire transaction is reverted ##### Spending Limit Enforcement The protocol tracks and enforces spending limits for TIP20 token transfers: **Scope:** Only TIP20 `transfer()` and `approve()` calls are tracked * Native value transfers are NOT limited * NFT transfers are NOT limited * Other asset types are NOT limited **Tracking:** During transaction execution, when an Access Key's transaction calls TIP20 methods: 1. Protocol intercepts `transfer(to, amount)` and `approve(spender, amount)` calls 2. For `transfer`, the full `amount` is checked against the remaining limit 3. For `approve`, only **increases** in approval (new approval minus previous allowance) are checked and counted against the limit 4. Queries: `getRemainingLimit(account, keyId, token)` 5. Checks: relevant amount (transfer amount or approval increase) `<= remaining_limit` 6. If check fails: reverts with `SpendingLimitExceeded` 7. If check passes: decrements the limit by the relevant amount 8. Updates are stored in precompile state **Root Key Behavior:** Spending limit checks are skipped entirely (no limits apply) **Limit Updates:** * Limits deplete as tokens are spent * Root Key can call `updateSpendingLimit(keyId, token, newLimit)` to set new limits * Setting a new limit REPLACES the current remaining amount (does not add to it) * Limits do not reset automatically (no time-based periods) ##### Creating and Using KeyAuthorization **First-Time Authorization Flow:** 1. **Generate Access Key** ```typescript // Generate a new P256 or secp256k1 key pair const accessKey = generateKeyPair("p256"); // or "secp256k1" const keyId = deriveAddress(accessKey.publicKey); ``` 2. **Create Authorization Message** ```typescript // Define key parameters const keyAuth = { key_type: SignatureType.P256, // 1 key_id: keyId, // address derived from public key expiry: timestamp + 86400, // 24 hours from now (or 0 for never) limits: [ { token: USDC_ADDRESS, amount: 1000000000 }, // 1000 USDC (6 decimals) { token: DAI_ADDRESS, amount: 500000000000000000000 } // 500 DAI (18 decimals) ] }; // Compute digest: keccak256(rlp([key_type, key_id, expiry, limits])) const authDigest = computeAuthorizationDigest(keyAuth); ``` 3. **Root Key Signs Authorization** ```typescript // Sign with Root Key (e.g., passkey prompt) const rootSignature = await signWithRootKey(authDigest); ``` 4. **Build TempoTransaction** ```typescript const tx = { chain_id: 1, nonce: await getNonce(account), nonce_key: 0, calls: [{ to: recipient, value: 0, input: "0x" }], gas_limit: 200000, max_fee_per_gas: 1000000000, max_priority_fee_per_gas: 1000000000, key_authorization: { key_type: keyAuth.key_type, expiry: keyAuth.expiry, limits: keyAuth.limits, key_id: keyAuth.key_id, signature: rootSignature // Root Key's signature on authDigest }, // ... other fields }; ``` 5. **Access Key Signs Transaction** ```typescript // Sign transaction with the NEW Access Key being authorized const txHash = computeTxSignatureHash(tx); const accessSignature = await signWithAccessKey(txHash, accessKey); // Wrap in Keychain signature const finalSignature = { Keychain: { user_address: account, signature: { P256: accessSignature } // or Secp256k1 } }; ``` 6. **Submit Transaction** * Protocol validates Root Key signed the `key_authorization` * Protocol calls `authorizeKey()` on the precompile to store the key * Protocol validates Access Key signature on transaction * Transaction executes with spending limits enforced **Subsequent Usage (Key Already Authorized):** ```typescript // Access Key is already authorized, just sign transactions directly const tx = { chain_id: 1, nonce: await getNonce(account), calls: [{ to: recipient, value: 0, input: calldata }], key_authorization: null, // No authorization needed // ... other fields }; const txHash = computeTxSignatureHash(tx); const accessSignature = await signWithAccessKey(txHash, accessKey); const finalSignature = { Keychain: { user_address: account, signature: { P256: accessSignature } } }; // Submit - protocol validates key is authorized and not expired ``` ##### Key Management Operations **Revoking an Access Key:** ```typescript // Must be signed by Root Key const tx = { chain_id: 1, nonce: await getNonce(account), calls: [{ to: ACCOUNT_KEYCHAIN_ADDRESS, value: 0, input: encodeCall("revokeKey", [keyId]) }], // ... sign with Root Key }; ``` **Updating Spending Limits:** ```typescript // Must be signed by Root Key const tx = { chain_id: 1, nonce: await getNonce(account), calls: [{ to: ACCOUNT_KEYCHAIN_ADDRESS, value: 0, input: encodeCall("updateSpendingLimit", [ keyId, USDC_ADDRESS, 2000000000 // New limit: 2000 USDC ]) }], // ... sign with Root Key }; ``` **Note:** After updating, the remaining limit is set to the `newLimit` value, not added to the current remaining amount. ##### Querying Key State Applications can query key information and spending limits: ```typescript // Check if key is authorized and get info const keyInfo = await precompile.getKey(account, keyId); // Returns: { signatureType, keyId, expiry } // Check remaining spending limit for a token const remaining = await precompile.getRemainingLimit(account, keyId, USDC_ADDRESS); // Returns: uint256 amount remaining // Get which key signed current transaction (callable from contracts) const currentKey = await precompile.getTransactionKey(); // Returns: address (0x0 for Root Key, keyId for Access Key) ``` ### Rationale #### Signature Type Detection by Length Using signature length for type detection avoids adding explicit type fields while maintaining deterministic parsing. The chosen lengths (65, 129, variable) are naturally distinct. #### Linear Gas Scaling for Nonce Keys The progressive pricing model prevents state bloat while keeping initial keys affordable. The 20,000 gas increment approximates the long-term state cost of maintaining each additional nonce mapping. #### No Nonce Expiry Avoiding expiry simplifies the protocol and prevents edge cases where in-flight transactions become invalid. Wallets handle nonce key allocation to prevent conflicts. #### Backwards Compatibility This spec introduces a new transaction type and does not modify existing transaction processing. Legacy transactions continue to work unchanged. We special case `nonce key = 0` (also referred to as the protocol nonce key) to maintain compatibility with existing nonce behavior. ### Gas Costs #### Signature Verification Gas Schedule Different signature types incur different base transaction costs to reflect their computational complexity: | Signature Type | Base Gas Cost | Calculation | Rationale | | -------------- | --------------------------- | ------------------------------------------ | ------------------------------------------------------------------------- | | **secp256k1** | 21,000 | Standard | Includes 3,000 gas for ecrecover precompile | | **P256** | 26,000 | 21,000 + 5,000 | Base 21k + additional 5k for P256 verification | | **WebAuthn** | 26,000 + variable data cost | 26,000 + (calldata gas for clientDataJSON) | Base P256 cost plus variable cost for clientDataJSON based on size | | **Keychain** | Inner signature + 3,000 | primitive\_sig\_cost + 3,000 | Inner signature cost + key validation overhead (2,100 SLOAD + 900 buffer) | **Rationale:** * The base 21,000 gas for standard transactions already includes the cost of secp256k1 signature verification via ecrecover (3,000 gas) * [EIP 7951](https://eips.ethereum.org/EIPS/eip-7951) sets P256 verification cost at 6,900 gas. We add 1,100 gas to account for the additional 65 bytes of signature size (129 bytes total vs 64 bytes for secp256k1), giving 8,000 gas total. Since the base 21k already includes 3,000 gas for ecrecover (which P256 doesn't use), the net additional cost is 8,000 - 3,000 = **5,000 gas**. * WebAuthn signatures require additional computation to parse and validate the clientDataJSON structure. We cap the total signature size at 2kb. The signature is also charged using the same gas schedule as calldata (16 gas per non-zero byte, 4 gas per zero byte) to prevent the use of this signature space from spam. * Keychain signatures wrap a primitive signature and are used by access keys. They add 3,000 gas to cover key validation during transaction validation (cold SLOAD to verify key exists + processing overhead). * Individual per-signature-type gas costs allow us to add more advanced verification methods in the future like multisigs, which could have dynamic gas pricing. #### Nonce Key Gas Schedule Transactions using parallelizable nonces incur additional costs based on the nonce key usage pattern: ##### Case 1: Protocol Nonce (Key 0) * **Additional Cost:** 0 gas * **Total:** 21,000 gas (base transaction cost) * **Rationale:** Maintains backward compatibility with existing transaction flow ##### Case 2: Existing User Nonce Key (nonce > 0) * **Additional Cost:** 5,000 gas * **Total:** 26,000 gas * **Rationale:** Cold SLOAD (2,100) + warm SSTORE reset (2,900) for incrementing an existing nonce ##### Case 3: New User Nonce Key (nonce == 0) * **Additional Cost:** 22,100 gas * **Total:** 43,100 gas * **Rationale:** Cold SLOAD (2,100) + SSTORE set (20,000) for writing to a new storage slot **Rationale for Fixed Pricing:** 1. **Simplicity:** Fixed costs based on actual EVM storage operations are straightforward to reason about 2. **Storage Pattern Alignment:** Costs directly mirror EVM cold SSTORE costs for new vs existing slots 3. **State Growth:** Creating new nonce keys incurs the higher cost naturally through SSTORE set pricing #### Key Authorization Gas Schedule When a transaction includes a `key_authorization` field to provision a new access key, additional intrinsic gas is charged to cover signature verification and storage operations. This gas is charged **before execution** as part of the transaction's intrinsic gas cost. ##### Gas Components | Component | Gas Cost | Notes | | -------------------------- | -------------------------------------------------------------- | ------------------------------------------------------------ | | **Signature verification** | 3,000 (secp256k1) / 8,000 (P256) / 8,000 + calldata (WebAuthn) | Verifying the root key's signature on the authorization | | **Key storage** | 22,000 | Cold SSTORE to store new key (0→non-zero) | | **Overhead buffer** | 5,000 | Buffer for event emission, storage reads, and other overhead | | **Per spending limit** | 22,000 each | Cold SSTORE per token limit (0→non-zero) | **Signature verification rationale:** KeyAuthorization requires an *additional* signature verification beyond the transaction signature. Unlike the transaction signature (where ecrecover cost is included in the base 21k), KeyAuthorization must pay the full verification cost: * **secp256k1**: 3,000 gas (ecrecover precompile cost) * **P256**: 8,000 gas (6,900 from EIP-7951 + 1,100 for signature size). Note: the transaction signature schedule charges only 5,000 additional gas for P256 because it subtracts the 3,000 ecrecover "savings" already in base 21k. KeyAuthorization pays the full 8,000. * **WebAuthn**: 8,000 + calldata gas for webauthn\_data ##### Gas Formula ``` KEY_AUTH_BASE_GAS = 30,000 # For secp256k1 signature (3,000 + 22,000 + 5,000) KEY_AUTH_BASE_GAS = 35,000 # For P256 signature (5,000 + 3,000 + 22,000 + 5,000) KEY_AUTH_BASE_GAS = 35,000 + webauthn_calldata_gas # For WebAuthn signature PER_LIMIT_GAS = 22,000 # Per spending limit entry total_key_auth_gas = KEY_AUTH_BASE_GAS + (num_limits * PER_LIMIT_GAS) ``` ##### Examples | Configuration | Gas Cost | Calculation | | -------------------- | -------- | --------------------------- | | secp256k1, no limits | 30,000 | Base only | | secp256k1, 1 limit | 52,000 | 30,000 + 22,000 | | secp256k1, 3 limits | 96,000 | 30,000 + (3 × 22,000) | | P256, no limits | 35,000 | Base with P256 verification | | P256, 2 limits | 79,000 | 35,000 + (2 × 22,000) | ##### Rationale 1. **Pre-execution charging**: KeyAuthorization is validated and executed during transaction validation (before the EVM runs), so its gas must be included in intrinsic gas 2. **Storage cost alignment**: The 22,000 gas per storage slot approximates EVM cold SSTORE costs for new slots 3. **DoS prevention**: Progressive cost based on number of limits prevents abuse through excessive limit creation #### Reference Pseudocode ```python def calculate_calldata_gas(data: bytes) -> uint256: """ Calculate gas cost for calldata based on zero and non-zero bytes Args: data: bytes to calculate cost for Returns: gas_cost: uint256 """ CALLDATA_ZERO_BYTE_GAS = 4 CALLDATA_NONZERO_BYTE_GAS = 16 gas = 0 for byte in data: if byte == 0: gas += CALLDATA_ZERO_BYTE_GAS else: gas += CALLDATA_NONZERO_BYTE_GAS return gas def calculate_signature_verification_gas(signature: PrimitiveSignature) -> uint256: """ Calculate gas cost for verifying a primitive signature. Returns the ADDITIONAL gas beyond the base 21k transaction cost. - secp256k1: 0 (already included in base 21k via ecrecover) - P256: 5,000 (8,000 full cost - 3,000 ecrecover already in base 21k) - WebAuthn: 5,000 + calldata gas for webauthn_data """ # P256 full verification cost is 8,000 (6,900 from EIP-7951 + 1,100 for signature size) # But base 21k already includes 3,000 for ecrecover, so additional cost is 5,000 P256_ADDITIONAL_GAS = 5_000 if signature.type == Secp256k1: return 0 # Already included in base 21k elif signature.type == P256: return P256_ADDITIONAL_GAS elif signature.type == WebAuthn: webauthn_data_gas = calculate_calldata_gas(signature.webauthn_data) return P256_ADDITIONAL_GAS + webauthn_data_gas else: revert("Invalid signature type") def calculate_key_authorization_gas(key_auth: SignedKeyAuthorization) -> uint256: """ Calculate the intrinsic gas cost for a KeyAuthorization. This is charged BEFORE execution as part of transaction validation. Args: key_auth: SignedKeyAuthorization with fields: - signature: PrimitiveSignature (root key's signature) - limits: Optional[List[TokenLimit]] Returns: gas_cost: uint256 """ # Constants - KeyAuthorization pays FULL signature verification costs # (not the "additional" costs used for transaction signatures) ECRECOVER_GAS = 3_000 # Full ecrecover cost P256_FULL_GAS = 8_000 # Full P256 cost (6,900 + 1,100) COLD_SSTORE_SET_GAS = 22_000 # Storage cost for new slot OVERHEAD_BUFFER = 5_000 # Buffer for event emission, storage reads, etc. gas = 0 # Step 1: Signature verification cost (full cost, not additional) if key_auth.signature.type == Secp256k1: gas += ECRECOVER_GAS # 3,000 elif key_auth.signature.type == P256: gas += P256_FULL_GAS # 8,000 elif key_auth.signature.type == WebAuthn: webauthn_data_gas = calculate_calldata_gas(key_auth.signature.webauthn_data) gas += P256_FULL_GAS + webauthn_data_gas # 8,000 + calldata # Step 2: Key storage gas += COLD_SSTORE_SET_GAS # 22,000 - store new key (0 → non-zero) # Step 3: Overhead buffer gas += OVERHEAD_BUFFER # 5,000 # Step 4: Per-limit storage cost num_limits = len(key_auth.limits) if key_auth.limits else 0 gas += num_limits * COLD_SSTORE_SET_GAS # 22,000 per limit return gas def calculate_tempo_tx_base_gas(tx): """ Calculate the base gas cost for a TempoTransaction Args: tx: TempoTransaction object with fields: - signature: TempoSignature (variable length) - nonce_key: uint192 - nonce: uint64 - sender_address: address - key_authorization: Optional[SignedKeyAuthorization] Returns: total_gas: uint256 """ # Constants BASE_TX_GAS = 21_000 EXISTING_NONCE_KEY_GAS = 5_000 # Cold SLOAD (2,100) + warm SSTORE reset (2,900) NEW_NONCE_KEY_GAS = 22_100 # Cold SLOAD (2,100) + SSTORE set (20,000) KEYCHAIN_VALIDATION_GAS = 3_000 # 2,100 SLOAD + 900 processing buffer # Step 1: Determine signature verification cost # For Keychain signatures, use the inner primitive signature if tx.signature.type == Keychain: inner_sig = tx.signature.inner_signature else: inner_sig = tx.signature signature_gas = BASE_TX_GAS + calculate_signature_verification_gas(inner_sig) # Add keychain validation overhead if using access key if tx.signature.type == Keychain: signature_gas += KEYCHAIN_VALIDATION_GAS # Step 2: Calculate nonce key cost if tx.nonce_key == 0: # Protocol nonce (backward compatible) nonce_gas = 0 else: # User nonce key current_nonce = get_nonce(tx.sender_address, tx.nonce_key) if current_nonce > 0: # Existing nonce key - cold SLOAD + warm SSTORE reset nonce_gas = EXISTING_NONCE_KEY_GAS else: # New nonce key - cold SLOAD + SSTORE set nonce_gas = NEW_NONCE_KEY_GAS # Step 3: Calculate key authorization cost (if present) if tx.key_authorization is not None: key_auth_gas = calculate_key_authorization_gas(tx.key_authorization) else: key_auth_gas = 0 # Step 4: Calculate total base gas total_gas = signature_gas + nonce_gas + key_auth_gas return total_gas ``` ### Security Considerations #### Mempool DOS Protection Transaction pools perform pre-execution validation checks before accepting transactions. These checks are performed for free by the nodes, making them potential DOS vectors. The three primary validation checks are: 1. **Signature verification** - Must be valid 2. **Nonce verification** - Must match current account nonce 3. **Balance check** - Account must have sufficient balance to pay for transaction This transaction type impacts all three areas: ##### Signature Verification Impact * **P256 signatures**: Fixed computational cost similar to ecrecover. * **WebAuthn signatures**: Variable cost due to clientDataJSON parsing, but **capped at 2KB total signature size** to prevent abuse * **Mitigation**: All signature types have bounded computational costs that are in the same ballpark as standard ecrecover. ##### Nonce Verification Impact * **2D nonce lookup**: Requires additional storage read from nonce precompile * **Cost**: Equivalent to a cold SLOAD (\~2,100 gas worth of free computation) * **Mitigation**: Cost is bounded to a manageable value. ##### Fee Payer Impact * **Additional account read**: When fee payer is specified, must fetch fee payer's account to verify balance * **Cost**: Effectively doubles the free account access work for sponsored transactions * **Mitigation**: Cost is still bounded to a single additional account read. ##### Comparison to Ethereum The introduction of 7702 delegated accounts already created complex cross-transaction dependencies in the mempool, which prevents any static pool checks from being useful. Because a single transaction can invalidate multiple others by spending balances of multiple accounts **Assessment:** While this transaction type introduces additional pre-execution validation costs, all costs are bounded to reasonable limits. The mempool complexity issues around cross-transaction dependencies already exist in Ethereum due to 7702 and accounts with code, making static validation inherently difficult. So the incremental cost from this transaction type is acceptable given these existing constraints. import LucideFileText from '~icons/lucide/file-text' import LucideShield from '~icons/lucide/shield' import LucideUsers from '~icons/lucide/users' import LucideLock from '~icons/lucide/lock' import LucideSettings from '~icons/lucide/settings' import * as Card from "../../../components/Card.tsx" ## TIP-403 Policy Registry ### What is TIP-403? TIP-403 is Tempo's policy registry system that enables TIP-20 tokens to enforce access control. Instead of each token implementing its own logic, TIP-403 provides a registry where policies can be created once and shared across multiple tokens. ### Links ## Overview ### Abstract TIP-403 provides a policy registry system that allows TIP-20 tokens to inherit access control and compliance policies. The registry supports two types of policies (whitelist and blacklist) and includes special built-in policies for common use cases. Policies can be shared across multiple tokens, enabling consistent compliance enforcement. ### Motivation Token issuers often need to implement compliance policies such as KYC/AML requirements, access control, and risk management. Without a standardized system, each token would need to implement its own policy logic, making policy management more difficult and inconsistent across the ecosystem. TIP-403 addresses this by providing a centralized registry that tokens can reference for authorization decisions. This enables consistent policy enforcement across multiple tokens and reduces implementation complexity for token issuers. *** ## Specification The TIP-403 registry stores policies that TIP-20 tokens check against on any token transfer. Policies are associated with a unique `policyId`, can either be a blacklist or a whitelist policy, and contain a list of addresses. This list of addresses can be updated by the policy `admin`. The TIP403Registry is deployed at address `0x403c000000000000000000000000000000000000`. ### Built-in Policies Custom policies start with `policyId = 2`. The registry reserves the first two ids for built-in policies: * `policyId = 0` is the `always-reject` policy and rejects all token transfers * `policyId = 1` is the `always-allow` policy and allows all token transfers The `policyIdCounter` starts at `2` and increments with each new policy creation. ### Policy Types TIP-403 supports two policy types: * **Whitelist Policies:** Only addresses in the whitelist can transfer tokens. All other addresses are blocked * **Blacklist Policies:** Addresses in the blacklist are blocked from transferring tokens. All other addresses can transfer ### Storage and State The registry maintains the following state: * `policyIdCounter`: Starts at `2`, increments with each new policy creation. Returns the next policy ID that will be assigned. * `policyData`: Mapping from `policyId` to `PolicyData` struct containing policy type and admin address. * `policySet`: Internal mapping from `policyId` to address to boolean, tracking which addresses are in each policy's set. ### Interface Definition The complete TIP403Registry interface is defined below: ```solidity interface ITIP403Registry { // ========================================================================= // Types and Enums // ========================================================================= enum PolicyType { WHITELIST, BLACKLIST } struct PolicyData { PolicyType policyType; address admin; } // ========================================================================= // Policy Creation // ========================================================================= /// @notice Creates a new policy with the specified admin and type /// @param admin Address that can modify this policy /// @param policyType Type of policy (whitelist or blacklist) /// @return newPolicyId ID of the newly created policy /// @dev Anyone can create a policy. The creator specifies an admin address that can modify the policy. /// Assigns the next available policyId starting from 2, sets the policy admin, and initializes an empty policy set. /// Emits PolicyCreated and PolicyAdminUpdated events. function createPolicy( address admin, PolicyType policyType ) external returns (uint64 newPolicyId); /// @notice Creates a policy and immediately adds the provided accounts to the policy set /// @param admin Address that can modify this policy /// @param policyType Type of policy (whitelist or blacklist) /// @param accounts Initial addresses to add to the policy /// @return newPolicyId ID of the newly created policy /// @dev For whitelist policies: adds accounts as authorized. For blacklist policies: adds accounts as restricted. /// Emits PolicyCreated, PolicyAdminUpdated, and either WhitelistUpdated or BlacklistUpdated events for each account added. function createPolicyWithAccounts( address admin, PolicyType policyType, address[] calldata accounts ) external returns (uint64 newPolicyId); // ========================================================================= // Policy Administration // ========================================================================= /// @notice Transfers admin rights to another address /// @param policyId ID of the policy to update /// @param admin New admin address for the policy /// @dev Only the current policy admin can call this function. The new admin immediately gains full control over the policy. /// Emits PolicyAdminUpdated event. function setPolicyAdmin(uint64 policyId, address admin) external; /// @notice Adds or removes addresses from a whitelist policy /// @param policyId ID of the whitelist policy /// @param account Address to add or remove /// @param allowed true to allow, false to block /// @dev Only the policy admin can call this function. allowed = true adds the address to the whitelist (authorized to transfer). /// allowed = false removes the address from the whitelist (not authorized). Reverts if policy is not a whitelist. /// Emits WhitelistUpdated event. function modifyPolicyWhitelist( uint64 policyId, address account, bool allowed ) external; /// @notice Adds or removes addresses from a blacklist policy /// @param policyId ID of the blacklist policy /// @param account Address to add or remove /// @param restricted true to block, false to allow /// @dev Only the policy admin can call this function. restricted = true adds the address to the blacklist (not authorized to transfer). /// restricted = false removes the address from the blacklist (authorized). Reverts if policy is not a blacklist. /// Emits BlacklistUpdated event. function modifyPolicyBlacklist( uint64 policyId, address account, bool restricted ) external; // ========================================================================= // Policy Queries // ========================================================================= /// @notice Returns whether the provided user is allowed to transfer tokens under the provided policy ID /// @param policyId Policy ID to check against /// @param user Address to check /// @return True if authorized, false if blocked /// @dev For policyId = 0 (always-reject): Always returns false /// For policyId = 1 (always-allow): Always returns true /// For whitelist policies: Returns true if address is in the whitelist, false otherwise /// For blacklist policies: Returns true if address is NOT in the blacklist, false if it is function isAuthorized(uint64 policyId, address user) external view returns (bool); /// @notice Returns the next policy ID that will be assigned to a newly created policy /// @return The current policyIdCounter value /// @dev Starts at 2 and increments with each policy creation function policyIdCounter() external view returns (uint64); /// @notice Returns whether a policy exists (available from Allegretto hardfork) /// @param policyId ID of the policy to check /// @return True if the policy exists, false otherwise /// @dev Policy IDs 0 and 1 (built-in policies) always exist. For custom policies (ID >= 2), /// checks if the policy ID is within the range of created policies based on policyIdCounter. function policyExists(uint64 policyId) external view returns (bool); /// @notice Returns the policy type and admin address of the policy associated with the provided policy ID /// @param policyId ID of the policy to query /// @return policyType Type of the policy (whitelist or blacklist) /// @return admin Admin address of the policy function policyData(uint64 policyId) external view returns (PolicyType policyType, address admin); // ========================================================================= // Events // ========================================================================= /// @notice Emitted when a new policy is created /// @param policyId ID of the newly created policy /// @param updater Address that created the policy /// @param policyType Type of policy created event PolicyCreated( uint64 indexed policyId, address indexed updater, PolicyType policyType ); /// @notice Emitted when a policy's admin is changed /// @param policyId ID of the policy /// @param updater Address that made the change /// @param admin New admin address event PolicyAdminUpdated( uint64 indexed policyId, address indexed updater, address indexed admin ); /// @notice Emitted when an address is added to or removed from a whitelist policy /// @param policyId ID of the whitelist policy /// @param updater Address that made the change /// @param account Account that was added or removed /// @param allowed true if added, false if removed event WhitelistUpdated( uint64 indexed policyId, address indexed updater, address indexed account, bool allowed ); /// @notice Emitted when an address is added to or removed from a blacklist policy /// @param policyId ID of the blacklist policy /// @param updater Address that made the change /// @param account Account that was added or removed /// @param restricted true if blocked, false if unblocked event BlacklistUpdated( uint64 indexed policyId, address indexed updater, address indexed account, bool restricted ); // ========================================================================= // Errors // ========================================================================= /// @notice Caller is not the policy admin error Unauthorized(); /// @notice Wrong policy type for the operation error IncompatiblePolicyType(); } ``` ### Usage with TIP-20 Tokens TIP-20 tokens store the current TIP403 registry policy ID they adhere to in their storage. On any token transfer, they perform a TIP-403 policy check by calling `isAuthorized()` for both sender and recipient addresses. The policy to use for the token can only be set by the admin of the token. **Default Policy:** New tokens start with `transferPolicyId = 1` (always-allow policy). **Policy Changes:** When a token's transfer policy is changed via `changeTransferPolicyId()`, all future transfers are immediately subject to the new policy. #### Example Usage Creating and setting a policy: ```solidity address admin = address(this); // Create policy with registry uint64 policyId = tip403Registry.createPolicy(admin, PolicyType.WHITELIST); // Add authorized addresses to whitelist tip403Registry.modifyPolicyWhitelist(policyId, authorizedUser, true); // Set policy on the token token.changeTransferPolicyId(policyId); ``` ### Authorization Logic The `isAuthorized()` function implements the following logic: ```solidity if (policyId < 2) { return policyId == 1; // 0 = reject, 1 = allow } PolicyData memory data = policyData[policyId]; return data.policyType == PolicyType.WHITELIST ? policySet[policyId][user] : !policySet[policyId][user]; ``` ## Invariants * When policyId = 0, all authorization checks must return false for every address. * When policyId = 1, all authorization checks must return true for every address. * Only the policy’s current admin may update the admin address for that policy. import LucideFileText from '~icons/lucide/file-text' import LucideGift from '~icons/lucide/gift' import LucideTrendingUp from '~icons/lucide/trending-up' import * as Card from "../../../components/Card.tsx" ## TIP-20 Rewards TIP-20 Rewards is a built-in mechanism that allows for efficient distribution of rewards to opted-in token holders proportional to their holdings, while maintaining low gas costs at scale and complying with [TIP-403 transfer policies](/protocol/tip403/spec). Traditional reward mechanisms require tokens to be staked in separate contracts, which fragments user holdings and adds complexity to wallet implementations. TIP-20 Rewards solves this by: * **Built-in Distribution**: Rewards are integrated directly into the token contract, no separate staking required * **Opt-in Participation**: Users choose whether to participate by setting a reward recipient * **Proportional Distribution**: Rewards accrue based on token holdings automatically * **Instant Rewards**: Distribute rewards immediately to opted-in holders * **Efficient at Scale**: Constant-time updates regardless of the number of token holders * **Policy Compliant**: All reward transfers respect TIP-403 transfer policies Note: Time-based streaming rewards are planned for a future upgrade. Until then, attempting to create a timed distribution will revert (calling `startReward(amount, seconds_)` with `seconds_ > 0` reverts with `ScheduledRewardsDisabled()`). ### Links ## TIP-20 Rewards Distribution ### Abstract An opt-in, scalable, pro-rata reward distribution mechanism built into TIP-20 tokens. The system uses a "reward-per-token" accumulator pattern to distribute rewards proportionally to opted-in holders without requiring staking or per-holder iteration. Rewards are distributed instantly; time-based streaming distributions are planned for a future upgrade. ### Motivation Many applications require pro-rata distribution of tokens to existing holders (incentive programs, deterministic inflation, staking rewards). Building this into TIP-20 allows efficient distribution without forcing users to stake tokens elsewhere or requiring distributors to loop over all holders. ### Specification The rewards mechanism allows anyone to distribute token rewards to opted-in holders proportionally based on holdings. Users must opt in to receiving rewards and may delegate rewards to a recipient address. ### TIP-20 Rewards Functions These functions are part of the [ITIP20](/protocol/tip20/spec) interface: ```solidity /// @notice Distribute rewards to opted-in token holders /// @param amount Amount of tokens to distribute /// @param seconds_ Must be 0; passing > 0 reverts with ScheduledRewardsDisabled() /// @return Always returns 0 for an instant distribution function startReward(uint256 amount, uint32 seconds_) external returns (uint64); /// @notice Set the reward recipient for the caller (opt in/out of rewards) /// @param newRewardRecipient Recipient address (address(0) to opt out) function setRewardRecipient(address newRewardRecipient) external; /// @notice Claim all pending rewards for the caller /// @return maxAmount Amount claimed function claimRewards() external returns (uint256 maxAmount); /// @notice Get user reward info function userRewardInfo(address user) external view returns ( address rewardRecipient, uint256 rewardPerToken, uint256 rewardBalance ); // State variables function globalRewardPerToken() external view returns (uint256); function optedInSupply() external view returns (uint128); ``` ### Accrual Mechanism The system uses an accumulator pattern: * `globalRewardPerToken`: Cumulative rewards per token (scaled by 1e18) * Each user stores a `rewardPerToken` snapshot; pending rewards = `(globalRewardPerToken - snapshot) * balance` Instant distributions (`seconds_ == 0`) add directly to `globalRewardPerToken` as: `deltaRPT = amount * 1e18 / optedInSupply`. ### Opt-In Model Users must call `setRewardRecipient(recipient)` to opt in. When opted in: * User's balance contributes to `optedInSupply` * Rewards accrue to `rewardBalance` on balance-changing operations * Users can delegate rewards to another address Setting recipient to `address(0)` opts out. ### TIP-403 Integration All token movements must pass TIP-403 policy checks: * `startReward`: Validates funder authorization * `setRewardRecipient`: Validates holder and recipient * `claimRewards`: Validates msg.sender ### Invariants * `globalRewardPerToken` must monotonically increase * `optedInSupply` must equal the sum of balances for all opted-in users * All token movements must comply with TIP-403 policies import { Callout } from 'vocs/components' import LucideCircleHelp from '~icons/lucide/circle-help' import LucideRoute from '~icons/lucide/route' import LucideBanknote from '~icons/lucide/banknote' import LucideWallet from '~icons/lucide/wallet' import LucideShield from '~icons/lucide/shield' import LucideFileCheck from '~icons/lucide/file-check' import LucideSettings from '~icons/lucide/settings' import LucideGift from '~icons/lucide/gift' import LucideMessageSquare from '~icons/lucide/message-square' import LucideFileText from '~icons/lucide/file-text' import LucideSend from '~icons/lucide/send' import LucideRocket from '~icons/lucide/rocket' import LucideArrowLeftRight from '~icons/lucide/arrow-left-right' import * as Card from "../../../components/Card.tsx" ## TIP-20 Token Standard TIP-20 is Tempo's native token standard for stablecoins and payment tokens. TIP-20 is designed for stablecoin payments, and is the foundation for many token-related functions on Tempo including transaction fees, payment lanes, DEX quote tokens, and optimized routing for DEX liquidity on Tempo.

