Identity lists
IdentityAllowList, IdentityBlockList, and AddressBlockList compliance modules for investor-level and wallet-level access control.
Identity list modules let an asset restrict who may receive tokens by checking either the recipient's OnchainID identity or the wallet addresses in the transfer. Use them when an asset needs explicit investor eligibility, persistent investor blocking, or immediate wallet-level blocking alongside other compliance modules.
Choose the right list
| Requirement | Use | What DALP checks |
|---|---|---|
| Only pre-approved investors may receive the token | IdentityAllowList | The recipient wallet has a registered OnchainID identity, and that identity is in the allow list |
| A specific investor must not receive the token through any registered wallet | IdentityBlockList | The recipient wallet's registered OnchainID identity is not in the block list |
| A specific wallet must not send or receive the token | AddressBlockList | Neither the sender wallet nor the recipient wallet is in the address block list |
Module behaviour
| Module | Granularity | Primary use | Empty list behaviour | Identity required |
|---|---|---|---|---|
| IdentityAllowList | OnchainID identity contract | Private placements, institutional-only offerings, restricted investor groups | Blocks recipients because no identity can match the allow list | Yes |
| IdentityBlockList | OnchainID identity contract | Investor-level exclusions | Blocks no identities | No. Unknown recipients pass |
| AddressBlockList | Wallet address | Sanctions screening, fraud response, compromised wallets | Blocks no addresses | No |
Identity-level versus address-level blocking
| Aspect | IdentityAllowList and IdentityBlockList | AddressBlockList |
|---|---|