This means ERC-20 functions works with TIP-20 out of the box.

All TIP-20 tokens are created by interacting with the [TIP-20 Factory contract](/protocol/tip20/spec#tip20factory), calling the `createToken` function. If you're issuing a stablecoin on Tempo, we **strongly recommend** using the TIP-20 standard. Learn more about the benefits, or follow the guide on issuance [here](/guide/issuance). ### Benefits & Features of TIP-20 Tokens Below are some of the key benefits and features of TIP-20 tokens: #### Payments #### Exchange #### Compliance & Controls #### Pay Fees in Any Stablecoin Any USD-denominated TIP-20 token can be used to pay transaction fees on Tempo. The [Fee AMM](/protocol/fees/spec-fee-amm) automatically converts your token to the validator's preferred fee token, eliminating the need for users to hold a separate gas token. This feature works natively: no additional infrastructure or integration required. Full specification of this feature can be found in the [Payment Lanes Specification](/protocol/blockspace/payment-lane-specification). #### Get Predictable Payment Fees Tempo has dedicated payment lanes: reserved blockspace for payment TIP-20 transactions that other applications cannot consume. Even if there are extremely popular applications on the chain competing for blockspace, payroll runs or customer disbursements execute predictably. Learn more about the [payments lane](/protocol/blockspace/payment-lane-specification). #### Role-Based Access Control (RBAC) TIP-20 includes a built-in [RBAC system](/protocol/tip403/spec#tip-20-token-roles) that separates administrative responsibilities: * **ISSUER\_ROLE**: Grants permission to mint and burn tokens, enabling controlled token issuance * **PAUSE\_ROLE** / **UNPAUSE\_ROLE**: Allows pausing and unpausing token transfers for emergency controls * **BURN\_BLOCKED\_ROLE**: Permits burning tokens from blocked addresses (e.g., for compliance actions) Roles can be granted, revoked, and delegated without custom contract changes. This enables issuers to separate operational roles (e.g., who can mint) from administrative roles (e.g., who can pause). Learn more in the [TIP-20 specification](/protocol/tip20/spec#roles). #### TIP-403 Transfer Policies TIP-20 tokens integrate with the [TIP-403 Policy Registry](/protocol/tip403/overview) to enforce compliance policies. Each token can reference a policy that controls who can send and receive tokens: * **Whitelist policies**: Only addresses in the whitelist can transfer tokens * **Blacklist policies**: Addresses in the blacklist are blocked from transferring tokens Policies can be shared across multiple tokens, enabling consistent compliance enforcement across your token ecosystem. See the [TIP-403 specification](/protocol/tip403/spec) for details. #### Operational Controls TIP-20 tokens can set **supply caps**, which allow you to set a maximum token supply to control issuance. TIP-20 tokens also have **pause/unpause** commands, which provide emergency controls to halt transfers when needed. #### Transfer Memos **Transfer memos** enable you to attach 32-byte memos to transfers for payment references, invoice IDs, or transaction notes. #### Reward Distribution TIP-20 supports an opt-in [reward distribution system](/protocol/tip20-rewards/overview) that allows issuers to distribute rewards to token holders. Rewards can be claimed by holders or automatically forwarded to designated recipient addresses. #### Currency Declaration A TIP-20 token can declare a currency identifier (e.g., `"USD"`, `"EUR"`) that identifies the real-world asset backing the token. This enables proper routing and pricing in Tempo's [stablecoin exchange](/protocol/exchange). USD-denominated TIP-20 tokens can be used to pay transaction fees and serve as quote tokens in the DEX. #### DEX Quote Tokens TIP-20 tokens can serve as quote tokens in Tempo's decentralized exchange (DEX). When creating trading pairs on the [stablecoin exchange](/protocol/exchange), TIP-20 tokens function as the quote currency against which other tokens are priced and traded. This enables efficient stablecoin-to-stablecoin trading and provides optimized routing for liquidity. For example, a USDC TIP-20 token can be paired with other stablecoins, allowing traders to swap between different USD-denominated tokens with minimal slippage through concentrated liquidity pools. By using TIP-20 tokens as quote tokens, the DEX benefits from the same payment-optimized features like deterministic addresses, currency identifiers, and compliance policies, ensuring secure and efficient exchange operations. ### Additional Links ## TIP20 ### Abstract TIP20 is a suite of precompiles that provide a built-in optimized token implementation in the core protocol. It extends the ERC-20 token standard with built-in functionality like memo fields and reward distribution. ### Motivation All major stablecoins today use the ERC-20 token standard. While ERC-20 provides a solid foundation for fungible tokens, it lacks features critical for stablecoin issuers today such as memos, transfer policies, and rewards distribution. Additionally, since each ERC-20 token has its own implementation, integrators can't depend on consistent behavior across tokens. TIP-20 extends ERC-20, building these features into precompiled contracts that anyone can permissionlessly deploy on Tempo. This makes token operations much more efficient, allows issuers to quickly set up on Tempo, and simplifies integrations since it ensures standardized behavior across tokens. It also enables deeper integration with token-specific Tempo features like paying gas in stablecoins and payment lanes. ### Specification TIP-20 tokens support standard fungible token operations such as transfers, mints, and burns. They also support transfers, mints, and burns with an attached 32-byte memo; a role-based access control system for token administrative operations; and a system for opt-in [reward distribution](/protocol/tip20-rewards/spec). ### TIP20 The core TIP-20 contract exposes standard ERC-20 functions for balances, allowances, transfers, and delegated transfers, and also adds: * 32-byte memo support on transfers, mints, and burns. * A `TIP20Roles` module for permissioned actions like issuing, pausing, unpausing, and burning blocked balances. * Configuration options for currencies, quote tokens, and transfer policies. The complete TIP20 interface is defined below: ```solidity interface ITIP20 { // ========================================================================= // ERC-20 standard functions // ========================================================================= /// @notice Returns the name of the token /// @return The token name function name() external view returns (string memory); /// @notice Returns the symbol of the token /// @return The token symbol function symbol() external view returns (string memory); /// @notice Returns the number of decimals for the token /// @return Always returns 6 for TIP-20 tokens function decimals() external pure returns (uint8); /// @notice Returns the total amount of tokens in circulation /// @return The total supply of tokens function totalSupply() external view returns (uint256); /// @notice Returns the token balance of an account /// @param account The address to check the balance for /// @return The token balance of the account function balanceOf(address account) external view returns (uint256); /// @notice Transfers tokens from caller to recipient /// @param to The recipient address /// @param amount The amount of tokens to transfer /// @return True if successful function transfer(address to, uint256 amount) external returns (bool); /// @notice Returns the remaining allowance for a spender /// @param owner The token owner address /// @param spender The spender address /// @return The remaining allowance amount function allowance(address owner, address spender) external view returns (uint256); /// @notice Approves a spender to spend tokens on behalf of caller /// @param spender The address to approve /// @param amount The amount to approve /// @return True if successful function approve(address spender, uint256 amount) external returns (bool); /// @notice Transfers tokens from one address to another using allowance /// @param from The sender address /// @param to The recipient address /// @param amount The amount to transfer /// @return True if successful function transferFrom(address from, address to, uint256 amount) external returns (bool); /// @notice Mints new tokens to an address (requires ISSUER_ROLE) /// @param to The recipient address /// @param amount The amount of tokens to mint function mint(address to, uint256 amount) external; /// @notice Burns tokens from caller's balance (requires ISSUER_ROLE) /// @param amount The amount of tokens to burn function burn(uint256 amount) external; // ========================================================================= // TIP-20 extended functions // ========================================================================= /// @notice Transfers tokens from caller to recipient with a memo /// @param to The recipient address /// @param amount The amount of tokens to transfer /// @param memo A 32-byte memo attached to the transfer function transferWithMemo(address to, uint256 amount, bytes32 memo) external; /// @notice Transfers tokens from one address to another with a memo using allowance /// @param from The sender address /// @param to The recipient address /// @param amount The amount to transfer /// @param memo A 32-byte memo attached to the transfer /// @return True if successful function transferFromWithMemo(address from, address to, uint256 amount, bytes32 memo) external returns (bool); /// @notice Mints new tokens to an address with a memo (requires ISSUER_ROLE) /// @param to The recipient address /// @param amount The amount of tokens to mint /// @param memo A 32-byte memo attached to the mint function mintWithMemo(address to, uint256 amount, bytes32 memo) external; /// @notice Burns tokens from caller's balance with a memo (requires ISSUER_ROLE) /// @param amount The amount of tokens to burn /// @param memo A 32-byte memo attached to the burn function burnWithMemo(uint256 amount, bytes32 memo) external; /// @notice Burns tokens from a blocked address (requires BURN_BLOCKED_ROLE) /// @param from The address to burn tokens from (must be unauthorized by transfer policy) /// @param amount The amount of tokens to burn function burnBlocked(address from, uint256 amount) external; /// @notice Returns the quote token used for DEX pairing /// @return The quote token address function quoteToken() external view returns (ITIP20); /// @notice Returns the next quote token staged for update /// @return The next quote token address (zero if none staged) function nextQuoteToken() external view returns (ITIP20); /// @notice Returns the currency identifier for this token /// @return The currency string function currency() external view returns (string memory); /// @notice Returns whether the token is currently paused /// @return True if paused, false otherwise function paused() external view returns (bool); /// @notice Returns the maximum supply cap for the token /// @return The supply cap (checked on mint operations) function supplyCap() external view returns (uint256); /// @notice Returns the current transfer policy ID from TIP-403 registry /// @return The transfer policy ID function transferPolicyId() external view returns (uint64); // ========================================================================= // Admin Functions // ========================================================================= /// @notice Pauses the contract, blocking transfers (requires PAUSE_ROLE) function pause() external; /// @notice Unpauses the contract, allowing transfers (requires UNPAUSE_ROLE) function unpause() external; /// @notice Changes the transfer policy ID (requires DEFAULT_ADMIN_ROLE) /// @param newPolicyId The new policy ID from TIP-403 registry /// @dev From Allegretto hardfork onwards, validates that the policy exists using TIP403Registry.policyExists() /// Built-in policies (ID 0 = always-reject, ID 1 = always-allow) are always valid. /// For custom policies (ID >= 2), the policy must exist in the TIP-403 registry. /// Reverts with InvalidTransferPolicyId if the policy does not exist. function changeTransferPolicyId(uint64 newPolicyId) external; /// @notice Stages a new quote token for update (requires DEFAULT_ADMIN_ROLE) /// @param newQuoteToken The new quote token address function setNextQuoteToken(ITIP20 newQuoteToken) external; /// @notice Completes the quote token update process (requires DEFAULT_ADMIN_ROLE) function completeQuoteTokenUpdate() external; /// @notice Sets the maximum supply cap (requires DEFAULT_ADMIN_ROLE) /// @param newSupplyCap The new supply cap (cannot be less than current supply) function setSupplyCap(uint256 newSupplyCap) external; // ========================================================================= // Role Management // ========================================================================= /// @notice Returns the BURN_BLOCKED_ROLE constant /// @return keccak256("BURN_BLOCKED_ROLE") function BURN_BLOCKED_ROLE() external view returns (bytes32); /// @notice Returns the ISSUER_ROLE constant /// @return keccak256("ISSUER_ROLE") function ISSUER_ROLE() external view returns (bytes32); /// @notice Returns the PAUSE_ROLE constant /// @return keccak256("PAUSE_ROLE") function PAUSE_ROLE() external view returns (bytes32); /// @notice Returns the UNPAUSE_ROLE constant /// @return keccak256("UNPAUSE_ROLE") function UNPAUSE_ROLE() external view returns (bytes32); /// @notice Grants a role to an account (requires role admin) /// @param role The role to grant (keccak256 hash) /// @param account The account to grant the role to function grantRole(bytes32 role, address account) external; /// @notice Revokes a role from an account (requires role admin) /// @param role The role to revoke (keccak256 hash) /// @param account The account to revoke the role from function revokeRole(bytes32 role, address account) external; /// @notice Allows an account to remove a role from itself /// @param role The role to renounce (keccak256 hash) function renounceRole(bytes32 role) external; /// @notice Changes the admin role for a specific role (requires current role admin) /// @param role The role whose admin is being changed /// @param adminRole The new admin role function setRoleAdmin(bytes32 role, bytes32 adminRole) external; // ========================================================================= // System Functions // ========================================================================= /// @notice System-level transfer function (restricted to precompiles) /// @param from The sender address /// @param to The recipient address /// @param amount The amount to transfer /// @return True if successful function systemTransferFrom(address from, address to, uint256 amount) external returns (bool); /// @notice Pre-transaction fee transfer (restricted to precompiles) /// @param from The account to charge fees from /// @param amount The fee amount function transferFeePreTx(address from, uint256 amount) external; /// @notice Post-transaction fee handling (restricted to precompiles) /// @param to The account to refund /// @param refund The refund amount /// @param actualUsed The actual fee used function transferFeePostTx(address to, uint256 refund, uint256 actualUsed) external; // ========================================================================= // Events // ========================================================================= /// @notice Emitted when a new allowance is set by `owner` for `spender` /// @param owner The account granting the allowance /// @param spender The account being approved to spend tokens /// @param amount The new allowance amount event Approval(address indexed owner, address indexed spender, uint256 amount); /// @notice Emitted when tokens are burned from an address /// @param from The address whose tokens were burned /// @param amount The amount of tokens that were burned event Burn(address indexed from, uint256 amount); /// @notice Emitted when tokens are burned from a blocked address /// @param from The blocked address whose tokens were burned /// @param amount The amount of tokens that were burned event BurnBlocked(address indexed from, uint256 amount); /// @notice Emitted when new tokens are minted to an address /// @param to The address receiving the minted tokens /// @param amount The amount of tokens that were minted event Mint(address indexed to, uint256 amount); /// @notice Emitted when a new quote token is staged for this token /// @param updater The account that staged the new quote token /// @param nextQuoteToken The quote token that has been staged event NextQuoteTokenSet(address indexed updater, ITIP20 indexed nextQuoteToken); /// @notice Emitted when the pause state of the token changes /// @param updater The account that changed the pause state /// @param isPaused The new pause state; true if paused, false if unpaused event PauseStateUpdate(address indexed updater, bool isPaused); /// @notice Emitted when the quote token update process is completed /// @param updater The account that completed the quote token update /// @param newQuoteToken The new quote token that has been set event QuoteTokenUpdate(address indexed updater, ITIP20 indexed newQuoteToken); /// @notice Emitted when a holder sets or updates their reward recipient address /// @param holder The token holder configuring the recipient /// @param recipient The address that will receive claimed rewards event RewardRecipientSet(address indexed holder, address indexed recipient); /// @notice Emitted when a reward distribution is scheduled /// @param funder The account funding the reward distribution /// @param id The identifier of the reward (0 for instant distributions) /// @param amount The total amount of tokens allocated to the reward /// @param durationSeconds The duration in seconds (must be 0 in current version) event RewardScheduled( address indexed funder, uint64 indexed id, uint256 amount, uint32 durationSeconds ); /// @notice Emitted when the token's supply cap is updated /// @param updater The account that updated the supply cap /// @param newSupplyCap The new maximum total supply event SupplyCapUpdate(address indexed updater, uint256 indexed newSupplyCap); /// @notice Emitted for all token movements, including mints and burns /// @param from The address sending tokens (address(0) for mints) /// @param to The address receiving tokens (address(0) for burns) /// @param amount The amount of tokens transferred event Transfer(address indexed from, address indexed to, uint256 amount); /// @notice Emitted when the transfer policy ID is updated /// @param updater The account that updated the transfer policy /// @param newPolicyId The new transfer policy ID from the TIP-403 registry event TransferPolicyUpdate(address indexed updater, uint64 indexed newPolicyId); /// @notice Emitted when a transfer, mint, or burn is performed with an attached memo /// @param from The address sending tokens (address(0) for mints) /// @param to The address receiving tokens (address(0) for burns) /// @param amount The amount of tokens transferred /// @param memo The 32-byte memo associated with this movement event TransferWithMemo( address indexed from, address indexed to, uint256 amount, bytes32 indexed memo ); /// @notice Emitted when the membership of a role changes for an account /// @param role The role being granted or revoked /// @param account The account whose membership was changed /// @param sender The account that performed the change /// @param hasRole True if the role was granted, false if it was revoked event RoleMembershipUpdated( bytes32 indexed role, address indexed account, address indexed sender, bool hasRole ); /// @notice Emitted when the admin role for a role is updated /// @param role The role whose admin role was changed /// @param newAdminRole The new admin role for the given role /// @param sender The account that performed the update event RoleAdminUpdated( bytes32 indexed role, bytes32 indexed newAdminRole, address indexed sender ); // ========================================================================= // Errors // ========================================================================= /// @notice The token operation is blocked because the contract is currently paused error ContractPaused(); /// @notice The spender does not have enough allowance for the attempted transfer error InsufficientAllowance(); /// @notice The account does not have the required token balance for the operation /// @param currentBalance The current balance of the account /// @param expectedBalance The required balance for the operation to succeed /// @param token The address of the token contract error InsufficientBalance(uint256 currentBalance, uint256 expectedBalance, address token); /// @notice The provided amount is zero or otherwise invalid for the attempted operation error InvalidAmount(); /// @notice The provided currency identifier is invalid or unsupported error InvalidCurrency(); /// @notice The specified quote token is invalid, incompatible, or would create a circular reference error InvalidQuoteToken(); /// @notice The recipient address is not a valid destination for this operation /// (for example, another TIP-20 token contract) error InvalidRecipient(); /// @notice The specified transfer policy ID does not exist in the TIP-403 registry error InvalidTransferPolicyId(); /// @notice The new supply cap is invalid, for example lower than the current total supply error InvalidSupplyCap(); /// @notice A rewards operation was attempted when no opted-in supply exists error NoOptedInSupply(); /// @notice The configured transfer policy denies authorization for the sender or recipient error PolicyForbids(); /// @notice Attempted to start a timed reward distribution; streaming is disabled error ScheduledRewardsDisabled(); /// @notice The attempted operation would cause total supply to exceed the configured supply cap error SupplyCapExceeded(); /// @notice The caller does not have the required role or permission for this operation error Unauthorized(); } ``` :::warning When interacting with precompiles, **always use the provided ABI** rather than reading directly from storage slots. Direct storage access may lead to undefined behavior. ::: ### Memos Memo functions `transferWithMemo`, `transferFromWithMemo`, `mintWithMemo`, and `burnWithMemo` behave like their ERC-20 equivalents but additionally emit memo data in dedicated events. The memo is always a fixed 32-byte field. Callers should pack shorter strings or identifiers directly into this field, and use hashes or external references when the underlying payload exceeds 32 bytes. ### TIP-403 Transfer Policies All operations that move tokens: `transfer`, `transferFrom`, `transferWithMemo`, `transferFromWithMemo`, `mint`, `burn`, `mintWithMemo`, and `burnWithMemo` — enforce the token’s configured TIP-403 transfer policy. Internally, this is implemented via a `transferAuthorized` modifier that: * Calls `TIP403_REGISTRY.isAuthorized(transferPolicyId, from)` for the sender. * Calls `TIP403_REGISTRY.isAuthorized(transferPolicyId, to)` for the recipient. Both checks must return `true`, otherwise the call reverts with `PolicyForbids`. Reward operations (`startReward`, `setRewardRecipient`, `claimRewards`) also perform the same TIP-403 authorization checks before moving any funds. ### Invalid Recipient Protection TIP-20 tokens cannot be sent to other TIP-20 token contract addresses. The implementation uses a `validRecipient` guard that rejects recipients whose address is zero, or has the TIP-20 prefix (`0x20c000000000000000000000`). Any attempt to transfer to a TIP-20 token address must revert with `InvalidRecipient`. This prevents accidental token loss by sending funds to token contracts instead of user accounts. ### Currencies and Quote Tokens Each TIP-20 token declares a currency identifier and a corresponding `quoteToken` used for pricing and routing in the Stablecoin DEX. Tokens with `currency == "USD"` must pair with a USD-denominated TIP-20 token. Updating the quote token occurs in two phases: 1. `setNextQuoteToken` stages a new quote token. 2. `completeQuoteTokenUpdate` finalizes the change. The implementation must validate that the new quote token is a TIP-20 token, matches currency rules, and does not create circular quote-token chains. :::note While quote tokens can be changed, choose carefully as the update process requires careful coordination with the DEX. ::: ### Pause Controls Pause controls `pause` and `unpause` govern all transfer operations and reward related flows. When paused, transfers and memo transfers halt, but administrative and configuration functions remain allowed. The `paused()` getter reflects the current state and must be checked by all affected entrypoints. ### TIP-20 Roles TIP-20 uses a role-based authorization system. The main roles are: * `ISSUER_ROLE`: controls minting and burning. * `PAUSE_ROLE` / `UNPAUSE_ROLE`: controls the token’s paused state. * `BURN_BLOCKED_ROLE`: allows burning balances belonging to addresses that fail TIP-403 authorization. Roles are assigned and managed through `grantRole`, `revokeRole`, `renounceRole`, and `setRoleAdmin`, via the contract admin. ### System Functions System level functions `systemTransferFrom`, `transferFeePreTx`, and `transferFeePostTx` are only callable by other Tempo protocol precompiles. These entrypoints power transaction fee collection, refunds, and internal accounting within the Fee AMM and Stablecoin DEX. They must not be callable by general contracts or users. ### Token Rewards Distribution See [rewards distribution](/protocol/tip20-rewards/spec) for more information. ### TIP20Factory The `TIP20Factory` contract is the canonical entrypoint for creating new TIP-20 tokens on Tempo. The factory maintains an internal `tokenIdCounter` that increments with each deployment, and uses this counter to derive deterministic “vanity” deployment addresses under a fixed 12-byte TIP-20 prefix. This ensures that every TIP-20 token exists at a predictable, collision-free address, and that integrators can infer a token’s identifier directly from its address. The `TIP20Factory` precompile is deployed at 0x20Fc000000000000000000000000000000000000`. Newly created TIP-20 addresses are deployed a vanity address derived from `TIP20\_PREFIX || tokenId\`, where: * `TIP20_PREFIX` is the 12-byte prefix `0x20C0000000000000000000000000` * `tokenId` is the current monotonically increasing counter value, encoded into the least significant bytes of the address (eg. `0x20C0000000000000000000000000000000000001`) When creating a token, the factory performs several checks to guarantee consistency across the TIP-20 ecosystem: * The specified Quote token must be a currently deployed TIP20. * Tokens that specify their currency as USD must also specify a quote token that is denoted in USD. * At deployment, the factory initializes defaults on the TIP-20:\ `transferPolicyId = 1`, `supplyCap = type(uint128).max`, `paused = false`, and `totalSupply = 0`. * The provided `admin` address receives `DEFAULT_ADMIN_ROLE`, enabling it to manage roles and token configurations. The complete `TIP20Factory` interface is defined below: ```solidity /// @title TIP-20 Factory Interface /// @notice Deploys and initializes new TIP-20 tokens at deterministic vanity addresses interface ITIP20Factory { /// @notice Creates and deploys a new TIP-20 token /// @param name The token's ERC-20 name /// @param symbol The token's ERC-20 symbol /// @param currency The token's currency identifier (e.g. "USD") /// @param quoteToken The TIP-20 quote token used for exchange pricing /// @param admin The address to receive DEFAULT_ADMIN_ROLE on the new token /// /// @return token The deployed TIP-20 token address /// @dev /// - Computes the TIP-20 deployment address as TIP20_PREFIX || tokenId /// - Ensures the provided quote token is itself a valid TIP-20 /// - Enforces USD-denomination rules (USD tokens must use USD quote tokens) /// - Rejects configurations that would form circular quote-token chains /// - Initializes the token with default settings: /// transferPolicyId = 1 (always-allow) /// supplyCap = type(uint128).max /// paused = false /// totalSupply = 0 /// - Grants DEFAULT_ADMIN_ROLE on the new token to `admin` /// - Emits a {TokenCreated} event function createToken( string memory name, string memory symbol, string memory currency, ITIP20 quoteToken, address admin ) external returns (address token); // ========================================================================= // Helpers // ========================================================================= /// @notice Returns true if `token` is a valid TIP-20 address /// @param token The address to check /// @return True if the address is a well-formed TIP-20 /// @dev Checks the TIP-20 prefix and ensures its embedded ID <= tokenIdCounter function isTIP20(address token) external view returns (bool); /// @notice Returns the next token ID that will be assigned on creation /// @return The current tokenIdCounter value function tokenIdCounter() external view returns (uint256); // ========================================================================= // Events // ========================================================================= /// @notice Emitted when a new TIP-20 token is created /// @param token The newly deployed TIP-20 address /// @param id The assigned token ID used in address construction /// @param name The token name /// @param symbol The token symbol /// @param currency The token currency /// @param quoteToken The token's assigned quote token /// @param admin The address receiving DEFAULT_ADMIN_ROLE event TokenCreated( address indexed token, uint256 indexed id, string name, string symbol, string currency, ITIP20 indexed quoteToken, address admin ); // ========================================================================= // Errors // ========================================================================= /// @notice The provided quote token address is invalid or not a TIP-20 error InvalidQuoteToken(); } ``` ### Invariants * `totalSupply()` must always equal to the sum of all `balanceOf(account)` over all accounts. * `totalSupply()` must always be `<= supplyCap` * When `paused` is `true`, no functions that move tokens (`transfer`, `transferFrom`, memo variants, `systemTransferFrom`, `startReward`, `setRewardRecipient`, `claimRewards`) can succeed. * TIP20 tokens cannot be transferred to another TIP20 token contract address. * `systemTransferFrom`, `transferFeePreTx`, and `transferFeePostTx` never change `totalSupply()`. import LucideDroplet from '~icons/lucide/droplet' import LucideFileText from '~icons/lucide/file-text' import LucideWallet from '~icons/lucide/wallet' import LucideShieldCheck from '~icons/lucide/shield-check' import * as Card from "../../../components/Card.tsx" ## Transaction Fees Tempo has no native token. Instead, transaction fees—including both gas fees and priority fees—can be paid directly in stablecoins. When you send a transaction, you can choose which supported stablecoin to use for fees. For a stablecoin to be accepted, it must be USD-denominated, issued as a native TIP-20 contract, and have sufficient liquidity on the native Fee AMM. Tempo uses a fixed base fee (rather than a variable base fee as in EIP-1559), set so that a TIP-20 transfer costs less than $0.001. All fees accrue to the validator who proposes the block. ### Learn More import { Callout } from 'vocs/components' ## Fee AMM Specification ### Abstract This specification defines a system of one-way Automated Market Makers (AMMs) designed to facilitate gas fee payments from a user using one stablecoin (the `userToken`) to a validator who prefers a different stablecoin (the `validatorToken`). Each AMM handles fee swaps from a `userToken` to a `validatorToken` at one price (0.9970 `validatorToken` per `userToken`), and allows rebalancing in the other direction at another fixed price (0.9985 `validatorToken` per `userToken`). ### Motivation Current blockchain fee systems typically require users to hold native tokens for gas payments. This creates friction for users who prefer to transact in stablecoins. The Fee AMM is a dedicated AMM for trading between stablecoins, which can only be used by the protocol (and by arbitrageurs rebalancing it to keep it balanced). The protocol automatically collects fees in many different coins during the block, and then sells them all at the end of the block (paying a constant price) into the token preferred by the validator. The system is designed to minimize several forms of MEV: * **No Probabilistic MEV**: The fixed fee swap rate and batch settlement prevent profitable backrunning of fee swaps. There is no way to profitably spam the chain with transactions hoping an opportunity might arise. * **No Sandwich Attacks**: Fee swaps execute at a fixed rate and settle atomically at block end, eliminating sandwich attack vectors. * **Top-of-Block Auction**: The main MEV in the AMM (from rebalancing) occurs as a single race at the top of the next block rather than creating probabilistic spam throughout. ### Specification #### Overview The Fee AMM implements two distinct swap mechanisms: 1. **Fee Swaps**: Fixed-rate swaps at a price of `0.9970` (validator token per user token) from `userToken` to `validatorToken` 2. **Rebalancing Swaps**: Fixed-rate swaps at a price of `0.9985` (validator token per user token) from `validatorToken` to `userToken` #### Core Components ##### 1. FeeAMM Contract The primary AMM contract managing liquidity pools and swap operations. ##### Pool Structure ```solidity struct Pool { uint128 reserveUserToken; // Reserve of userToken uint128 reserveValidatorToken; // Reserve of validatorToken } ``` Each pool is directional: `userToken` → `validatorToken`. For a pair of tokens A and B, there are two separate pools: * Pool(A, B): for swapping A to B at fixed rate of 0.997 (fee swaps) and B to A at fixed rate of 0.9985 (rebalancing) * Pool(B, A): for swapping B to A at fixed rate of 0.997 (fee swaps) and A to B at fixed rate of 0.9985 (rebalancing) ##### Constants * `M = 9970` (scaled by 10000, representing 0.9970) * `N = 9985` (scaled by 10000, representing 0.9985) * `SCALE = 10000` * `MIN_LIQUIDITY = 1000` ##### Key Functions ```solidity function getPool( address userToken, address validatorToken ) external view returns (Pool memory) ``` Returns the pool structure for a given token pair. ```solidity function getPoolId( address userToken, address validatorToken ) external pure returns (bytes32) ``` Returns the pool ID for a given token pair (used internally for pool lookup). ```solidity function rebalanceSwap( address userToken, address validatorToken, uint256 amountOut, address to ) external returns (uint256 amountIn) ``` Executes rebalancing swaps from `validatorToken` to `userToken` at fixed rate of 0.9985 (validator token per user token). Can be executed by anyone. Calculates `amountIn = (amountOut * N) / SCALE + 1` (rounds up). Updates reserves immediately. Emits `RebalanceSwap` event. ```solidity function mint( address userToken, address validatorToken, uint256 amountUserToken, uint256 amountValidatorToken, address to ) external returns (uint256 liquidity) ``` Adds liquidity to a pool with both tokens. First provider sets initial reserves and must burn `MIN_LIQUIDITY` tokens. Subsequent providers must provide proportional amounts. Receives fungible LP tokens representing pro-rata share of pool reserves. ```solidity function mintWithValidatorToken( address userToken, address validatorToken, uint256 amountValidatorToken, address to ) external returns (uint256 liquidity) ``` Single-sided liquidity provision with validator token only. Treats the deposit as equivalent to performing a hypothetical `rebalanceSwap` first at rate `n = 0.9985` until the ratio of reserves match, then minting liquidity by depositing both. Formula: `liquidity = amountValidatorToken * _totalSupply / (V + n * U)`, where `n = N / SCALE`. Rounds down to avoid over-issuing LP tokens. Updates reserves by increasing only `validatorToken` by `amountValidatorToken`. Emits `Mint` event with `amountUserToken = 0`. ```solidity function burn( address userToken, address validatorToken, uint256 liquidity, address to ) external returns (uint256 amountUserToken, uint256 amountValidatorToken) ``` Burns LP tokens and receives pro-rata share of reserves. Reverts if withdrawal would prevent pending swaps at the end of the block. Emits `Burn` event. ```solidity function executePendingFeeSwaps( address userToken, address validatorToken ) internal returns (uint256 amountOut) ``` Settles all pending fee swaps by updating reserves. Calculates `amountOut = (amountIn * M) / SCALE`. Only executed by the protocol, at the end of each block. Emits `FeeSwap` event. ```solidity function reserveLiquidity( address userToken, address validatorToken, uint256 maxAmount ) internal returns (bool) ``` Reserves liquidity for a pending fee swap. Calculates `maxAmountOut = (maxAmount * M) / SCALE`. Verifies sufficient validator token reserves (accounting for pending swaps). Tracks pending swap input. ```solidity function releaseLiquidityPostTx( address userToken, address validatorToken, uint256 refundAmount ) internal ``` Releases reserved liquidity when fees are refunded. Decreases pending swap input by refund amount. ##### 2. FeeManager Contract Tempo introduces a precompiled contract, the `FeeManager`, at the address `0xfeec000000000000000000000000000000000000`. The `FeeManager` is a singleton contract that implements all the functions of the Fee AMM for every pool. It also handles the collection and refunding of fees during each transaction, stores fee token preferences for users and validators, and implements the `executeBlock()` function that is called by a system transaction at the end of each block. ##### Key Functions ```solidity function setUserToken(address token) external ``` Sets the default fee token preference for the caller (user). Requires token to be a USD TIP-20 token. Emits `UserTokenSet` event. Access: Direct calls only (not via delegatecall). ```solidity function setValidatorToken(address token) external ``` Sets the fee token preference for the caller (validator). Requires token to be a USD TIP-20 token. Cannot be called during a block built by that validator. Emits `ValidatorTokenSet` event. Access: Direct calls only (not via delegatecall). ```solidity function collectFeePreTx( address user, address userToken, uint256 maxAmount ) external ``` Called by the protocol before transaction execution. The fee token (`userToken`) is determined by the protocol before calling using logic that considers: explicit tx fee token, setUserToken calls, stored user preference, tx.to if TIP-20. Reserves AMM liquidity if user token differs from validator token. Collects maximum possible fee from user. Access: Protocol only (`msg.sender == address(0)`). ```solidity function collectFeePostTx( address user, uint256 maxAmount, uint256 actualUsed, address userToken ) external ``` Called by the protocol after transaction execution. The validator token and fee recipient are inferred from `block.coinbase`. Calculates refund amount: `refundAmount = maxAmount - actualUsed`. Refunds unused tokens to user. Releases reserved liquidity for refunded amount. Tracks collected fees for block-end settlement. Access: Protocol only (`msg.sender == address(0)`). ```solidity function executeBlock() external ``` Called once in a system transaction at the end of each block. Processes all collected fees and executes pending swaps. For each token with collected fees: if token differs from validator token, executes pending fee swaps via AMM and updates reserves and calculates output amount. Transfers all validator tokens to the validator (`block.coinbase`). Clears fee tracking arrays. Access: Protocol only (`msg.sender == address(0)`). #### Swap Mechanisms ##### Fee Swaps * **Rate**: Fixed at m=0.9970 (validator receives 0.9970 of their preferred token per 1 user token that user pays) * **Direction**: User token to validator token * **Purpose**: Convert tokens paid by users as fees to tokens preferred by validators * **Settlement**: Batched at block end via `executePendingFeeSwaps` * **Access**: Protocol only ##### Rebalancing Swaps * **Rate**: Fixed at n=0.9985 (swapper receives 1 of the user token for every 0.9985 that they put in of the validator's preferred token) * **Direction**: Validator token to user token * **Purpose**: Refill reserves of validator token in the pool * **Settlement**: Immediate * **Access**: Anyone #### Fee Collection Flow 1. **Pre-Transaction**: * Protocol determines user's fee token using logic that considers: explicit tx fee token, setUserToken calls, stored user preference, tx.to if TIP-20 * Protocol calculates maximum gas needed (`maxAmount = gasLimit * maxFeePerGas`) * `FeeManager.collectFeePreTx(user, userToken, maxAmount)` is called: * If user token differs from validator token, reserves AMM liquidity via `reserveLiquidity()` * Collects maximum fee from user using `transferFeePreTx()` * If any check fails (insufficient balance, insufficient liquidity), transaction is invalid 2. **Post-Transaction**: * Calculate actual gas used (`actualUsed = gasUsed * gasPrice`) * `FeeManager.collectFeePostTx(user, maxAmount, actualUsed, userToken)` is called: * Validator token and fee recipient are inferred from `block.coinbase` * Calculates refund: `refundAmount = maxAmount - actualUsed` * Refunds unused tokens to user via `transferFeePostTx()` * Releases reserved liquidity for refunded amount via `releaseLiquidityPostTx()` * Tracks collected fees (actual used amount) for block-end settlement 3. **Block End**: * System transaction calls `FeeManager.executeBlock()`: * For each token with collected fees: * If token differs from validator token, executes pending fee swaps via `executePendingFeeSwaps()` * Updates pool reserves (adds userToken, subtracts validatorToken) * Transfers all validator tokens to validator (`block.coinbase`) * Clears fee tracking arrays #### Events ```solidity event RebalanceSwap( address indexed userToken, address indexed validatorToken, address indexed swapper, uint256 amountIn, uint256 amountOut ) event FeeSwap( address indexed userToken, address indexed validatorToken, uint256 amountIn, uint256 amountOut ) event Mint( address indexed sender, address indexed userToken, address indexed validatorToken, uint256 amountUserToken, uint256 amountValidatorToken, uint256 liquidity ) event Burn( address indexed sender, address indexed userToken, address indexed validatorToken, uint256 amountUserToken, uint256 amountValidatorToken, uint256 liquidity, address to ) event UserTokenSet(address indexed user, address indexed token) event ValidatorTokenSet(address indexed validator, address indexed token) ``` `Transfer` events are emitted as usual for transactions, with the exception of paying gas fees via TIP20 tokens. For fee payments, a single `Transfer` event is emitted post execution to represent the actual fee amount consumed (i.e. `gasUsed * gasPrice`). #### System transactions This specification introduces **system transactions**, with the first being the `executeBlock()` call to the `FeeManager` contract at the end of each block. A system transaction is a legacy transaction with an empty signature (`r = 0`, `s = 0`, `yParity = false`) and with the sender as the 0 address (`0x0000000000000000000000000000000000000000`). System transactions are only allowed when there is a specific consensus rule allowing them. A block is invalid if any required system transaction is missing or if any extra system transaction is present. System transactions do not consume block gas, do not increment a sender nonce, do not contribute to block gas limit, and do not pay fees. They may set any gas price and gas limit (as specified by a specific rule), regardless of their execution gas or the block base fee. System transactions must not revert. ##### Execution transaction Under this specification, exactly one system transaction must appear at the end of every block. It must have the following parameters: | Field | Value / Requirement | Notes / Validation | | --------------------- | -------------------------------------------- | ------------------------------------------------- | | **Type** | Legacy transaction | | | **Position in Block** | **Last transaction** | Block is **invalid** if absent or not last. | | **From (sender)** | `0x0000000000000000000000000000000000000000` | Zero address | | **To (recipient)** | `0xfeec000000000000000000000000000000000000` | FeeManager precompile. | | **Calldata** | `0xb306cc70` | ABI-encoded `executeBlock()`, no arguments. | | **Value** | `0` | No native token transfer. | | **Nonce** | 0 | | | **Gas Limit** | 0 | Does **not** contribute to block gas accounting. | | **Gas Price** | 0 | Independent of block base fee; does not pay fees. | | **Signature** | `r = 0`, `s = 0`, `yParity = false` | Empty signature designates system transaction. | The proposer **must** construct and include this transaction when building the block. A block is invalid if the transaction is absent or not in the final position. #### Gas Fee swaps are designed to be gas-free from the user perspective. The pre-tx and post-tx steps in each transaction do not cost any gas; nor does the system transaction at the end of each block. ## Fees ### Abstract This spec lays out how fees work on Tempo, including how fees are calculated, who pays them, and how the default fee token for a transaction is determined. ### Motivation On Tempo, users can pay gas fees in any [TIP-20](/protocol/tip20/spec) token whose currency is USD, as long as that stablecoin has sufficient liquidity on the enshrined [fee AMM](/protocol/fees/spec-fee-amm.mdx) against the token that the current validator wants to receive. In determining *which* token a user pays fees in, we want to maximize customizability (so that wallets or users can implement more sophisticated UX than is possible at the protocol layer), minimize surprise (particularly surprises in which a user pays fees in a stablecoin they did not expect to), and have sane default behavior so that users can begin using basic functions like payments even using wallets that are not customized for Tempo support. ### Fee units Fees in the `max_base_fee_per_gas` and `max_fee_per_gas` fields of transactions, as well as in the block's `base_fee_per_gas` field, are specified in units of **USD per 10^18 gas**. Since TIP-20 tokens have 6 decimal places, that means the fee for a transaction can be calculated as `ceil(base_fee * gas_used / 10^12)`. This unit is chosen to provide sufficient precision for low-fee transactions. Since TIP-20 tokens have only 6 decimal places (as opposed to the 18 decimal places of ETH), expressing fees directly in tokens per gas would not provide enough precision for transactions with very low gas costs. By scaling the fee paid by 10^-12, the protocol ensures that even small fee amounts can be accurately represented and calculated. ### Fee payment Before the execution of each transaction, the protocol takes the following steps: * Determine the [`fee_payer`](#fee-payer) of the transaction. * Determine the `fee_token` of the transaction, according to the [rules for fee token preferences](#fee-token-preferences). If the fee token cannot be determined, the transaction is invalid. * Compute the `max_fee` of the transaction as `gas_limit * gas_price`. * Deduct `max_fee` from the `fee_payer`'s balance of `fee_token`. If `fee_payer` does not have sufficient balance in `fee_token`, the transaction is invalid. * Reserve `max_fee` of liquidity on the [fee AMM](/protocol/fees/spec-fee-amm) between the `fee_token` and the validator's preferred fee token. If there is insufficient liquidity, the transaction is invalid. After the execution of each transaction: * Compute the `refund_amount` as `(gas_limit - gas_used) * gas_price`. * Credit the `fee_payer`'s address with `refund_amount` of `fee_token`. * Log a `Transfer` event from the user to the [fee manager contract](/protocol/fees/spec-fee-amm) for the net amount of the fee payment. ### Fee payer Tempo supports *sponsored transactions* in which the `fee_payer` is a different address from the `tx.origin` of the transaction. This is supported by Tempo's [new transaction type](/protocol/transactions/spec-tempo-transaction.mdx), which has a `fee_payer_signature` field. If no `fee_payer_signature` is provided, then the `fee_payer` of the transaction is its sender (`tx.origin`). If the `fee_payer_signature` field is set, then it is used to derive the `fee_payer` for the transaction, as described in the [transaction spec](/protocol/transactions/spec-tempo-transaction.mdx). For purposes of [fee token preferences](#fee-token-preferences), the `fee_payer` is the account that chooses the fee token. #### Fee sponsorship flow Presence of the `fee_payer_signature` field authorizes a third party to pay the transaction's gas costs while the original sender executes the transaction logic. :::steps ##### Sender signs the transaction The sender signs the transaction with their private key, signing over a blank fee token field. This means the sender delegates the choice of which fee token to use to the fee payer. ##### Fee payer selects and signs The fee payer selects which fee token to use, then signs over the transaction. ##### Transaction submission The fee token and fee payer signature is added to the transaction using the `fee_payer_signature` field and is then submitted. ##### Network validation The network validates both signatures and executes the transaction. ::: ##### Validation When `feePayerSignature` is present: * Both sender and fee payer signatures must be valid * Fee payer must have sufficient balance in the fee token * Transaction is rejected if either signature fails or fee payer's balance is insufficient ### Fee token preferences The protocol checks for token preferences in five ways, with this order of precedence: 1. Transaction (set by the `fee_token` field of the transaction) 2. Account (set on the FeeManager contract by the `fee_payer` of the transaction) 3. TIP-20 contract (if the transaction is calling any function on a TIP-20 contract, the transaction uses that token as its fee token) 4. Stablecoin Exchange (for certain swap calls, the transaction uses the `tokenIn` argument as its fee token) 5. PathUSD (as a fallback) The protocol checks preferences at each of these levels, stopping at the first one at which a preference is specified. At that level, the protocol performs the following checks. If any of the checks fail, the transaction is invalid (without looking at any further levels): * The token must be a TIP-20 token whose currency is USD. * The user must have sufficient balance in that token to pay the `gasLimit` on the transaction at the transaction's `gasPrice`. * There must be sufficient liquidity on the [fee AMM](/protocol/fees/spec-fee-amm.mdx), as discussed in that specification. If no preference is specified at the transaction, account, or contract level, the protocol falls back to [pathUSD](#pathusd). #### Transaction level Tempo's [new transaction type](/protocol/transactions/spec-tempo-transaction.mdx), allows transactions to specify a `fee_token` on the transaction. This overrides any preferences set at the account, contract, or validator level. For [sponsored transactions](#fee-payer), the `tx.origin` address does not sign over the `fee_token` field (allowing the `fee_payer` to choose the fee token). #### Account level An account can specify a fee token preference for all transactions for which it is the `fee_payer` (including both transactions it sponsors as well as non-sponsored transactions for which it is the `tx.origin`). This overrides any preference set at the contract or validator level. To set its preference, the account can call the `setUserToken` function on the FeeManager precompile. At this step, the protocol does one more check: * If the transaction is not a [Tempo transaction](/protocol/transactions/spec-tempo-transaction.mdx) *and* the transaction is a top-level call to the `setUserToken` function on the FeeManager, then the protocol checks the `token` argument to the function: * If that token is a TIP-20 whose currency is USD, that token is used as the fee token (unless the transaction specifies a `fee_token` at the [transaction level](#transaction-level)). * If that token is not a TIP-20 or its currency is not USD, the transaction is invalid. #### TIP-20 contracts If the top-level call of a transaction is to a TIP-20 contract for which the currency is USD, or *all* of the top-level calls of a TempoTransaction are to the same TIP-20 contract for which the currency is USD, that token is used as the user's fee token for that transaction (unless there is a preference specified at the [transaction](#transaction-level) or [account](#account-level) level). #### Stablecoin Exchange contract If the top-level call of a transaction is to the [Stablecoin Exchange](/protocol/exchange/spec.mdx) contract, the function being called is either `swapExactAmountIn` or `swapExactAmountOut`, and the `tokenIn` argument to that function is the address of a TIP-20 token for which the currency is USD, then the `tokenIn` argument is used as the user's fee token for the transaction (unless there is a preference specified at the [transaction](#transaction-level) or [account](#account-level) level). For [Tempo transactions](/protocol/transactions/spec-tempo-transaction.mdx), this rule applies only if there is only one top-level call in the transaction. #### pathUSD If no fee preference is set at the transaction, account, or contract level, the protocol falls back to [pathUSD](/protocol/exchange/pathUSD.mdx) as the user's fee token preference. ### Validator preferences Validators can set a default fee token preference that determines which stablecoin they receive for transaction fees. When users pay in different tokens, the Fee AMM automatically converts to the validator's preferred token. #### Setting validator preference To set their preference, validators call the `setValidatorToken` function on the FeeManager precompile: ```solidity // Set your preferred fee token feeManager.setValidatorToken(preferredTokenAddress); ``` After setting a validator token preference, all fees collected in blocks the validator proposes will be automatically converted to the chosen token (if needed) and transferred to the validator's account. On the Andantino testnet, validators currently expect alphaUSD (one of the tokens distributed by the faucet) as their fee token. If validators have not specified a fee token preference, the protocol falls back to expecting pathUSD as their fee token. #### Removing validator preference To remove a validator token preference, set it to the zero address: ```solidity // Remove validator token preference feeManager.setValidatorToken(address(0)); ``` ### Fee lifecycle This section describes the complete flow of how fees are collected, converted, and distributed from user to validator. #### Fee flow steps When a user submits a transaction on Tempo, fees are paid in their chosen stablecoin (determined by the [fee token preferences](#fee-token-preferences) hierarchy). If the validator prefers a different stablecoin, the Fee AMM automatically converts the user's payment to the validator's preferred token. ##### 1. User submits transaction The transaction is submitted with the fee token determined by the preference hierarchy. ##### 2. Pre-transaction collection Before the transaction executes, the `FeeManager` contract collects the maximum possible fee amount from the user: * Verifies the user has sufficient balance in their chosen fee token * Checks if the Fee AMM has enough liquidity (if conversion is needed) * Collects the maximum fee amount based on the transaction's gas limit If either check fails, the transaction is rejected before execution. ##### 3. Transaction execution The transaction executes normally. The actual gas consumed may be less than the maximum that was collected. ##### 4. Post-transaction refund After execution, the `FeeManager`: * Calculates the actual fee owed based on gas used * Refunds any unused tokens to the user * Queues the actual fee amount for conversion (if needed) ##### 5. Fee swap queuing If the user's fee token differs from the validator's preferred token, the fee is added to a pending fee swap queue for that token pair. The swap doesn't execute immediately—it's batched with all other fees collected during the block. If the user's fee token matches the validator's preference, no conversion is needed and the fee goes directly to the validator. ##### 6. End-of-block settlement At the end of each block, the protocol: 1. Calls `executePendingFeeSwaps()` on the Fee AMM for each token pair 2. Executes all pending fee swaps at a fixed rate of **0.9970** (validator receives 0.9970 of their token per 1.0 user token paid) 3. Updates the AMM pool reserves 4. Transfers the converted tokens to the validator's account This batched settlement prevents MEV attacks like sandwiching or backrunning individual fee payments. #### Fee swap mechanics Fee swaps always execute at a fixed rate of **0.9970**: ``` validatorTokenOut = userTokenIn × 0.9970 ``` This means: * User pays 1.0 USDC for fees * Validator receives 0.9970 USDT (if that's their preferred token) * The 0.003 (0.3%) difference goes to liquidity providers as a fee #### Example flow Here's a complete example of the fee lifecycle: 1. **Alice** wants to send a transaction and pays fees in **USDC** (her preferred token) 2. **Validator** prefers to receive fees in **USDT** 3. Alice's transaction has a max fee of 1.0 USDC 4. The FeeManager collects 1.0 USDC from Alice before execution 5. Transaction executes and uses 0.8 USDC worth of gas 6. The FeeManager refunds 0.2 USDC to Alice 7. The remaining 0.8 USDC is queued for conversion 8. At block end, the Fee AMM swaps 0.8 USDC → 0.7976 USDT (0.8 × 0.9970) 9. Validator receives 0.7976 USDT 10. Liquidity providers earn 0.0024 USDT from the 0.3% fee #### Gas costs The fee conversion process adds minimal overhead to transactions: * **Pre-transaction**: \~5,000 gas for balance and liquidity checks * **Post-transaction**: \~3,000 gas for refund and queue operations * **Block settlement**: Amortized across all transactions in the block For complete technical specifications on the Fee AMM mechanism, see the [Fee AMM Protocol Specification](/protocol/fees/spec-fee-amm). import LucideDroplet from '~icons/lucide/droplet' import LucideFileText from '~icons/lucide/file-text' import LucideCircleDollarSign from '~icons/lucide/circle-dollar-sign' import * as Card from "../../../../components/Card.tsx" ## Fee AMM Overview The Fee AMM (Automated Market Maker) is a dedicated system for converting transaction fees between different stablecoins. It enables users to pay fees in any supported stablecoin while allowing validators to receive fees in their preferred token. ### How It Works When a user pays fees in a stablecoin that differs from the validator's preference, the Fee AMM automatically converts the payment: * **User pays**: 1.0 of their chosen stablecoin * **Validator receives**: 0.9970 of their preferred stablecoin * **Liquidity providers earn**: 0.003 (0.3%) as fees This conversion happens automatically at the end of each block through batched swaps, preventing MEV attacks like sandwiching. ### Learn More import { Callout } from 'vocs/components' ## DEX Balance The Stablecoin DEX allows you to hold token balances directly using the DEX contract. This eliminates the need for token transfers on every trade, significantly reducing gas costs for active traders and liquidity providers. ### Why DEX Balances? When you trade or provide liquidity on the DEX, constantly transferring tokens between your wallet and the DEX contract wastes gas. By maintaining a balance via the DEX contract, you can: * **Save on gas costs** - Avoid ERC-20 transfer costs for each trade * **Trade more efficiently** - Execute multiple swaps without transfers between each trade * **Receive maker proceeds automatically** - When your limit orders are filled, proceeds are credited to your DEX balance instead of requiring a transfer for each fill ### Checking Your Balance Use the DEX contract to view your balance of any token held on the DEX: ```solidity function balanceOf( address user, address token ) external view returns (uint128) ``` **Example:** ```solidity uint128 balance = exchange.balanceOf(msg.sender, USDC_ADDRESS); ``` ### Using Your DEX Balance Each transaction that you authorize will use your DEX balance before using funds you approve from your wallet. When you execute a swap or place an order, the DEX contract automatically: 1. Checks if you have sufficient balance in the DEX 2. If insufficient, transfers the needed amount from your wallet to your DEX balance 3. Uses your DEX balance for the operation ### Withdrawing from the DEX Transfer tokens from your DEX balance back to your wallet: ```solidity function withdraw( address token, uint128 amount ) external ``` **Parameters:** * `token` - The token address to withdraw * `amount` - The amount to withdraw **Example:** ```solidity // Withdraw 1000 USDC from exchange to your wallet exchange.withdraw(USDC_ADDRESS, 1000e6); ``` The withdraw function will revert if you attempt to withdraw more than your available balance on the exchange. ### How Balances Work #### When Swapping * **Before swap**: Exchange checks your balance, transfers from wallet if needed * **After swap**: Output tokens are transferred directly to your wallet (not kept on exchange) #### When Placing Orders * **On placement**: Required tokens are debited from your exchange balance (or transferred from wallet if insufficient) * **When filled**: Proceeds are credited to your exchange balance * **On cancellation**: Unfilled portion is refunded to your exchange balance import { Callout } from 'vocs/components' ## Executing Swaps ### Swap Functions The exchange provides two primary swap functions: #### Swap Exact Amount In Specify the exact amount of tokens you want to sell, and receive at least a minimum amount: ```solidity function swapExactAmountIn( address tokenIn, address tokenOut, uint128 amountIn, uint128 minAmountOut ) external returns (uint128 amountOut) ``` **Parameters:** * `tokenIn` - The token address you're selling * `tokenOut` - The token address you're buying * `amountIn` - The exact amount of `tokenIn` to sell * `minAmountOut` - Minimum amount of `tokenOut` you'll accept (slippage protection) **Returns:** * `amountOut` - The actual amount of `tokenOut` received **Example:** Swap exactly 1000 USDC for at least 998 USDT: ```solidity uint128 amountOut = exchange.swapExactAmountIn( USDC_ADDRESS, USDT_ADDRESS, 1000e6, // Sell exactly 1000 USDC 998e6 // Receive at least 998 USDT ); ``` #### Swap Exact Amount Out Specify the exact amount of tokens you want to receive, and pay at most a maximum amount: ```solidity function swapExactAmountOut( address tokenIn, address tokenOut, uint128 amountOut, uint128 maxAmountIn ) external returns (uint128 amountIn) ``` **Parameters:** * `tokenIn` - The token address you're selling * `tokenOut` - The token address you're buying * `amountOut` - The exact amount of `tokenOut` to receive * `maxAmountIn` - Maximum amount of `tokenIn` you'll pay (slippage protection) **Returns:** * `amountIn` - The actual amount of `tokenIn` spent **Example:** Receive exactly 1000 USDT by spending at most 1002 USDC: ```solidity uint128 amountIn = exchange.swapExactAmountOut( USDC_ADDRESS, USDT_ADDRESS, 1000e6, // Receive exactly 1000 USDT 1002e6 // Pay at most 1002 USDC ); ``` ### Quoting Prices Before executing a swap, you can query the expected price using view functions that simulate the swap without executing it: #### Quote Exact Amount In ```solidity function quoteSwapExactAmountIn( address tokenIn, address tokenOut, uint128 amountIn ) external view returns (uint128 amountOut) ``` Returns how much `tokenOut` you would receive for a given `amountIn`. #### Quote Exact Amount Out ```solidity function quoteSwapExactAmountOut( address tokenIn, address tokenOut, uint128 amountOut ) external view returns (uint128 amountIn) ``` Returns how much `tokenIn` you would need to spend to receive a given `amountOut`. **Example: Getting a price quote** ```solidity // Check how much USDT you'd get for 1000 USDC uint128 expectedOut = exchange.quoteSwapExactAmountIn( USDC_ADDRESS, USDT_ADDRESS, 1000e6 ); // Only execute if the price is acceptable if (expectedOut >= 998e6) { exchange.swapExactAmountIn(USDC_ADDRESS, USDT_ADDRESS, 1000e6, 998e6); } ``` ### How Swaps Execute When you call a swap function: 1. **Balance Check**: The contract first checks your balance on the DEX 2. **Transfer if Needed**: If your DEX balance is insufficient, tokens are transferred from your wallet 3. **Order Matching**: The DEX walks through orders at each price tick, from best to worst: * Orders are consumed in price-time priority order * Each filled order credits the maker's balance on the DEX * Continues until your swap is complete or limit price is reached 4. **Slippage Check**: Reverts if `minAmountOut` (or `maxAmountIn`) constraints aren't met 5. **Settlement**: Your output tokens are transferred to your wallet Swaps will revert with an `InsufficientLiquidity` error if there isn't enough liquidity in the orderbook to satisfy your slippage constraints. ### Gas Costs Swap gas costs scale with the number of orders and ticks your trade crosses: * Base swap cost (transfers and setup) * Per-order cost (for each order filled) * Per-tick cost (for each price level crossed) * Per-flip cost (if any flip orders are triggered) Larger swaps that cross more orders will cost more gas, but the cost per unit of volume decreases. ### Token Balances on the DEX The DEX allows you to track token balances directly within the DEX contract, which saves gas by avoiding ERC-20 transfers on every trade. When you execute a swap, the contract first checks your DEX balance and only transfers from your wallet if needed. For complete details on checking balances, depositing, withdrawing, and managing your DEX balance, see the [DEX Balance](/protocol/exchange/exchange-balance) page. import { Callout } from 'vocs/components' import LucideArrowLeftRight from '~icons/lucide/arrow-left-right' import LucideDroplet from '~icons/lucide/droplet' import LucideWallet from '~icons/lucide/wallet' import * as Card from "../../../components/Card.tsx" ## Exchanging Stablecoins Tempo features an enshrined decentralized exchange (DEX) designed specifically for trading between stablecoins of the same underlying asset (e.g., USDC to USDT). The exchange provides optimal pricing for cross-stablecoin payments while minimizing chain load from excessive market activity. The exchange operates as a singleton precompiled contract at address `0xdec0000000000000000000000000000000000000`. It maintains an orderbook with separate queues for each price tick, using price-time priority for order matching. Trading pairs are determined by each token's quote token. All TIP-20 tokens specify a quote token for trading on the exchange. Tokens can choose [pathUSD](/protocol/exchange/pathUSD) as their quote token. See the [Stablecoin DEX Specification](/protocol/exchange/spec) for detailed information on the exchange structure. The exchange supports three types of orders, each with different execution behavior: | Order Type | Description | | ----------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [**Limit Orders**](/protocol/exchange/providing-liquidity#limit-orders) | Place orders at specific price levels that wait in the book until matched or cancelled. New orders are queued and added to the book at the end of the block. | | [**Flip Orders**](/protocol/exchange/providing-liquidity#flip-orders) | Special orders that automatically reverse to the opposite side when completely filled, acting like a perpetual liquidity pool. Filled flip orders automatically create new orders on the opposite side during end-of-block settlement. | | [**Market Orders**](/protocol/exchange/executing-swaps#swap-functions) | Execute immediately against the best available orders in the book (via swap functions). Swaps and cancellations execute immediately within the transaction. | This execution model prevents MEV by making it impossible to backrun new orders or perform JIT liquidity attacks. For the complete execution mechanics, see the [Stablecoin DEX Specification](/protocol/exchange/spec). To get started with the exchange, explore these guides: For a more complete technical specification including design decisions and details of execution semantics, see the [Stablecoin DEX Specification](/protocol/exchange/spec). ## pathUSD ### Abstract pathUSD is a USD-denominated stablecoin that can be used as a quote token on Tempo's decentralized exchange. It is the first stablecoin deployed to the chain, and is used as a fallback gas token when the user or validator does not specify a gas token. Use of pathUSD is optional. ### Motivation Each USD TIP-20 on Tempo can choose any other USD TIP-20 as its [quote token](/protocol/exchange/spec.mdx#quote-tokens)—the token it is paired against on the [native decentralized exchange](/protocol/exchange/spec.mdx). This guarantees that there is one path between any two tokens, which reduces fragmentation of liquidity and simplifies routing. While on other chains, most liquidity accrues to a few stablecoins, or even one, Tempo offers a USD-denominated stablecoin, pathUSD, that other stablecoins can choose as their quote token. PathUSD is not meant to compete as a consumer-facing stablecoin. Use of pathUSD is optional, and tokens are able to list any other token as their quote token if they choose. PathUSD can also be accepted as a fee token by validators. ### Specification #### Contract PathUSD is a predeployed [TIP-20](/protocol/tip20/spec.mdx) at genesis. Note that since it is the first TIP-20 contract deployed, its quote token is the zero address. | Property | Value | | -------------- | -------------------------------------------- | | address | `0x20c0000000000000000000000000000000000000` | | `name()` | "pathUSD" | | `symbol()` | "pathUSD" | | `currency()` | "USD" | | `decimals()` | 6 | | `quoteToken()` | `address(0)` | ### How It Works When you create a USD stablecoin on Tempo, you can set pathUSD as its quote token: ```solidity TIP20 token = factory.createToken( "My Company USD", "MCUSD", "USD", TIP20(0x20c0000000000000000000000000000000000000), // pathUSD msg.sender ); ``` This means: * Your token trades against pathUSD on the decentralized exchange * Users can swap between your token and other USD stablecoins that also use pathUSD, or ones that are connected to it by a multi-hop path ##### Tree Structure This creates a tree structure where all USD stablecoins are connected via multi-hop paths. ``` USDX | pathUSD -- USDY -- USDZ | USDA ``` The tree structure guarantees that there is a single path between any two USD stablecoins, ensuring simple routing, concentrated liquidity, and efficient pricing, even for thinly-traded pairs. ##### Example: Cross-Stablecoin Payment 1. Market makers provide liquidity for USDX/pathUSD and USDY/pathUSD pairs 2. User wants to send USDX to a merchant who prefers USDY 3. DEX atomically routes: User's USDX → pathUSD → Merchant's USDY 4. Single action, no manual swaps This is critical for payments between parties with different stablecoin preferences. The user and merchant never touch pathUSD; it is used only as a routing mechanism. import { Callout } from 'vocs/components' ## Providing Liquidity Provide liquidity to the DEX by placing limit orders or flip orders in the onchain orderbook. When your orders are filled, you earn the spread between bid and ask prices while helping facilitate trades for other users. You can only place orders on pairs between a token and its designated quote token. All TIP-20 tokens specify a quote token for trading pairs. [PathUSD](/protocol/exchange/pathUSD) can be used as a simple choice for a quote token. ### Overview The DEX uses an onchain orderbook where you can place orders at specific price ticks. Orders are matched using price-time priority, meaning better-priced orders fill first, and within the same price, earlier orders fill first. Unlike traditional AMMs, you specify exact prices where you want to buy or sell, giving you more precise control over your liquidity provision strategy. ### Order Types #### Limit Orders Standard orders that remain in the book at a specific price until filled or cancelled. ```solidity function place( address token, uint128 amount, bool isBid, int16 tick ) external returns (uint128 orderId) ``` **Parameters:** * `token` - The token address you're trading (must trade against its quote token) * `amount` - The amount of the token denominated in `token` * `isBid` - `true` for a buy order, `false` for a sell order * `tick` - The price tick: `(price - 1) * 100_000` where price is in quote token per token **Returns:** * `orderId` - Unique identifier for this order **Example: Place a bid to buy 1000 USDC at $0.9990** ```solidity // tick = (0.9990 - 1) * 100_000 = -10 uint128 orderId = exchange.place( USDC_ADDRESS, 1000e6, // Amount: 1000 USDC true, // isBid: buying USDC -10 // tick: price = $0.9990 ); ``` **Example: Place an ask to sell 1000 USDC at $1.0010** ```solidity // tick = (1.0010 - 1) * 100_000 = 10 uint128 orderId = exchange.place( USDC_ADDRESS, 1000e6, // Amount: 1000 USDC false, // isBid: selling USDC 10 // tick: price = $1.0010 ); ``` #### Flip Orders Special orders that automatically reverse to the opposite side when completely filled, creating perpetual liquidity similar to an automated market maker pool. ```solidity function placeFlip( address token, uint128 amount, bool isBid, int16 tick, int16 flipTick ) external returns (uint128 orderId) ``` **Parameters:** * All parameters from `place()`, plus: * `flipTick` - The price where the order will flip to when filled * Must be greater than `tick` if `isBid` is true * Must be less than `tick` if `isBid` is false **Returns:** * `orderId` - Unique identifier for this flip order **Example: Place a flip order providing liquidity on both sides** ```solidity // Place a bid at $0.9990 that flips to an ask at $1.0010 uint128 orderId = exchange.placeFlip( USDC_ADDRESS, 1000e6, // Amount: 1000 USDC true, // isBid: start as a buy order -10, // tick: buy at $0.9990 10 // flipTick: sell at $1.0010 after filled ); ``` When this order is completely filled: 1. You buy 1000 USDC at $0.9990 2. A new order automatically sells 1000 USDC at $1.0010 3. When that fills, it flips back to a bid at $0.9990 4. This continues indefinitely, earning the spread each time Flip orders act like a liquidity pool position, automatically providing liquidity on both sides of the market as they're filled back and forth. ### Understanding Ticks Prices are specified using ticks with 0.1 basis point (0.001%) precision: **Tick Formula:** `tick = (price - 1) × 100_000` **Price Formula:** `price = 1 + (tick / 100_000)` Where `price` is the token price in quote token units. #### Example Tick Calculations | Price | Tick | Calculation | | ------- | ---- | ------------------------------ | | $0.9990 | -100 | (0.9990 - 1) × 100\_000 = -100 | | $0.9998 | -20 | (0.9998 - 1) × 100\_000 = -20 | | $1.0000 | 0 | (1.0000 - 1) × 100\_000 = 0 | | $1.0002 | 20 | (1.0002 - 1) × 100\_000 = 20 | | $1.0010 | 100 | (1.0010 - 1) × 100\_000 = 100 | Price ticks are limited to ±2% from peg (±2000 ticks). Orders outside this range will be rejected. ### Bid vs Ask * **Bid (isBid = true)**: An order to *buy* the token using its quote token * **Ask (isBid = false)**: An order to *sell* the token for its quote token For a USDC/USD pair where USD is the quote: * A bid buys USDC with USD at your specified price * An ask sells USDC for USD at your specified price ### Order Execution Timeline Orders follow a specific lifecycle: 1. **Placement**: When you call `place()` or `placeFlip()`: * Tokens are debited from your DEX balance (or transferred if insufficient) * Order is queued but **not yet visible** to other contracts * Returns an order ID immediately 2. **End of Block**: All queued orders are added to the book: * Processed in the order they were placed * Filled flip orders from this block are added first * Orders become visible and matchable 3. **Filling**: As market orders execute against your order: * Your order fills partially or completely * Proceeds are credited to your DEX balance * If a flip order fills completely, it creates a new order on the opposite side **MEV Protection**: The delayed execution prevents backrunning and JIT (Just-In-Time) liquidity attacks, since orders aren't visible until the block ends. ### Cancelling Orders Remove an order from the book before it's filled: ```solidity function cancel( uint128 orderId ) external ``` **Example:** ```solidity // Cancel order #12345 exchange.cancel(12345); ``` Cancellations execute immediately, and any unfilled portion of your order is refunded to your [DEX balance](/protocol/exchange/exchange-balance). You can only cancel your own orders. Attempting to cancel another user's order will revert. ## Stablecoin DEX ### Abstract This specification defines an enshrined decentralized exchange for trading between TIP-20 stablecoins. The exchange currently only supports trading between TIP-20 stablecoins with USD as their currency. By only allowing each stablecoin to be paired against its designated "quote token" the exchange enforces that there is only one route for trading between any two tokens. The exchange maintains price‑time priority at each discrete price tick, executes swaps immediately against the active book, and supports auto‑replenishing “flip orders” that recreate themselves on the opposite side after being fully filled. Users maintain internal balances per token on the exchange. Order placement escrows funds from these balances (or transfers from the user if necessary), fills credit makers internally, and withdrawals transfer tokens out. ### Motivation Tempo aims to provide high‑quality execution for cross‑stablecoin payments while avoiding unnecessary chain load and minimizing mid‑block MEV surfaces. A simple, on‑chain, price‑time‑priority orderbook tailored to stable pairs encourages passive liquidity to rest on chain and allows takers to execute deterministically at the best available ticks. Another design goal is to avoid fragmentation of liquidity across many different pairs. By enforcing that each stablecoin only trades against a single quote token, the system guarantees that there is only one path between any two tokens. ### Specification #### Contract and scope The exchange is a singleton contract deployed at `0xdec0000000000000000000000000000000000000`. It exposes functions to create trading pairs, place and cancel orders (including flip orders), execute swaps, produce quotes, manage internal balances, and process end‑of‑block placement. #### Key concepts ##### Internal balances The contract maintains per‑user, per‑token internal balances. Order placement escrows funds from these balances (or transfers any shortfall from the user). When an order fills, the maker is credited internally with the counter‑asset at the order’s tick price. Users can withdraw available balances at any time. ##### Flip orders A flip order behaves like a normal resting order until it is fully filled. When filled, the exchange places a new order for the same maker on the opposite side at a configured `flipTick` (which must be greater than `tick` for bids and less for asks). This enables passive liquidity with flexible strategies. ##### Pairs, ticks, and prices Pairs are identified deterministically from the two token addresses (the base token is any TIP‑20, and its `quoteToken()` function points to the quote token). Prices are discretized into integer ticks with a tick size of 0.1 bps: with `PRICE_SCALE = 100_000`, `price = PRICE_SCALE + tick`. Orders may only be placed at ticks divisible by `TICK_SPACING = 10` (effectively setting a 1 bp tick size). The orderbook tracks best bid (highest active bid tick) and best ask (lowest active ask tick), and uses bitmaps over tick words for efficient discovery of the next initialized tick. ##### Quote tokens Each TIP‑20 token specifies a single quote token in its metadata via `quoteToken()`. A trading pair on the stablecoin exchange exists only between a base token and its designated quote token, and prices for the pair are denominated in units of the quote token. This design reduces liquidity fragmentation by giving every token exactly one paired asset. It also simplifies routing. We require that: 1. each token picks a single other stablecoin as its quote token, and, 2. quote token relationships cannot have circular dependencies. This forces liquidity into a tree structure, which in turn implies that there is only one path between any two stablecoins USD tokens can only choose USD tokens as their quote token. Non-USD TIP-20 tokens can pick any token as their quote token, but currently there is no support for cross-currency trading, or same-currency trading of non-USD tokens, on the DEX. The platform offers a neutral USD stablecoin, [`pathUSD`](/protocol/exchange/pathUSD), as an option for quote token. PathUSD is the first stablecoin deployed on the chain, which means it has no quote token. Use of pathUSD is optional. ##### Swaps Swaps execute immediately against the active book. Selling base for quote starts at the current best bid and walks downward as ticks are exhausted; selling quote for base starts at the best ask and walks upward. Within a tick, fills are FIFO and decrement the tick’s total liquidity. When a tick empties, it is de‑initialized. Callers can swap between any two USD TIP-20 tokens. If `tokenIn` and `tokenOut` are not directly paired, the implementation finds the unique path between them through quote‑token relationships, and performs a multi‑hop swap/quote. ##### Crossed books Crossed books are permitted; the implementation does not enforce that best bid ≤ best ask. This primarily supports flip‑order scenarios. ##### Constraints * Only USD‑denominated tokens are supported, and their quotes must also be USD * Orders must specify ticks within the configured bounds (±2000) * Tick spacing is 10: `tick % 10 == 0` for orders and flip orders * Withdrawals require sufficient internal balance #### Interface Below is the complete on‑chain interface, organized by function. Behavior notes and constraints are included with each function where relevant. ##### Constants and pricing ```solidity function PRICE_SCALE() external view returns (uint32); ``` Scaling factor for tick‑based prices. One tick equals 1/PRICE\_SCALE above or below the peg. Current value: `100_000` (0.001% per tick). ```solidity function TICK_SPACING() external view returns (int16); ``` Orders must be placed on ticks divisible by `TICK_SPACING`. Current value: `10` (i.e., 1 bp grid). ```solidity function MIN_TICK() external view returns (int16); function MAX_TICK() external view returns (int16); ``` Inclusive tick bounds for order placement. Current range: ±2000 ticks (±2%). ```solidity function MIN_PRICE() external view returns (uint32); function MAX_PRICE() external view returns (uint32); ``` Price bounds implied by tick bounds and `PRICE_SCALE`. ```solidity function tickToPrice(int16 tick) external pure returns (uint32 price); function priceToTick(uint32 price) external pure returns (int16 tick); ``` Convert between discrete ticks and scaled prices. `priceToTick` reverts if `price` is out of bounds. ##### Pairing and orderbook ```solidity function pairKey(address tokenA, address tokenB) external pure returns (bytes32 key); ``` Deterministic key for a pair derived from the two token addresses (order‑independent). ```solidity function createPair(address base) external returns (bytes32 key); ``` Creates the pair between `base` and its `quoteToken()` (from TIP‑20). Both must be USD‑denominated. Reverts if the pair already exists or tokens are not USD. ```solidity function books(bytes32 pairKey) external view returns (address base, address quote, int16 bestBidTick, int16 bestAskTick); ``` Returns pair metadata and current best‑of‑side ticks. Best ticks may be sentinel values when no liquidity exists. ```solidity function getTickLevel(address base, int16 tick, bool isBid) external view returns (uint128 head, uint128 tail, uint128 totalLiquidity); ``` Returns FIFO head/tail order IDs and aggregate liquidity for a tick on a side, allowing indexers to reconstruct the active book. ##### Internal balances ```solidity function balanceOf(address user, address token) external view returns (uint128); ``` Returns a user’s internal balance for `token` held on the exchange. ```solidity function withdraw(address token, uint128 amount) external; ``` Transfers `amount` of `token` from the caller’s internal balance to the caller. Reverts if insufficient internal balance. ##### Order placement and lifecycle ```solidity function place(address token, uint128 amount, bool isBid, int16 tick) external returns (uint128 orderId); ``` Places a limit order against the pair of `token` and its quote, immediately adding it to the active book. Escrows funds: bids escrow quote at tick price; asks escrow base. Notes: * `tick` must be within `[MIN_TICK, MAX_TICK]` and divisible by `TICK_SPACING` (10). ```solidity function placeFlip(address token, uint128 amount, bool isBid, int16 tick, int16 flipTick) external returns (uint128 orderId); ``` Like `place`, but marks the order as a flip order. When fully filled, a new order for the same maker is scheduled on the opposite side at `flipTick` (which must be greater than `tick` for bids and less for asks). Notes: * Both `tick` and `flipTick` must be within `[MIN_TICK, MAX_TICK]` and divisible by `TICK_SPACING` (10). ```solidity function cancel(uint128 orderId) external; ``` Cancels an order owned by the caller. When canceled, the order is removed from the tick queue, liquidity is decremented, and remaining escrow is refunded to the order owner's exchange balance which can then be withdrawn. ```solidity function nextOrderId() external view returns (uint128); ``` Monotonic counter for next orderId. ##### Swaps and quoting ```solidity function quoteSwapExactAmountIn(address tokenIn, address tokenOut, uint128 amountIn) external view returns (uint128 amountOut); ``` Simulates an exact‑in swap walking initialized ticks and returns the expected output. Reverts if the pair path lacks sufficient liquidity. ```solidity function quoteSwapExactAmountOut(address tokenIn, address tokenOut, uint128 amountOut) external view returns (uint128 amountIn); ``` Simulates an exact‑out swap and returns the required input. Reverts if insufficient liquidity. ```solidity function swapExactAmountIn(address tokenIn, address tokenOut, uint128 amountIn, uint128 minAmountOut) external returns (uint128 amountOut); ``` Executes an exact‑in swap against the active book. Deducts `amountIn` from caller’s internal balance (transferring any shortfall) and transfers output to the caller. Reverts if resulting `amountOut` is below `minAmountOut` or liquidity is insufficient. ```solidity function swapExactAmountOut(address tokenIn, address tokenOut, uint128 amountOut, uint128 maxAmountIn) external returns (uint128 amountIn); ``` Executes an exact‑out swap. Deducts the actual input from the caller’s internal balance (transferring any shortfall from the user) and transfers `amountOut` to the caller. Reverts if required input exceeds `maxAmountIn` or liquidity is insufficient. ##### Events ```solidity event PairCreated(bytes32 indexed key, address indexed base, address indexed quote); event OrderPlaced(uint128 indexed orderId, address indexed maker, address indexed token, uint128 amount, bool isBid, int16 tick); event FlipOrderPlaced(uint128 indexed orderId, address indexed maker, address indexed token, uint128 amount, bool isBid, int16 tick, int16 flipTick); event OrderCancelled(uint128 indexed orderId); event OrderFilled(uint128 indexed orderId, address indexed maker, address indexed taker, uint128 amountFilled, bool partialFill); ``` ##### Errors ```solidity error Unauthorized(); ``` * Pair creation or usage: `PAIR_EXISTS`, `PAIR_NOT_EXISTS`, `ONLY_USD_PAIRS` * Bounds: `TICK_OUT_OF_BOUNDS`, `FLIP_TICK_OUT_OF_BOUNDS`, `FLIP_TICK_MUST_BE_GREATER_FOR_BID`, `FLIP_TICK_MUST_BE_LESS_FOR_ASK`, "Price out of bounds" * Tick spacing: `TICK_NOT_MULTIPLE_OF_SPACING`, `FLIP_TICK_NOT_MULTIPLE_OF_SPACING` * Liquidity and limits: `INSUFFICIENT_LIQUIDITY`, `MAX_IN_EXCEEDED`, `INSUFFICIENT_OUTPUT` * Authorization: `UNAUTHORIZED` (cancel not by maker) * Balance: `INSUFFICIENT_BALANCE` (withdraw) ## Blockspace Overview ### Abstract This specification defines the structure of valid blocks in the Tempo blockchain. ### Motivation Tempo blocks extend the Ethereum block format in multiple ways: there are new header fields to account for payment lanes and sub-blocks, and system transactions are added to the block body for the fee AMM and other protocol operations. This specification contains all the modifications to the block format. ### Specification #### Header fields Tempo extends an Ethereum header with three extra scalars. ```rust title="Header struct" pub struct Header { pub general_gas_limit: u64, pub shared_gas_limit: u64, pub timestamp_millis_part: u64, pub inner: Header, } ``` * `inner` is the canonical Ethereum header (parent\_hash, state\_root, gas\_limit, etc.). * `general_gas_limit` and `shared_gas_limit` carve up the canonical `gas_limit` for payment and sub-block gas (see [payment lane specification](/protocol/blockspace/payment-lane-specification) and [sub-block specification](/protocol/blockspace/sub-block-specification)). * `timestamp_millis_part` stores the sub‑second component; the full timestamp is `inner.timestamp * 1000 + timestamp_millis_part` . #### Block body The block body in Tempo retains the canonical Ethereum block body structure, with the addition of new system transactions. Transactions are ordered in the following sections: 1. Start-of-block system transaction(s) (must begin with the rewards registry call). 2. Proposer lane transactions, subject to `general_gas_limit` on non-payment transactions. 3. Sub-block transactions, grouped by proposer and prefixed with the reserved nonce key. 4. Gas incentive transactions that consume leftover shared gas. 5. End-of-block system transactions (see below). #### System transactions A valid tempo block must contain the following new system transactions * **Rewards Registry (start-of-block)** — must be the first transaction in the block body; refreshes validator rewards metadata before user transactions begin. Detailed specification [here](/protocol/tip20-rewards/spec). * **Fee Manager (end-of-block 1/3)** — settles block fee accounting. Detailed specification [here](/protocol/fees/spec-fee-amm). * **Stablecoin DEX (end-of-block 2/3)** — settles stablecoin exchange balances. Detailed specification [here](/protocol/exchange/spec). * **Subblock Metadata (end-of-block 3/3)** — contains metadata about the sub-blocks included in the block. Detailed specification [here](/protocol/blockspace/sub-block-specification). import { Callout } from 'vocs/components' ## Payment Lane Specification ### Abstract This specification introduces a second consensus gas constraint for **non-payment** transactions. Transactions are classified as either payments or non-payments based solely on their transaction data, without requiring any access to blockchain state. For a block to be valid, total `gas_used` by the block must be less than the `gas_limit`. Non-payment transactions executed in the proposer's lane (i.e. before the gas incentive section) must consume at most `general_gas_limit`, a new field added to the header. Once that budget is exhausted, any additional inclusion must come via the gas incentive lane defined in the [sub-blocks specification](/protocol/blockspace/sub-block-specification). ### Motivation Tempo ensures that payment transactions always have available blockspace, even during periods of high network congestion from DeFi activity or complex smart contracts. No action is required by the user to take advantage of this feature. This is achieved through **separate gas limits** for payment and non-payment transactions. When blocks are constructed, validators enforce two separate gas constraints: 1. **`gas_limit`** — The total gas available for all transactions (standard Ethereum behavior) 2. **`general_gas_limit`** — The maximum gas that non-payment transactions can consume Non-payment transactions in the proposer's lane can only fill up to `general_gas_limit`, payment transactions can still use the remaining capacity up. ### Terminology * **Payment transaction:** Determined by a function, `is_payment(tx) -> bool`. This function returns true if the transaction is a payment transaction, false otherwise. * **Non-payment transaction:** `!is_payment(tx)`. ### Specification #### 1. Transaction classification A transaction is classified as a **payment transaction** when: 1. the recipient address (`tx.to`) starts with the TIP-20 payment prefix `0x20c0000000000000000000000000`, or, 2. for TempoTransactions, every entry in `tx.calls` targets an address starting with the TIP-20 payment prefix `0x20c0000000000000000000000000`. This classification is performed entirely on the transaction payload, no account state is consulted. Later upgrades may enable other kinds of transactions to be classified as payment transactions as well. #### 2. Ordering of Transactions The specification does not require any specific ordering of transactions: payment and non-payment transactions can be intermixed. #### 3. Gas accounting & validity (consensus) Validity of a block requires that, ``` general_gas_limit >= Σ gas_consumed(tx[i]) for all i such that !is_payment(tx[i]) and tx[i] is in the proposer's lane ``` Where `gas_consumed` includes intrinsic gas and gas burned by reverts, as in the existing protocol. import { Callout } from 'vocs/components' ## Sub-block Specification ### Abstract This proposal allows non-proposing validators to propose a limited set of transactions in each block through signed **sub-blocks**. Sub-blocks are sent directly to the main proposer and their transactions are included in the block as described below. Consensus does not enforce inclusion. The proposer is incentivized to include sub-blocks by provisioning additional gas upon sub-block inclusion, which permits them to include additional transactions at the bottom of the block as described below. ### Motivation In traditional blockchains, only the current block proposer can include transactions. This means validators must wait for their scheduled slot to provide fast inclusion for their users. Tempo changes this by letting **all validators** contribute transactions to every block through sub-blocks. For validators, this is good as they no longer have to wait for their turn as proposer to provide low-latency inclusion for their users. They have guaranteed access to blockspace in every block, allowing them to include transactions whenever needed. Validators can also ensure a specific transaction execution order within their sub-block, giving them controlled ordering of their transactions. For users, this is good because transactions can be included faster since they can go through any validator, not just the current proposer. Access to blockspace becomes more predictable as it is smoothed across all validators rather than being concentrated with a single proposer. Time-sensitive transactions benefit from lower latency and can be included more quickly. This proposal smooths access to blockspace across validators. It enables every validator to provide low-latency inclusion for themselves, their users, or their partners, without waiting for their turn as proposer. ### Specification This specification describes the process in temporal order. #### 0. Definitions * The gas limit of the whole block is `G`. There are `n` validators: 1 proposer and `n-1` other non-proposers. * `f` fraction of the gas limit of the block, `0 < f < 1` is reserved for the main proposer. #### 1. Sub-blocks * Each validator can construct a sub-block. Sub-blocks follow this structure: ``` sub-block = rlp([version, parent_hash, fee_recipient, [transactions], signature]) ``` where: * `version = 1`, * `parent_hash` is the parent hash of the previous block. * `fee_recipient` is the EOA at which this validator wants to receive the fees included in this block. * `[transactions]` is an ordered list of transactions. Transactions in a sub-block must satisfy additional conditions described below in [Section 1.1](#11-sub-block-transactions). We explicitly allow for this list to be empty: a validator with no transactions to propose may still send a sub-block so that the proposer gets extra gas for the gas incentive region, described below. * The `signature` field is the validator signing over a hash computed as\ `keccak256(magic_byte || rlp([version, parent_hash, fee_recipient, [transactions]]))`, where `magic_byte = 0x78`, The signature ensures that this sub-block is valid only for the declared slot, and that the proposer cannot alter the order or set of transactions included in a sub-block. * The validator sends this sub-block directly to the next proposer. For each validator `i`, define `unreservedGas[i] = (1 - f) * G / n - Σ(gasLimit of transactions in sub-block[i])` ##### 1.1 Sub-block Transactions We use the two-dimensional nonce sequence to simplify transaction validity. In this construction, the nonce\_key is a `u256` value. Let `validatorPubKey` be the public key of the validator proposing a given sub-block. Let `validatorPubKey120` be the most significant 120 bits of the validator's public key. We reserve sequence keys to each validator by requiring that the first (most significant) byte of the `sequence key` is the constant byte `0x5b`, and the next 15 bytes (120 bits) encode `validatorPubKey120`. Formally, we require that: 1. The `sequence key` of any transaction in the sub-block is of the form `(0x5b << 248) + (validatorPubKey120 << 128) + x`, where `x` is a value between `0` and `2**128 - 1`. In other words, the most significant byte of the sequence key is always `0x5b`, the next 15 bytes are the most significant 120 bits of the validator's public key, and the final 32 bytes (128 bits) still allow for 2D-nonces. 2. No two validators share the same `validatorPubKey120`; each validator's reserved space is distinct. This explicit prefixing with `0x5b` ensures the reserved sequence key space is unambiguous and disjoint across validators. Sub-block proposers control all sequence keys of the form above, and can ensure that nonces are sequential within their space. **Reserved Nonce Space** To prevent transaction conflicts, each validator has a reserved nonce space. Transactions in sub-blocks use special nonce sequence keys that identify which validator proposed them. This ensures that validators can't interfere with each other's transactions. Further, we require that sub-block transactions are signed solely by the root EOA key of the address sending the transaction. #### 2. Block Construction The proposer collects sub-blocks from other validators. It now constructs a block with the following contents: ``` transactions = [list of own transactions] | [sub-block transactions] | [gas incentive transactions] ``` * `list of own transactions` are regular transactions from the proposer with `f * G` gas limit. * `sub-block transactions` are transactions from the included sub-blocks. **This includes a sub-block from the proposer itself if the proposer desires.** Nonce sequence keys with prefix `0x5b` should only appear in this section. * `gas incentive transactions` are additional transactions that the proposer can include after the sub-block transactions, with additional gas defined below. We have the following new **header field**: ``` shared_gas_limit // The total gas limit allocated for the sub-blocks and gas incentive transactions ``` ##### 2.1 System transaction The block includes a **new system transaction**, whose call data contains, for each included sub-block, the public key of the validator proposing, the `feeRecipient` for that sub-block and the signature of the sub-block. It is a no-op, and is there for execution layer blocks to be self-contained/carry all context. | Field | Value / Requirement | Notes / Validation | | --------------------- | ------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | | **Type** | Legacy transaction | | | **Position in Block** | **Last transaction** | Block is **invalid** if absent. | | **From (sender)** | `0x0000000000000000000000000000000000000000` | Zero address | | **To (recipient)** | `0x0000000000000000000000000000000000000000` | No-op | | **Calldata** | `rlp([[version, validator_pubkey, fee_recipient, signature], ...])` | Sub-block version (currently = 1), each included sub-block's validator public key, fee\_recipient, and signature. | | **Value** | `0` | No native token transfer. | | **Nonce** | 0 | | | **Gas Limit** | 0 | Does **not** contribute to block gas accounting. | | **Gas Price** | 0 | Independent of block base fee; does not pay fees. | | **Signature** | `r = 0`, `s = 0`, `yParity = false` | Empty signature designates system transaction. | #### 3. Proposer Behavior * Construct Main Block in the usual way. * Collect sub-blocks from validators, including from self. Verify signatures and gas bounds of sub-blocks. Skip (i.e., do not include) invalid or missing sub-blocks; include valid ones. Transactions from a sub-block must be contiguous in the block, but sub-blocks can be included in any order. * Compute proposer Gas Incentive section limit: ``` gasIncentiveLimit = Σ(unreservedGas[i]) for all included sub-blocks [i] ``` * Append transactions at the bottom up to this gas limit. * Construct and include the [system transaction](#21-system-transaction) at the bottom of the block. ##### 3.1 Proposer Incentives * We do not enforce censorship-resistance for the transactions at consensus layer. * Proposer is incentivized by additional gas from sub-blocks included and reciprocity. * Additional gas is unrestricted so it could include backruns etc from sub-block transactions. #### 4. Block Validity Rules: We can now define what a valid block is: 1. Gas Limits: * `[list of own transactions]` uses gas at most `f * G`. * `[sub-block transactions]`: the sum of `gas_limits` of all transactions in each sub-block is lower than the per-sub block gas limit: `Σ(gasLimit of transactions in sub-block[i]) <= (1-f) * G / n`. * `[gas incentive transactions]` use total gas `<= gasIncentiveLimit`. * General transactions gas limit from payments lane spec applies to `[list of own transactions]`. 2. Transactions with nonce sequence key prefix `0x5b` appear only in the `[sub-block transactions]`. Transactions are contiguous by validator. The `[list of own transactions]` and `[gas incentive transactions]` can use any un-reserved `sequence key`. 3. [System transaction](#21-system-transaction) is present, in the correct position, and valid (matches contents of the block). 4. Transactions in the main proposers's section and the gas incentive section are valid in the standard way (signature, nonce, can pay fees). ##### 4.1 Failures for Sub-block Transactions Even if a transaction can pay its fees when the sub-block is created (i.e., when the sub-block is sent to the proposer), it may not be able to pay its fees when the sub-block is included and the block is processed. Here is a list of possible scenarios: * **Fee Failure Scenarios**: - The Fee AMM liquidity for the user's `fee_token` is insufficient (e.g., it was used up by previous transactions in the block). - The user's balance of the `fee_token` is insufficient (e.g., the user spent that balance in previous transactions in the block). - The user or validator changed their `fee_token` preference in the block and the transaction cannot pay its fees because of the new preference. In all these scenarios, transaction is considered valid, increments the nonce, skips fee payment and execution, and results in an exceptional halt. #### 5. Transaction Fee Accounting The fee manager is updated to handle fee accounting across sub-blocks: * For the main proposer transactions, fees are paid to the main proposer's `fee_recipient` as usual. * For the sub-block transactions, fees are paid to the `fee_recipient` of the sub-block (available from the system transaction). * For the gas incentive transactions, fees are paid to the proposer's `fee_recipient`. In all cases, the fee is paid in the preferred `fee_token` of the `fee_recipient`, using liquidity from the fee AMM as necessary (i.e., `validatorTokens[fee_recipient]` from the FeeManager contract). If the `fee_recipient` has not set a preferred `fee_token`, then we use pathUSD as a fallback. import LucideDollarSign from '~icons/lucide/dollar-sign' import LucideInfo from '~icons/lucide/info' import LucideSend from '~icons/lucide/send' import LucideGlobe from '~icons/lucide/globe' import LucideWallet from '~icons/lucide/wallet' import LucideLandmark from '~icons/lucide/landmark' import LucideActivity from '~icons/lucide/activity' import LucideBot from '~icons/lucide/bot' import * as Card from "../../components/Card.tsx" ## Learn \[Notes on stablecoin use cases and Tempo's architecture] Tempo is a general-purpose blockchain optimized for payments. Tempo is designed to be a low-cost, high-throughput blockchain with user and developer features that we believe should be core to a modern payment system. Tempo was designed in close collaboration with an exceptional group of [design partners](https://tempo.xyz/ecosystem) who are helping to validate the system against real payment workloads. Here, we have written about what stablecoins are and how Tempo is designed from the ground up for the use cases they enable. #### Stablecoin use cases Stablecoins enable a wide range of payment and financial use cases across industries: import LucideExternalLink from '~icons/lucide/external-link' import LucideHammer from '~icons/lucide/hammer' import LucideMail from '~icons/lucide/mail' import * as Card from "../../components/Card.tsx" ### Partners Tempo is currently in development, with the mainnet launch coming in early 2026. Over the coming weeks, we're bringing online all the core infrastructure needed for stablecoin use cases like [remittances](/learn/use-cases/remittances), [global payouts](/learn/use-cases/global-payouts), [embedded finance](/learn/use-cases/embedded-finance), [tokenized deposits](/learn/use-cases/tokenized-deposits), [microtransactions](/learn/use-cases/microtransactions), and [agentic commerce](/learn/use-cases/agentic-commerce) so that they're available on Day 1 of the mainnet launch. The Tempo ecosystem is being built with a diverse range of best-in-class partners across stablecoin issuance, wallets & custody, compliance tooling, fraud monitoring, interoperability protocols, analytics & monitoring, orchestration and ramps, and more. We're designing the ecosystem to be global from day one, with issuers across the globe and broad local currency support. If you're interested in becoming an ecosystem partner, get in touch with us today to ensure you're fully set up for the Tempo mainnet launch coming soon. If you're looking for local partners to work with on your stablecoin deployment and want to work with one of our ecosystem partners, visit our [ecosystem page](https://tempo.xyz/ecosystem) to see the full list or [get in touch](mailto\:partners@tempo.xyz) with us to discuss how you can best integrate with Tempo. See which [developer tools](/quickstart/developer-tools) are already live on testnet. import { Callout } from 'vocs/components' import LucideFileText from '~icons/lucide/file-text' import LucideMail from '~icons/lucide/mail' import LucideRocket from '~icons/lucide/rocket' import LucideCoins from '~icons/lucide/coins' import LucideGlobe from '~icons/lucide/globe' import LucideSend from '~icons/lucide/send' import LucideBook from '~icons/lucide/book' import LucideWallet from '~icons/lucide/wallet' import LucideLandmark from '~icons/lucide/landmark' import LucideZap from '~icons/lucide/zap' import LucideActivity from '~icons/lucide/activity' import LucideBot from '~icons/lucide/bot' import LucideInfo from '~icons/lucide/info' import * as Card from "../../components/Card.tsx" import { ZoomableImage } from "../../components/ZoomableImage.tsx" ## Stablecoins \[Room-temperature superconductors for financial services.] Stablecoins offer businesses a faster, cheaper, and more programmable way to move money globally. They eliminate many of the delays, costs, and operational constraints of legacy rails, enabling use cases ranging from remittances and global payouts to automated treasury operations and agentic commerce. ### What are stablecoins? Stablecoins are digital representations of money on blockchains designed to hold a steady value. Unlike volatile cryptocurrencies such as Bitcoin or Ether, whose prices fluctuate based on market conditions, stablecoins are pegged to established currencies like the U.S. dollar or Euro. Real-world utility, increasing regulatory clarity, and growing institutional adoption are driving rapid growth in stablecoin usage. The circulating supply of stablecoins has grown more than tenfold over the past five years, reaching roughly $300 billion today. The U.S. Treasury now projects that this figure could rise to $3 trillion by 2030. ### How stablecoins work Fully-reserved fiat-backed stablecoins are issued by regulated entities ("stablecoin issuers") and are backed 1:1 with reserves such as cash and short-term government securities held at licensed financial institutions. Stablecoin issuers use a mint-and-burn process to keep the supply aligned with underlying reserves and ensure that holders can always redeem stablecoins at face value. When a user deposits fiat currency with an issuer, the issuer mints the corresponding amount of stablecoins onchain and sends them to the user. When the user later redeems stablecoins for fiat, the issuer receives the tokens, burns them, and sends the equivalent amount of fiat from its reserves to the user. With the introduction of regulatory frameworks like MiCA (Markets in Crypto-Assets) in the EU and the GENIUS Act in the U.S., stablecoins now operate under clearer rules governing reserve management, audits, and disclosures. As a result, they have become compliant, transparent, and reliable instruments for modern payments and financial operations. ### Why stablecoins matter for businesses For financial institutions, corporations, and payment providers, fully-reserved fiat-backed stablecoins enable near-instant payments that operate 24/7, work across borders, and bypass much of the friction found in legacy payment rails. They support established use cases such as remittances, global payouts, and embedded finance, while also enabling newer applications made possible by blockchain rails, including microtransactions and agentic commerce. ### Programmable money Stablecoins also open the door to programmable money: smart contracts, programs that run on the blockchain, can execute payments automatically based on predefined rules or conditions, improving the efficiency and transparency of payment processing, liquidity management, and reconciliation. For example, a global enterprise can use a smart contract to automatically top up or sweep the wallets of its subsidiaries based on balance thresholds and predefined rules. This allows routine treasury actions, such as maintaining minimum operating balances or consolidating excess funds, to run automatically onchain. In practice, the smart contract replaces functionality that would otherwise require custom integrations with multiple banking partners. In short, stablecoins provide the stability and familiarity of fiat currency with the speed and innovation of blockchains, offering institutions and enterprises of all sizes a faster, more efficient way to move value globally. ### Stablecoin use cases Stablecoins enable a wide range of payment and financial use cases across industries: Email us to learn more about payments on Tempo at [partners@tempo.xyz](mailto\:partners@tempo.xyz). import { Callout } from 'vocs/components' import LucideFileText from '~icons/lucide/file-text' import LucideMail from '~icons/lucide/mail' import LucideRocket from '~icons/lucide/rocket' import * as Card from "../../../components/Card.tsx" import { ZoomableImage } from "../../../components/ZoomableImage.tsx" ## Power AI agents with programmable money \[Enable autonomous agents to purchase goods, services, and digital resources with real-time, programmable stablecoin payments.] As autonomous agents begin taking on everything from reordering groceries to buying digital services, they need real-time, programmable money. Stablecoins provide instant global settlement and built-in programmability, making stablecoins the natural financial infrastructure for the next generation of autonomous systems. ### The rise of autonomous agents Autonomous agents are increasingly able to purchase goods and services, negotiate discounts, and manage everyday tasks without human input. An agent might reorder groceries when supplies run low, find better deals on household items, pay for digital services, manage streaming or app subscriptions, or book travel based on preferences and schedules. Further, the agentic commerce ecosystem is evolving quickly. New protocols are emerging that enable agents to interact directly with merchants: browsing offers, comparing terms, and purchasing goods or services autonomously. These protocols will allow businesses to sell directly to autonomous agents, whether they offer physical goods, digital items, compute, APIs, or data streams. ### The challenge with traditional payment rails However, for autonomous agents to function reliably, they need real-time, digitally native money that matches the speed and autonomy of their decisions. This money must be available 24/7, settle instantly, and support frequent microtransactions without friction. It also needs to work seamlessly across borders and offer in-built programmability so agents can operate without human intervention. Traditional payment rails were not designed to meet these requirements. Although card tokenization is being explored as a way for agents to pay, cards were never intended for machine-to-machine interactions. The entire card ecosystem is built around human cardholders and fraud models designed to stop bots, not support them. ### How stablecoins solve this Stablecoins fill this gap. They provide a stable, programmable representation of money that agents can use autonomously. Stablecoins combine the familiarity of fiat value with the instant, global settlement of public blockchains. Agents can hold stablecoins, pay for goods or services, and transact with other agents without relying on intermediaries. Agents also need an easy way to access payment credentials. Creating cards or card tokens requires coordination with issuers, and, in many cases, manual workflows. In contrast, onchain wallets can be provisioned instantly, at massive scale, and without relying on banking partners. Wallets give agents a ready-to-use financial instrument the moment they are created. ### Benefits beyond speed and cost For developers building agentic platforms, stablecoins and wallets are far simpler and more flexible to work with than traditional payment instruments. Wallets can be created instantly and at scale, without issuer partnerships or card-provisioning workflows. Stablecoins also make it easy to top up agent balances instantly whenever additional funds are needed. Developers can also set spending limits, enforce policy rules, and implement automatic top-ups directly in code, ensuring agents always have the funds they need without human intervention. Stablecoin balances can be monitored and rebalanced programmatically, enabling precise liquidity management and predictable spending across large fleets of autonomous agents. As agentic commerce begins to scale, the need for a more native payment rail becomes unavoidable. Stablecoins provide exactly the properties agents require: real-time global settlement, programmable behavior, and the ability to operate without intermediaries or issuer dependencies. They offer payment infrastructure that aligns with how agents think, act, and transact. ### Building with Tempo Autonomous agents require payment rails that are as programmable and tireless as they are. Tempo offers the throughput and sub-second settlement needed to support agent fleets at scale, without the friction of traditional card networks. If you are architecting payment flows for autonomous systems, we can help you understand how to implement automated wallet provisioning and policy-based spending controls directly into your agent's code. import { Callout } from 'vocs/components' import LucideFileText from '~icons/lucide/file-text' import LucideMail from '~icons/lucide/mail' import LucideRocket from '~icons/lucide/rocket' import * as Card from "../../../components/Card.tsx" import { ZoomableImage } from "../../../components/ZoomableImage.tsx" ## Bring embedded finance to life with stablecoins \[Enable platforms and marketplaces to streamline partner payouts, lower payment costs, and launch more rewarding loyalty programs.] Stablecoins bring the true promise of embedded finance to life. Their real-time, global nature lets platforms and marketplaces streamline partner and merchant payouts, lower the cost of payment acceptance and launch more rewarding loyalty programs for consumers. This creates a better experience for users and more efficient backend processes for platforms and marketplaces. ### The challenge with traditional embedded finance Embedded finance was meant to help platforms and marketplaces offer smoother, more integrated user experiences. Yet its impact remains constrained by traditional payment rails, whose delays, fees, and operational complexity undermine much of the value embedded finance aims to provide. For example, gig economy and creator work happens around the clock, while traditional payout rails do not. ACH transfers, while inexpensive, operate only during weekday banking windows and cannot support real-time payouts. Even when platforms offer instant payouts via card networks, these transfers carry higher fees, and the costs are often passed on to partners. Merchant payouts on marketplaces face similar challenges. Settlement is often delayed by banking windows, regional cutoff times, and inconsistent payment rails across countries. Cross-border merchant payments frequently move through multiple intermediaries, adding cost and introducing unpredictability in when funds will arrive. ### How stablecoins solve this By embedding blockchain wallets directly into their applications, these platforms can move onto modern, always-on payment rails. Partners, creators, and merchants can receive earnings in stablecoins far faster than through traditional methods, with settlement occurring onchain in seconds. Stablecoins also make these payouts inherently global, removing many of the barriers of regional banking systems. Once partners, creators and merchants receive their earnings in the embedded wallet, they can manage those funds directly within the same application they use for work. The wallet can hold stablecoin balances, allow payouts to linked bank accounts, or support spending for goods and services through a stablecoin-linked payment card. Stablecoins and embedded wallets can support far more than payouts. Marketplaces can also use stablecoins to collect consumer payments, deliver instant refunds, and issue loyalty rewards. Stablecoin payments do not have the settlement delays and interchange fees of card networks, making them a faster and cheaper payment option. ### Benefits beyond speed and cost By significantly reducing the cost of collecting payments from consumers and paying out partners, creators, and merchants, marketplaces can redirect more value toward customer and merchant benefits. Lower payment costs give merchants more flexibility to reward loyal customers with better offers, reimagining their loyalty programs. After all, merchants ultimately fund card rewards through interchange fees. For platforms, embedded wallets and stablecoin rails replace a patchwork of payment processors, banking partners, and regional settlement rules with a single, consistent infrastructure. Reconciliation relies on unified onchain records rather than scattered bank statements, and operational teams spend far less time managing exceptions or coordinating across time zones. Faster payouts, lower-cost payment acceptance, and more dynamic loyalty programs are only the beginning of what stablecoins bring to embedded finance. As stablecoins become the foundation for agentic commerce, platforms will gain new opportunities to create value for customers and expand what embedded finance can offer. ### Building with Tempo By providing a low-cost, high-speed settlement layer, Tempo enables platforms to offer financial products that were previously cost-prohibitive on legacy rails. Whether you are looking to embed wallets for gig workers or streamline complex marketplace settlements, our team can guide you through the wallet integration patterns that best fit your user experience. We are available to help you evaluate the technical lift and commercial impact of moving your platform's payments onchain. import { Callout } from 'vocs/components' import LucideFileText from '~icons/lucide/file-text' import LucideMail from '~icons/lucide/mail' import LucideRocket from '~icons/lucide/rocket' import * as Card from "../../../components/Card.tsx" import { ZoomableImage } from "../../../components/ZoomableImage.tsx" ## Pay your global workforce instantly \[Deliver faster, cheaper, and more predictable cross-border payouts to employees and contractors around the world with stablecoins.] Stablecoins can help payroll platforms, freelancer marketplaces, and companies with distributed teams deliver faster, cheaper, and more predictable cross-border payouts by eliminating slow banking rails and expensive FX conversions. This improves the payout experience for employees and contractors while giving companies meaningful operational efficiencies at a global scale. ### The challenge with global payroll Managing global payroll is both complex and expensive. Businesses must either rely on slow, expensive, unpredictable cross-border transfers to pay employees directly, or first move liquidity to local subsidiaries to access domestic payment rails. Each domestic rail, in turn, comes with its own rules, banking holidays, cutoff times, formats, and fees. This complexity results in a patchwork of manual workflows that is burdensome for finance teams and often frustrating for employees waiting on delayed transfers. Stablecoins offer a way to simplify this process by reducing cost, improving predictability, and removing much of the operational overhead associated with traditional cross-border payments. ### How stablecoins solve this Blockchains are global by design, allowing companies to send stablecoin payouts directly to employees' wallets anywhere in the world without relying on local banks or intermediaries. These transfers typically cost less than a cent and arrive within seconds, offering far more consistency than traditional international payment rails. Companies can also choose to distribute funds through their subsidiaries. In this model, a business can convert funds into stablecoins at the headquarters level, such as in the United States, and distribute those funds to subsidiary wallets around the world. Liquidity moves to subsidiaries in seconds rather than days, removing the need to pre-fund subsidiary accounts in advance. Subsidiaries can then handle payouts to local employees. ### Benefits beyond speed and cost Employees receiving stablecoins can choose how they want to use their earnings. They can hold stablecoins and spend them directly through stablecoin-linked payment cards, or convert them into fiat and withdraw the funds to a local bank account whenever they choose. This gives workers flexibility and control over how they manage their income. Stablecoins also reduce the foreign exchange complexity that comes with global payroll. Instead of converting funds into multiple local currencies and dealing with unpredictable spreads and fees, companies can make payouts in a single currency, such as USD stablecoins. Employees can then convert stablecoins to their desired currency when it's most convenient for them. This simplifies treasury operations and provides more options for workers. Finally, reconciliation becomes significantly simpler. Because stablecoin payouts settle onchain, every transaction has a clear record. Companies no longer need to track separate reporting formats from multiple domestic banks or reconcile transactions that settle at different speeds. Instead, they rely on a single, unified ledger that provides immediate visibility into outgoing payments, balances, and settlement status. Global payouts with stablecoins already deliver meaningful benefits for both employers and employees. As familiarity grows and merchant acceptance expands, stablecoins are likely to become a preferred payment method not only for international payouts, but for domestic payroll as well. With lower costs, real-time settlement, and programmability, stablecoins bring payroll systems closer to the always-on, digital nature of today's workforce. ### Building with Tempo Designed for high-volume, global disbursement, Tempo allows organizations to bypass the fragmentation of local banking rails and reach employees and contractors directly. We work closely with payroll providers and platforms to design stablecoin payout flows that are compliant, efficient, and user-friendly. If you are interested in seeing how a unified onchain ledger can simplify your global payroll operations and remove FX friction, let's discuss the integration requirements and coverage capabilities. import { Callout } from 'vocs/components' import LucideFileText from '~icons/lucide/file-text' import LucideMail from '~icons/lucide/mail' import LucideRocket from '~icons/lucide/rocket' import * as Card from "../../../components/Card.tsx" import { ZoomableImage } from "../../../components/ZoomableImage.tsx" ## Enable true pay-per-use pricing \[Build usage-based billing, pay-per-use APIs, and machine-to-machine services with real-time, sub-cent stablecoin payments.] Stablecoins unlock microtransaction-based pricing models that legacy payment rails simply cannot support. With real-time, sub-cent payments and 24/7 global settlement, developers can build usage-based billing, pay-per-use APIs, and machine-to-machine services that settle instantly without the fixed fees or delays of traditional payment systems. ### The challenge with traditional payment rails Digital services are increasingly shifting toward usage-based models, where users pay only for what they consume. This includes everything from API calls and AI inference requests to streaming content, and IoT services. Yet traditional payment rails were never designed for extremely small, frequent payments, making microtransactions impractical or impossible for most businesses today. Card networks apply fixed fees to every transaction, making any payment under a dollar uneconomical. Even instant rails like FedNow, while cheaper than cards, cannot support usage-based billing where each action costs only a few cents. This forces many digital products into subscriptions or prepaid balances instead of offering the more user-friendly and transparent pay-as-you-go model. ### How stablecoins solve this Stablecoins change this dynamic by enabling payments that cost a fraction of a cent and settle in seconds, making true microtransactions economically feasible at scale. They achieve this by removing the chain of intermediaries found in traditional payment rails, eliminating the delays, costs, and failure points that make small, frequent payments impractical today. Programmability further expands what microtransactions can support. Smart contracts can meter usage, enforce payment rules, and top up wallet balances automatically. Developers can charge per API request, per compute cycle, or per any digital action, without building custom billing logic or relying on intermediaries. Microtransactions also unlock machine-to-machine payments. Autonomous agents, bots, and IoT devices can pay for data, services, or compute in real time without human intervention. A device can pay another device for sensor data; an AI agent can pay for inference or model access; a drone can pay for map segments or airspace permissions. Stablecoins also enable pay-as-you-go digital commerce for consumers. Instead of monthly subscriptions, consumers can pay per article, per minute of video, per chapter of a book, or per stream of a song. Creators and platforms can monetize content more flexibly, while users pay only for what they actually consume. ### Benefits beyond speed and cost From a developer's perspective, building microtransaction-powered services is becoming increasingly straightforward. Stablecoins provide a simple, programmable payment primitive. At the same time, new protocols are emerging that standardize usage-based payments, authorization, and settlement, making it even easier to launch pay-per-use applications on top of stablecoin rails. Finally, onchain microtransactions improve reconciliation. Instead of aggregating thousands of small events into batched invoices that must be reconciled manually, stablecoins provide a unified ledger of each individual payment. This reduces operational overhead and simplifies financial reporting for businesses handling large volumes of small-value transactions. Ultimately, stablecoin-powered microtransactions are not simply about reducing payment friction. They unlock new business models built around real-time data and usage. By enabling instant, sub-cent payments, stablecoins let companies price, deliver, and monetize digital services in ways that were never feasible before, creating meaningful competitive advantages for those who adopt them early. ### Building with Tempo True microtransactions require a blockchain that eliminates the economic floor of traditional payment fees. Tempo's architecture is designed to make sub-cent payments viable, unlocking entirely new business models for digital services, APIs, and content platforms. If you are calculating the economics of usage-based billing or machine-to-machine payments, we can help you run the numbers and explore the technical feasibility of building on Tempo. import { Callout } from 'vocs/components' import LucideFileText from '~icons/lucide/file-text' import LucideMail from '~icons/lucide/mail' import LucideRocket from '~icons/lucide/rocket' import * as Card from "../../../components/Card.tsx" import { ZoomableImage } from "../../../components/ZoomableImage.tsx" ## Send money home faster and cheaper \[Deliver instant cross-border payments to your customers around the world with stablecoins on Tempo.] Stablecoins can help financial institutions, neobanks, and remittance providers deliver faster, cheaper, and more predictable cross-border payments by removing dependence on correspondent banking networks and pre-funded accounts. This improves the customer experience while creating meaningful operational efficiencies for the organizations that move money across borders. ### The challenge with traditional remittances Cross-border payments are notoriously slow, expensive, and unpredictable. A single transfer often passes through multiple intermediaries, each adding cost, introducing delays, and increasing the risk of errors. Newer "instant" cross-border services improve the user experience, but typically require remittance companies to hold liquidity on both sides of a payment corridor, which increases operational and capital costs. ### How stablecoins make remittances better Stablecoins can address these challenges by enabling cheap and near-instant cross-border payments. Beyond peer-to-peer transfers, where users send stablecoins directly to each other, three stablecoin-based models are now widely used in the remittance industry: #### Direct transfers A sender, for example, in the United States, can onramp to stablecoins within the mobile banking app and transfer them directly to a recipient abroad. The recipient can choose to hold the funds in stablecoins, spend them with a stablecoin-linked card, or off-ramp into local currency and deposit into a bank account. #### Orchestrated payments A sender initiates a cross-border payment from a mobile app, and the recipient receives funds directly into their bank account. Stablecoins are routed through a stablecoin orchestration platform that automatically converts them into local currency, preserving the speed and low cost of stablecoin transfers while delivering a familiar, traditional cross-border payment experience for both sender and recipient. #### Backend settlement Stablecoins operate entirely behind the scenes. A remittance company uses stablecoins to move liquidity between its own entities across jurisdictions, eliminating the need for correspondent banks and removing the requirement to maintain expensive, pre-funded liquidity on each side of the corridor. In each case, blockchains and stablecoins help eliminate the patchwork of correspondent banks in between the sender and the recipient, or the need to hold liquidity to emulate "instant" payments. Stablecoin transfers typically cost less than a cent and arrive within seconds, introducing noticeable cost reduction and increasing speed. ### Benefits beyond speed and cost Beyond the speed and cost improvements, stablecoin-based remittances offer a far smoother user experience for both senders and recipients. With no correspondent banks or intermediate hops, there are fewer points of failure and no unexpected holds, returns, or error paths. Transfers settle onchain in seconds, at any time of day, and the recipient sees the funds immediately. Further, users around the world increasingly value being able to hold USD-denominated stablecoins. These provide a simple and affordable way to send and receive remittances and pay for global digital services such as LLMs, software subscriptions, and online content platforms. Onchain settlement also delivers major reconciliation benefits. Each transaction is recorded in real time on a single ledger, giving remittance providers instant visibility into balances and flows. This reduces reliance on delayed bank statements, minimizes reconciliation errors from intermediary hops, and streamlines audit and compliance through a single, authoritative onchain record. ### Building with Tempo Tempo is purpose-built to handle the volume and cost requirements of modern remittance corridors, enabling providers to move beyond the limitations of correspondent banking. We understand that transitioning to onchain settlement involves navigating complex liquidity and operational questions. If you are evaluating how to restructure your remittance corridors for higher speed and lower cost, our team can help you map out the architecture for your specific regions. We invite you to explore the technical and operational improvements stablecoins can bring to your flows. import { Callout } from 'vocs/components' import LucideFileText from '~icons/lucide/file-text' import LucideMail from '~icons/lucide/mail' import LucideRocket from '~icons/lucide/rocket' import * as Card from "../../../components/Card.tsx" import { ZoomableImage } from "../../../components/ZoomableImage.tsx" ## Move treasury liquidity instantly across borders \[Enable corporate treasury teams to improve liquidity management across banks, currencies, and regions with tokenized deposits.] Tokenized deposits, much like stablecoins, can help corporate treasury teams meaningfully improve liquidity management across banks, currencies, and regions by enabling near-instant movement of funds and real-time visibility into cash positions. As corporate treasury moves onchain, tokenized deposits represent a major opportunity for financial institutions to capture new market share. ### The challenge with traditional treasury management Operating across multiple geographies requires companies to maintain relationships with multiple banks, manage balances in several currencies, and navigate an array of local settlement systems, cutoff times, and time zones. For global treasury teams, this results in a fragmented operational landscape with inconsistent processes across regions. Moving liquidity between a company's own accounts can take days and require subsidiaries to hold excess cash "just in case." Visibility into cash positions is incomplete, workflows vary by region, and reconciling activity across dozens of accounts becomes an ongoing operational burden. The result is inefficient use of capital and a patchwork of manual processes for controls and compliance. ### How tokenized deposits and stablecoins solve this Tokenized deposits and stablecoins offer a path toward simplifying this complexity. Instead of managing dozens of accounts across multiple banks, companies can operate a single wallet per subsidiary. Sitting alongside traditional bank accounts, these digital wallets become a natural extension of corporate treasury operations and provide a more efficient way to manage global liquidity. Each wallet can hold stablecoins, tokenized deposits, and even tokenized money market funds on the same unified onchain infrastructure. Tokenized deposits and stablecoins introduce a shared set of benefits that transform how corporates store, move, and deploy liquidity: * **Liquidity can be moved 24/7**, across time zones, and across borders, removing the delays of local settlement systems and cutoff times; * **Reconciliation becomes simpler** through onchain settlement records instead of disparate bank statements and siloed reporting systems; * **Idle balances can be deployed more efficiently**, improving working-capital usage and enabling immediate access to interest-bearing tokenized assets; * **Treasury workflows such as approvals, sweeps, and controls can be automated** with smart contracts, reducing manual processes and operational overhead. ### Understanding tokenized deposits vs. stablecoins As digital wallets become integrated into corporate treasury operations, it is important to understand how stablecoins and tokenized deposits differ. They are distinct instruments with different issuers, obligations, and regulatory treatment: * **Tokenized deposits** are commercial bank deposits issued on a blockchain. They remain a liability of the issuing bank and sit within the existing banking regulatory framework, behaving much like traditional deposits, but with the added benefits of programmability and real-time settlement. * **Stablecoins**, by contrast, are issued by regulated non-bank stablecoin providers and backed 1:1 with reserves such as cash and short-term government securities. They are designed to maintain a stable value relative to currencies like the U.S. dollar or Euro and can move across blockchains unaffected by cutoff times, banking hours, or regional settlement windows. ### The opportunity for financial institutions For financial institutions, tokenized deposits represent a major opportunity to strengthen existing corporate relationships and win market share as treasury infrastructure moves onchain. Large enterprises are already adopting stablecoins because they provide the speed, global reach, and programmability that traditional banking infrastructure cannot match. Tokenized deposits give financial institutions a way to offer many of these same benefits while maintaining the trust and regulatory certainty that corporates rely on. Tokenized deposits are also far more familiar to large corporations: they behave like traditional deposits, remain a liability of the issuing bank, and fit naturally into existing accounting and compliance models. The main challenge for banks today is interoperability. Most tokenized deposit pilots run inside the closed perimeter of a single institution, limiting their usefulness in multi-bank, multi-region treasury setups. Corporations will only adopt tokenized deposits at scale if they can move funds seamlessly across banks and easily convert between tokenized deposits, stablecoins, and other tokenized assets. Public blockchains provide this missing bridge. They allow tokenized deposits from different banks to coexist on shared infrastructure, enabling frictionless swaps between tokenized deposits and stablecoins, and supporting cross-bank liquidity movement with the same speed as stablecoin rails. Banks that issue tokenized deposits on public chains gain the interoperability corporates require, while strengthening their role at the center of onchain financial flows. ### Building with Tempo Tempo provides the neutral, high-performance infrastructure required for tokenized deposits and stablecoins to operate side-by-side. For treasury teams looking to modernize their liquidity stack, the challenge is often interoperability between these assets and existing banking systems. We collaborate with financial institutions and enterprises to model how these assets can coexist within your current treasury operations. Let's examine how onchain rails can fit into your broader liquidity management strategy. import LucideMail from '~icons/lucide/mail' import LucideRocket from '~icons/lucide/rocket' import * as Card from "../../../components/Card.tsx" ## Onchain FX An overwhelming majority of cross-border payments facilitated by stablecoins use what is known as the stablecoin sandwich: the onchain leg is conducted in stablecoins, typically USD-denominated, with on- and off-ramps converting from/to a local currency. ### Accessing FX Liquidity Onchain Tempo is exploring a design to enable stablecoin users to access FX liquidity directly onchain, including via a set of regulated non-USD stablecoin issuers. This removes the need for off-chain currency conversion and enables seamless multi-currency flows entirely onchain. When available, users will be able to: * Exchange between USD and non-USD stablecoins directly onchain * Access competitive FX rates through decentralized liquidity pools * Execute cross-border payments without relying on traditional FX providers * Reduce settlement times and costs associated with currency conversion ### Multi-Currency Fee Payments When available, Tempo will also allow users to pay for network fees in currencies beyond USD. This means users would be able to interact with Tempo in their preferred currency without needing to hold USD stablecoins specifically for transaction fees. ### Coming Soon Onchain FX is currently in development and will be available in a future release. This feature is being designed in close collaboration with regulated stablecoin issuers to ensure it meets compliance requirements while providing the flexibility and efficiency that global payment flows demand. If you're interested in multi-currency payment flows and want to explore how onchain FX can benefit your use case, reach out to our team. ### Help design this feature import LucideCoins from '~icons/lucide/coins' import LucideZap from '~icons/lucide/zap' import LucideShield from '~icons/lucide/shield' import LucideRepeat from '~icons/lucide/repeat' import LucideArrowLeftRight from '~icons/lucide/arrow-left-right' import LucideTrendingUp from '~icons/lucide/trending-up' import LucideEyeOff from '~icons/lucide/eye-off' import LucideMail from '~icons/lucide/mail' import LucideRocket from '~icons/lucide/rocket' import * as Card from "../../../components/Card.tsx" ## Tempo \[The payments-first blockchain] Tempo is a general-purpose blockchain optimized for payments, built to deliver instant, deterministic settlement, predictably low fees, and a stablecoin-native experience. Tempo's public testnet launched on December 9, 2025, and is now available for anyone to start building on. Tempo was designed in close collaboration with an exceptional group of [design partners](https://tempo.xyz/ecosystem) who are helping to validate the system against real payment workloads. The general-purpose programmability of the blockchain provides functionality directly in support of our global payments mission: stablecoin interoperability, onchain FX, compliant privacy, and more. Tempo will be a permissionless, decentralized chain. The Tempo client is open source under the Apache license, and anyone can run a node or sync the chain. ### Core Features Explore the key features that make Tempo purpose-built for payments: import LucideMail from '~icons/lucide/mail' import LucideRocket from '~icons/lucide/rocket' import LucideLayers from '~icons/lucide/layers' import LucideHeartHandshake from '~icons/lucide/heart-handshake' import LucideClock from '~icons/lucide/clock' import LucideFingerprint from '~icons/lucide/fingerprint' import * as Card from "../../../components/Card.tsx" ## Tempo Transactions \[Modern, optimized, and highly scalable blockchain transactions] Tempo has built-in support for gas sponsorship, batch transactions, scheduled payments, and modern authentication through passkeys. These features are often grouped together as "smart accounts" or "account abstraction." On other chains, even when available, these are generally add-on functionalities that require third-party providers to unlock. By natively enabling these features at the protocol level, developers on Tempo can deploy payment logic without managing additional middleware or custom contracts, and can build to enshrined standards. ### Batched Payments Payment processors and platforms often need to send thousands of payments at once (e.g., payroll runs, merchant settlements, customer refunds). Tempo supports batch transactions where multiple operations execute atomically in a single transaction. This unlocks high-volume use cases: orchestrators can submit thousands of payouts as a single operation, rather than submitting them one-by-one and tracking individual success or failure. If any operation in the batch fails, the entire batch reverts, ensuring atomic execution across all payments. This is critical for payment operators who need guaranteed settlement guarantees for their workflows. Learn more in the [batched calls specification](/protocol/transactions#batch-calls). ### Fee Sponsorship Applications often want to pay transaction fees on behalf of their users. For instance, to simplify onboarding, to improve the user experience, or to remove friction from their payment flows. Tempo's protocol-level fee sponsorship allows an account to sign a transaction while a separate sponsor (typically the application) pays the gas fee. This means end users can interact with your application without holding any tokens for fees, dramatically lowering the barrier to entry. Learn more by following the [guide on sponsoring user fees](/guide/payments/sponsor-user-fees). ### Scheduled Payments The Tempo transaction type includes scheduling as a protocol feature. Users can specify a time window for transaction execution, and validators will include the transaction when it becomes valid. This enables "set and forget" payment operations directly at the protocol level, enabling recurring payments like subscriptions or scheduled disbursements. No need for external automation services or off-chain infrastructure to manage recurring transactions. Learn more in the [Tempo Transactions specification](/protocol/transactions#scheduled-transactions). ### Modern Authentication Tempo supports passkey authentication through WebAuthn/P256 signature validation, built directly into the protocol. Users can authenticate with the same biometrics (fingerprint, Face ID) they already use for other apps. Their keys are stored in their device's secure enclave, and passkeys sync across devices via services they already use such as iCloud Keychain or Google Password Manager. This way, users don't need to secure a 12 or 24-word seed phrase for traditional wallets. For payment applications, this means onboarding flows can be as simple as existing consumer apps, without sacrificing security. Tempo uses an [EIP-2718](https://eips.ethereum.org/EIPS/eip-2718) transaction type with native support for these features. Read the [access keys specs](/protocol/transactions#access-keys) or learn by [following a guide](/guide/use-accounts/embed-passkeys). import LucideMail from '~icons/lucide/mail' import LucideRocket from '~icons/lucide/rocket' import LucideLayout from '~icons/lucide/layout' import LucideDollarSign from '~icons/lucide/dollar-sign' import LucideFileText from '~icons/lucide/file-text' import LucideShield from '~icons/lucide/shield' import LucideArrowLeftRight from '~icons/lucide/arrow-left-right' import * as Card from "../../../components/Card.tsx" ## TIP-20 Tokens \[Tempo's native stablecoin token standard] Tempo extends the [ERC-20 standard](https://ethereum.org/en/developers/docs/standards/tokens/erc-20/) used on EVM chains (Ethereum, Base, Arbitrum) with additional features, and enshrines them in protocol as the TIP-20 contract suite. These features are purpose-built for payment use cases at scale. ### Predictable Payment Throughput Tempo has dedicated payment lanes: reserved blockspace for payment transactions (specifically, TIP-20 token transfers) that other applications cannot consume. Payments have guaranteed blockspace reserved at the protocol level and don't compete with other traffic like NFT mints, liquidations, or high-frequency contract calls. Even if there are extremely popular applications on the chain competing for blockspace, payroll runs or customer disbursements execute predictably. Fees stay low and stable even when other network activity spikes, with a target of one-tenth of a cent per payment transaction. For payment processors, that means no "downtime" from congestion, and predictable economics for high-volume flows. There is no "noisy neighbor problem" like on traditional blockchains, where blockspace can fill up or cost orders of magnitude more during times of intense activity. Learn more in the [payment lanes specification](/protocol/blockspace/payment-lane-specification). ### Low, Predictable Fees, in Stables Transaction fees can be paid directly in USD-denominated stablecoins. This removes the need for volatile gas tokens and lets payment applications operate entirely in the same currency as their underlying flows, ensuring predictable costs and simpler accounting. For wallets and custodians, this removes the need to hold a balance of new cryptoassets just to facilitate stablecoin payments. Users can pay fees in any USD stablecoin, and validators can receive fees in any USD stablecoin, with the protocol automatically converting between them using onchain liquidity through Tempo's built-in DEX. Costs are predictable and low: TIP-20 transfers target one-tenth of a cent per transaction. This removes a major barrier for mainstream adoption. Users can interact with Tempo using only the stablecoins they're already familiar with, without needing to understand or manage volatile crypto assets. Learn more in the [fees specification](/protocol/fees). ### Native Reconciliation Tempo's TIP-20 tokens can natively attach a short memo directly to each transfer. This mirrors traditional payment systems, where every transaction carries context (e.g., an invoice number, a customer ID, a cost center, or a simple reference note) for backend systems to automatically match payments to internal records. For larger memos, Tempo supports flexible approaches where only a commitment (like a hash or locator) travels onchain while the full data (including PII) lives off-chain. This means finance teams can automatically match payments to invoices and payment processors can embed the structured data their systems need without custom solutions or integration with third-party reconciliation infrastructure. Learn more in the [TIP-20 specification](/protocol/tip20/overview). ### Built-in Compliance Stablecoin (and other regulated asset) issuers operate under regulatory requirements. They need to enforce whitelists (only approved addresses can transact) or blacklists (sanctioned addresses cannot transact). Tempo provides a shared compliance infrastructure through the TIP-403 Policy Registry. An issuer can thus create a single policy with their compliance rules, and multiple tokens they issue can adopt that policy. When the compliance manager updates the policy, all tokens using it automatically enforce the new rules, unlike traditional blockchains where an issuer must update each contract one-by-one. Learn more in the [TIP-403 policy specification](/protocol/tip403/overview). ### Built-in Stable Asset DEX Tempo includes a native decentralized exchange optimized for stablecoins and tokenized deposits. This means users can pay fees in any USD stablecoin, and validators can receive fees in any USD stablecoin, with the protocol automatically converting between them using onchain liquidity. Learn more about the [stablecoin DEX](/protocol/exchange). import LucideMail from '~icons/lucide/mail' import LucideRocket from '~icons/lucide/rocket' import LucideGithub from '~icons/lucide/github' import LucideGauge from '~icons/lucide/gauge' import LucideCheckCircle from '~icons/lucide/check-circle' import * as Card from "../../../components/Card.tsx" ## Performance \[Tempo's performant blockchain architecture] All of Tempo's payments-first features are built on a foundation of a highly performant blockchain. Tempo delivers the throughput and finality characteristics that payment applications require. ### High Throughput Tempo is built on the [Reth](https://reth.rs/) SDK, the most performant and flexible EVM (Ethereum Virtual Machine) execution client. Reth is also relied upon by several other blockchains including Ethereum, Base and Arc. Tempo houses the team that built and maintains Reth, and several other pieces of core blockchain developer software such as [Foundry](https://getfoundry.sh/). We are already benchmarking 20,000 TPS on testnet with a clear line of sight to an order of magnitude higher by mainnet. This throughput is critical for payment use cases. Whether processing payroll for thousands of employees, settling marketplace transactions, or handling microtransactions at scale, Tempo's performance ensures that your payment flows won't be bottlenecked by blockchain capacity. Tempo is open source. Read the code on [GitHub](https://github.com/tempoxyz/tempo)! ### Fast Finality Public blockchains that support financial activity need to balance two contradictory demands. On the one hand, the blockchain needs fast finality: a payment made on the blockchain should be quickly confirmed as final, with no risk of being "re-orged" out as can happen on many blockchains today. On the other hand, the blockchain also needs to degrade gracefully under suboptimal network conditions. Tempo uses Simplex Consensus (via [Commonware](https://www.commonware.xyz/)), which provides fast, sub-second finality in normal conditions while maintaining graceful degradation under adverse networks. Tempo uses Byzantine-fault tolerant consensus with four validators on testnet. Blocks are finalized every \~0.5 seconds, and once a block is marked as final, transactions in that block are guaranteed to be included in the chain. This cutting-edge consensus algorithm optimally balances speed with resilience. For payment applications, this gives payment operators the same settlement certainty they expect from existing financial systems, with speed that matches best-in-class blockchains. This is critical for use cases like point-of-sale systems, instant settlements, and cross-border transfers where users expect immediate, irreversible confirmation. Learn more about consensus in the [blockspace specification](/protocol/blockspace/overview). import LucideMail from '~icons/lucide/mail' import LucideRocket from '~icons/lucide/rocket' import * as Card from "../../../components/Card.tsx" ## Privacy Tempo is also developing opt-in privacy features designed to coexist with issuer compliance requirements. This functionality will enable private balances and transfers while maintaining the auditability and reporting capabilities that regulated issuers need. ### Private Token Standard for Stablecoin Issuers Traditional blockchains make all transaction data publicly visible, which creates challenges for businesses and consumers who need confidentiality. At the same time, regulated stablecoin issuers must maintain compliance and auditability. We're currently working on multiple designs which provide: * **Private balances**: Account balances that are hidden from public view while remaining auditable by authorized parties * **Confidential transfers**: Transaction amounts and participants that can be shielded from the public ledger * **Selective disclosure**: Issuers and regulators that can maintain the visibility they need for compliance without exposing sensitive business data publicly ### Use Cases for Privacy When available, private tokens will enable: **Sensitive business transactions**: Companies will be able to conduct payroll, vendor payments, and treasury operations without revealing confidential financial information to competitors or the public. **Confidential consumer balances**: Users will be able to hold and transact with stablecoins without publicly broadcasting their account balances or spending patterns. **Privacy-preserving payment flows**: Platforms will be able to process payments while protecting user privacy and maintaining confidentiality in sensitive transactions. All of this is achieved while preserving the compliance features that make stablecoins viable in regulated markets. Issuers will be able to maintain the ability to monitor, report, and enforce policies as required by regulation. ### Coming Soon The native private token standard is currently in development and will be available in a future release. This feature is being designed in close partnership with regulated stablecoin issuers to ensure it meets both privacy needs and regulatory requirements. If you're interested in private payment flows and want to explore how privacy features can benefit your use case, reach out to our team. ### Help design this feature import * as Card from "../../components/Card.tsx" import * as Demo from '../../components/guides/Demo.tsx' import * as Step from '../../components/guides/steps' import LucideFile from '~icons/lucide/file' import LucideSignature from '~icons/lucide/signature' ## !Replace Me! {/* Short description of the guide. What we are building, why we are building it, and what we will learn. */} Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam elementum odio ante, sit amet tincidunt leo scelerisque vitae. Donec placerat imperdiet nibh in efficitur. Nam pharetra euismod tortor ac suscipit. Quisque nec ultrices nisl. Sed in magna sapien. Duis vel risus sed leo gravida volutpat a id libero. Pellentesque ut nunc vel turpis tristique bibendum ut eu mauris. Aliquam aliquet nunc orci, eu mattis nisi hendrerit sed. Donec volutpat dolor lectus, sit amet facilisis arcu pretium nec. ### Steps {/* Steps to follow to get the demo working and fully functioning end-to-end */} :::steps #### Lorem Lorem ipsum dolor sit amet, consectetur adipiscing elit. #### Ipsum Lorem ipsum dolor sit amet, consectetur adipiscing elit. ::: ### Recipes {/* Any peripheral things you can do beyond the above steps */} #### Foo Lorem ipsum dolor sit amet, consectetur adipiscing elit. #### Bar Lorem ipsum dolor sit amet, consectetur adipiscing elit. ### Best Practices {/* Any best practices or tips to follow when using this feature */} #### Foo Lorem ipsum dolor sit amet, consectetur adipiscing elit. #### Bar Lorem ipsum dolor sit amet, consectetur adipiscing elit. ### Learning Resources {/* Outlink to any useful links to read in /documentation/* */} import * as Demo from '../../../components/guides/Demo.tsx' import * as Step from '../../../components/guides/steps' import * as Token from '../../../components/guides/tokens' ## Add Funds to Your Balance Get test tokens to start building on Tempo testnet. ### Direct Access You can access the faucet directly here in the docs. ### Testnet Faucet RPC The public testnet also offers an RPC endpoint for requesting test tokens. The faucet endpoint is only available at the official Tempo testnet RPC endpoint. Request test tokens using the `tempo_fundAddress` RPC method: ```bash cast rpc tempo_fundAddress \ --rpc-url https://rpc.testnet.tempo.xyz ``` Replace `` with your wallet address. ### What You'll Receive The faucet provides test stablecoins: * **pathUSD** - `0x20c0000000000000000000000000000000000000` * **AlphaUSD** - `0x20c0000000000000000000000000000000000001` * **BetaUSD** - `0x20c0000000000000000000000000000000000002` * **ThetaUSD** - `0x20c0000000000000000000000000000000000003` Each request drips a sufficient amount for testing and development. ### Verify Your Balance After requesting tokens, verify your balance: ```bash # Check AlphaUSD balance cast erc20 balance 0x20c0000000000000000000000000000000000001 \ \ --rpc-url https://rpc.testnet.tempo.xyz ``` import { Callout } from 'vocs/components' ## Batch Transactions One of the most powerful features of the [Tempo Transaction](/protocol/transactions/spec-tempo-transaction) type is batching multiple operations into a single transaction. This allows you to execute several actions atomically (i.e., they all succeed or all fail together). This helps reduce gas costs, prevents partial failures, and creates better user experiences by combining multiple steps into one transaction. Batch transactions are a feature of Tempo's [TempoTransaction type](/protocol/transactions/spec-tempo-transaction). See the TempoTransaction spec for complete details on batching and other features. ### Example: Sending a Batch of Transactions :::code-group ```ts [batchTransactions.ts] const { address, hash, id } = await client.sendTransaction({ // [!code focus] calls: [{ // [!code focus] to: tokenAddress, // [!code focus] data: transferCalldata // Transfer tokens // [!code focus] }, // [!code focus] { // [!code focus] to: anotherTokenAddress, // [!code focus] data: approveCalldata // Approve spending // [!code focus] }, // [!code focus] { // [!code focus] to: dexAddress, // [!code focus] data: swapCalldata // Execute swap // [!code focus] }], // [!code focus] }) // [!code focus] ``` ```ts [viem.config.ts] // [!include ~/snippets/setup.ts:setup] ``` ::: ### How It Works Unlike traditional EVM transactions which only support a single call per transaction, the [Tempo Transaction](/protocol/transactions/spec-tempo-transaction) type natively supports a `calls` vector—enabling multiple operations in a single atomic transaction. #### Native Protocol Support Batching is built directly into the transaction type at the protocol level. This means: * **Atomic execution**: All calls succeed or all calls revert together—no partial failures * **Single signature**: Sign once for the entire batch, reducing UX friction * **Lower gas costs**: Avoid the overhead of multiple transaction submissions * **No smart contract required**: Works with any EOA, no need to deploy a separate batching contract #### Transaction Structure The `TempoTransaction` includes a `calls` field that accepts a list of operations: ```rust pub struct TempoTransaction { // ... other fields calls: Vec, // Batch of calls to execute atomically // ... } pub struct Call { to: TxKind, // Target address or Create for contract deployment value: U256, // ETH value to send input: Bytes, // Calldata for the call } ``` import * as Demo from '../../../components/guides/Demo.tsx' import * as Step from '../../../components/guides/steps' import { ConnectWallet } from '../../../components/ConnectWallet.tsx' ## Connect to Wallets It is possible to use Tempo with EVM-compatible wallets that support the Tempo network, or support adding custom networks (like MetaMask). You can use these wallets when building your application on Tempo. This guide will walk you through how to set up your application to connect to wallets. ### Wagmi Setup ::::steps #### Set up Wagmi Ensure that you have set up your project with Wagmi by following the [guide](/sdk/typescript#wagmi-setup). #### Configure Wagmi Next, let's ensure Wagmi is configured correctly to connect to wallets. Ensure we have [`multiInjectedProviderDiscovery`](https://wagmi.sh/react/api/createConfig#multiinjectedproviderdiscovery) set to `true` to display injected browser wallets. We can also utilize [wallet connectors](https://wagmi.sh/react/api/connectors) from Wagmi like `metaMask` to support mobile devices. ```tsx twoslash [config.ts] // @noErrors import { createConfig, http } from 'wagmi' import { tempoTestnet } from 'viem/chains' import { metaMask } from 'wagmi/connectors' // [!code ++] export const config = createConfig({ chains: [tempoTestnet], connectors: [metaMask()], // [!code ++] multiInjectedProviderDiscovery: true, // [!code ++] transports: { [tempo.id]: http(), }, }) ``` #### Display Connect Buttons After that, we will set up "Connect" buttons so that the user can connect to their wallet. We will create a new `ConnectWallet.tsx` component to work in. :::code-group

::: :::code-group ```tsx twoslash [Connect.tsx] // @noErrors import { useConnect, useConnectors } from 'wagmi' export function Connect() { const connect = useConnect() const connectors = useConnectors() return (

{connectors.map((connector) => ( ))}

::: :::code-group ```tsx twoslash [Account.tsx] // @noErrors import { useConnection, useDisconnect } from 'wagmi' export function Account() { const account = useConnection() const disconnect = useDisconnect() return (

{account.address?.slice(0, 6)}...{account.address?.slice(-4)}

::: :::code-group ```tsx twoslash [Account.tsx] // @noErrors import { useConnection, useDisconnect, useSwitchChain } from 'wagmi' import { tempoTestnet } from 'viem/chains' // [!code ++] export function Account() { const account = useConnection() const disconnect = useDisconnect() const switchChain = useSwitchChain() // [!code ++] return (

{account.address?.slice(0, 6)}...{account.address?.slice(-4)}

{/* // [!code ++] */}

) } ``` ```tsx twoslash [config.ts] filename="config.ts" // @noErrors import { createConfig, http } from 'wagmi' import { tempoTestnet } from 'viem/chains' import { metaMask } from 'wagmi/connectors' // [!code ++] export const config = createConfig({ chains: [tempoTestnet], connectors: [metaMask()], // [!code ++] multiInjectedProviderDiscovery: true, // [!code ++] transports: { [tempo.id]: http(), }, }) ``` ::: :::: ### Third-Party Libraries You can also use a third-party Wallet Connection library to handle the onboarding & connection of wallets. Such libraries include: [Privy](https://privy.io), [ConnectKit](https://docs.family.co/connectkit), [AppKit](https://reown.com/appkit), [Dynamic](https://dynamic.xyz), and [RainbowKit](https://rainbowkit.com). The above libraries are all built on top of Wagmi, handle all the edge cases around wallet connection. :::warning It is worth noting that some wallets that are included in the above libraries may not support Tempo yet. We are working on adding support for the majority of wallets. ::: ### Add to Wallet Manually You can add Tempo testnet to a wallet that supports custom networks (e.g. MetaMask) manually. For example, if you are using MetaMask: 1. Open MetaMask and click on the menu in the top right and select "Networks" 2. Click "Add a custom network" 3. Enter the network details: | **Name** | `Tempo Testnet (Andantino)` | | ------------------ | -------------------------------------------------------- | | **Currency** | `USD` | | **Chain ID** | `42429` | | **HTTP URL** | `https://rpc.testnet.tempo.xyz` | | **WebSocket URL** | `wss://rpc.testnet.tempo.xyz` | | **Block Explorer** | [`https://explore.tempo.xyz`](https://explore.tempo.xyz) | The official documentation from MetaMask on this process is also available [here](https://support.metamask.io/configure/networks/how-to-add-a-custom-network-rpc#adding-a-network-manually). :::warning Note that we recommend using the `symbol` "USD" for the currency symbol, despite there being no native gas token. Existing wallets like MetaMask don't natively support the Tempo network yet, so there are some quirks to the interface. You might also need to set `nativeCurrency.decimals` to `18` instead of `6` in some wallets. ::: import LucideSignature from '~icons/lucide/signature' import LucideFile from '~icons/lucide/file' import * as Card from "../../../components/Card.tsx" import * as Demo from '../../../components/guides/Demo.tsx' import { EmbedPasskeys, SignInButtons } from '../../../components/guides/EmbedPasskeys.tsx' ## Embed Passkey Accounts Create a domain-bound passkey account on Tempo using WebAuthn signatures for secure, passwordless authentication with [Tempo transactions](/protocol/transactions/spec-tempo-transaction). Passkeys enable users to authenticate with biometrics (fingerprint, Face ID, Touch ID) they already use for other apps. Keys are stored in the device's secure enclave and sync across devices via iCloud Keychain or Google Password Manager. :::info **What does "domain-bound" mean?** WebAuthn credentials are bound to a specific domain (the [Relying Party](https://en.wikipedia.org/wiki/Relying_party)). This means that credentials created for one domain (e.g., `example.com`) will only work on that domain (and its subdomains) and cannot be used to authenticate on other domains. This means your users won't be able to use the same passkey account on other applications. If this is not what you want, head to the [Connect to wallets](/guide/use-accounts/connect-to-wallets) guide that walks you through on how to connect your application to a universal wallet like MetaMask. ::: ### Demo By the end of this guide, you will be able to embed passkey accounts into your application. ### Steps ::::steps #### Set up Wagmi Ensure that you have set up your project with Wagmi by following the [guide](/sdk/typescript#wagmi-setup). #### Configure the WebAuthn Connector Next, we will need to configure the `webAuthn` connector in our Wagmi config. ```tsx twoslash [config.ts] // @noErrors import { createConfig, http } from 'wagmi' import { tempoTestnet } from 'viem/chains' import { KeyManager, webAuthn } from 'tempo.ts/wagmi' // [!code ++] export const config = createConfig({ chains: [tempoTestnet], connectors: [webAuthn({ // [!code ++] keyManager: KeyManager.localStorage(), // [!code ++] })], // [!code ++] multiInjectedProviderDiscovery: false, transports: { [tempo.id]: http(), }, }) ``` :::warning The `KeyManager.localStorage()` implementation is not recommended for production use as it stores public keys on the client device, meaning it cannot be re-extracted when the user's storage is cleared or if the user is on another device. For production, you should opt for a remote key manager such as [`KeyManager.http`](/sdk/typescript/wagmi/keyManagers/http). ::: :::tip This Wagmi configuration sets `multiInjectedProviderDiscovery` to `false` to prevent injected browser wallets from being detected, and to prefer the `webAuthn` connector. If you would like to allow connection to other wallets, set this property to `true`. ::: #### Display Sign In Buttons After that, we will set up "Sign in" and "Sign up" buttons so that the user can create or use a passkey with the application. We will create a new `Example.tsx` component to work in. :::code-group

::: :::code-group ```tsx twoslash [Example.tsx] // @noErrors import { useConnect, useConnectors } from 'wagmi' export function Example() { const connect = useConnect() const [connector] = useConnectors() return (

::: :::code-group ```tsx twoslash [Example.tsx] // @noErrors import { useConnection, useConnect, useConnectors, useDisconnect } from 'wagmi' export function Example() { const account = useConnection() // [!code ++] const connect = useConnect() const [connector] = useConnectors() const disconnect = useDisconnect() // [!code ++] if (account.address) // [!code ++] return ( // [!code ++]

{/* // [!code ++] */}

{account.address.slice(0, 6)}...{account.address.slice(-4)}

{/* // [!code ++] */} {/* // [!code ++] */}

// [!code ++] ) // [!code ++] return (

Check prompt...

// [!code ++] return (/* ... */) } ``` :::tip Wagmi exposes [React Query's](https://tanstack.com/query/latest/docs/framework/react/overview) interfaces on all Hooks to extract asynchronous states such as loading (e.g. `isPending`) and error (e.g. `isError`, `error`) states. ::: #### Error Handling If an error unexpectedly occurs, we should display an error message to the user. We can use the `error` property from the `useConnect` hook to show error state to the user. ```tsx twoslash [Example.tsx] // @noErrors import { useConnection, useConnect, useConnectors, useDisconnect } from 'wagmi' export function Example() { const account = useConnection() const connect = useConnect() const [connector] = useConnectors() const disconnect = useDisconnect() if (connect.error) // [!code ++] return

Error: {connect.error.message}

// [!code ++] return (/* ... */) } ``` ### Learning Resources import { Callout } from 'vocs/components' ## Fee Sponsorship Fee sponsorship enables gasless transactions where applications can subsidize user costs. Users can interact with the blockchain without holding fee tokens. This specification describes how one account can pay transaction fees on behalf of another account using the [Tempo Transaction](/protocol/transactions/spec-tempo-transaction) type with the `feePayerSignature` field. ### How It Works The [Tempo Transaction](/protocol/transactions/spec-tempo-transaction) type includes an optional `feePayerSignature` field. When present, this signature authorizes a third party to pay the transaction's gas costs while the original sender executes the transaction logic. :::steps #### Sender signs the transaction The sender signs the transaction with their private key, signing over a **blank fee token field**. This means the sender delegates the choice of which fee token to use to the fee payer. #### Fee payer selects and signs The fee payer selects which fee token to use, then signs over the transaction. #### Transaction submission The fee token and fee payer signature is added to the transaction using the `feePayerSignature` field and is then submitted. #### Network validation The network validates both signatures and executes the transaction. #### Transaction Fields The TempoTransaction includes: * Standard EIP-1559 fields (chainId, maxPriorityFeePerGas, maxFeePerGas, gasLimit) * TempoTransaction-specific fields: `signature`, `nonceKey`, `nonce`, `calls` (batch of calls to execute) * Optional `feeToken` field to specify which stablecoin pays fees * Optional `feePayerSignature` field when sponsored * Optional `validBefore` and `validAfter` for scheduled transactions #### Dual Signatures **Sender signs:** The transaction they want to execute using their preferred signature scheme (secp256k1, P256, or WebAuthn) **Fee payer signs:** Authorization to pay fees for that specific transaction and sender Each signature is recovered independently to determine the sender and fee payer addresses. ### Validation When `feePayerSignature` is present: 1. Both sender and fee payer signatures must be valid 2. Fee payer must have sufficient balance in the fee token 3. Transaction is rejected if either signature fails or fee payer's balance is insufficient When `feePayerSignature` is absent: * Sender pays their own fees (standard behavior) Fee payer information is determined statically from the transaction data, ensuring efficient validation without requiring transaction execution. ### Execution 1. Recover both sender and fee payer addresses from their signatures 2. Charge gas fees to the fee payer's balance 3. Execute transaction with sender as the transaction origin 4. Refund unused gas to the fee payer ### Security * Fee payer signature commits to both the transaction details and specific sender * Prevents signature reuse or unauthorized fee charging * Replay protection via chain ID and 2D nonce system (nonceKey + nonce) * Fee payers cannot be drained beyond the transaction's gas limit * Support for multiple signature schemes (secp256k1, P256, WebAuthn) with automatic detection based on signature length ::: import LucideFingerprint from '~icons/lucide/fingerprint' import LucideWallet from '~icons/lucide/wallet' import LucideCoins from '~icons/lucide/coins' import * as Card from "../../../components/Card.tsx" ## Create & Use Accounts Create and integrate Tempo accounts into your product with domain-bound passkeys or connecting your app to EVM-compatible wallets. :::tip **Should I use a Passkey account or a wallet?** * If you need a **domain-bound account** experience, you can embed a Passkey account. * If you need a **universal account** experience, you can integrate your app with wallets. You can even use both if you would like to offer both experiences. ::: import { Callout } from 'vocs/components' ## Scheduled Transactions Execute transactions only within a specific time window using `validAfter` and `validBefore` timestamps. Scheduled transactions are enabled by the [Tempo Transaction](/protocol/transactions/spec-tempo-transaction) type, which includes optional timestamp fields. These fields are validated by the protocol when the transaction is submitted. ### Setting Time Bounds You can add optional timestamp fields to your transaction to control when it can be executed. Both `validAfter` and `validBefore` accept Unix timestamps. For example, to create a transaction that can only execute between Jan 1, 2025 and Jan 2, 2025, you would set `validAfter: 1735689600` and `validBefore: 1735776000` when signing the transaction. ### Time Window Validation The protocol validates timestamps against the block timestamp: * **`validAfter`**: Block timestamp must be greater than or equal to this value * **`validBefore`**: Block timestamp must be less than or equal to this value * **Both optional**: Omit either or both to not restrict that bound You can use these fields individually or in combination: * **Only `validAfter`**: Transaction can execute any time after the specified date (e.g., after Jan 1, 2025) * **Only `validBefore`**: Transaction must execute by the specified date (e.g., before Jan 2, 2025) * **Both**: Transaction has a specific time window for execution * **Neither**: No time restrictions ### Examples #### Example: Vesting Schedule Release tokens at a specific future time by pre-signing a transaction with a future `validAfter` timestamp. You would sign a token transfer transaction that includes `validAfter: 1767225600` (Jan 1, 2026). The signed transaction can be stored off-chain or given to a third party. When Jan 1, 2026 arrives, anyone can submit the signed transaction to the network, and it will execute. If submitted before that date, validators will reject it. This enables trustless vesting schedules where the beneficiary holds a pre-signed transaction that becomes valid at a specific future date. #### Example: Time-Limited Offer You can create an offer that expires if not accepted by setting both `validAfter` and `validBefore` timestamps. For example, to create an offer valid for 24 hours, you would set `validAfter` to the current timestamp and `validBefore` to 86400 seconds (24 hours) in the future. The signed transaction can only be executed within that 24-hour window. After the expiration time passes, the transaction becomes invalid and cannot be included in a block. #### Example: Delayed Execution You can sign a transaction now that can only be executed at a future time by setting `validAfter` to a timestamp 7 days in the future. The signed transaction is then stored (in a database, onchain via a contract, or held by a party). After the 7-day delay period passes, anyone with access to the signed transaction can submit it to the network for execution. The protocol enforces that the transaction cannot be included in a block before the specified time. This is useful for governance proposals with timelock requirements or delayed contract upgrades. ### Storing Scheduled Transactions **Important**: It is your responsibility to store and manage signed scheduled transactions until their execution time. The protocol validates the time constraints but does not store transactions for you. When you create a scheduled transaction, you have several options for storage: * **Self-custody**: Store the signed transaction in your own database or secure storage until the execution time * **Third-party services**: Work with a company that specializes in holding and submitting scheduled transactions at the appropriate time * **Smart contracts**: Store the signed transaction onchain in a contract that can submit it when the time window is valid The Tempo team is actively exploring the design of a protocol-level scheduled transaction feature that would eliminate the need for off-chain storage. If this capability is valuable to your use case, please contact us to share your requirements and help inform the design. ### Mempool Behavior Validators will reject transactions that are outside their validity window: * **Too early**: Transactions with `validAfter` in the future won't be included in blocks. The transaction will be rejected if you try to submit it before the specified time. * **Too late**: Transactions with `validBefore` in the past will be rejected. Once the expiration time passes, the transaction can no longer be executed. For example, if you submit a transaction with `validAfter` set to Jan 1, 2026, validators will return an error until that timestamp is reached. ### Combining with Other Features **Fee sponsorship**: You can combine scheduled transactions with fee sponsorship, where a sponsor pays the fees for a time-locked transaction. The fee payer signs their portion, and the combined transaction becomes valid only within the specified time window. **Batch transactions**: Multiple operations can be scheduled together to execute atomically within a specific time window. All operations in the batch must succeed or fail together, and the entire batch is subject to the time constraints. The block timestamp is set by validators and may vary slightly. For critical timing, account for small time variations (±15 seconds). ### Technical Details For complete specifications on timestamp validation, see the [Tempo Transaction](/protocol/transactions/spec-tempo-transaction) type specification. import { Callout } from 'vocs/components' ## WebAuthn & P256 Signatures Tempo EOA addresses can be derived from multiple signature types. Allowing you to sign transactions with standard Ethereum wallets, hardware security keys, biometric authentication like Face ID and Touch ID, or even using [passkeys](https://passkeys.dev/). The supported signature types are: #### secp256k1 The standard Ethereum signature format. No type identifier needed, this is the default. #### P256 Raw P256 signatures that include the public key coordinates. Identified by type `0x01`. The `preHash` flag indicates whether the digest should be hashed with SHA256 before verification. Set this to `true` if using Web Crypto API or similar implementations that require pre-hashing. #### WebAuthn WebAuthn signatures include authenticator data from biometric devices. Identified by type `0x02`. The verification data contains information from the authenticator (device metadata, user presence flags, etc.). *** Additional signature types may be supported in the future. For complete technical specifications, see the [Tempo Transaction](/protocol/transactions/spec-tempo-transaction) protocol documentation. import LucideCoins from '~icons/lucide/coins' import LucideShieldCheck from '~icons/lucide/shield-check' import LucideLayers from '~icons/lucide/layers' import LucideKey from '~icons/lucide/key' import LucideZap from '~icons/lucide/zap' import LucideCircleHelp from '~icons/lucide/circle-help' import LucideClock from '~icons/lucide/clock' import * as Card from "../../../components/Card.tsx" import TempoTxProperties from '../../../snippets/tempo-tx-properties.mdx' ### Use Tempo Transactions Tempo Transactions are a new [EIP-2718](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-2718.md) transaction type, exclusively available on Tempo.

Transaction [SDKs](#integration-guides) are available for TypeScript, Rust, Go, and Foundry.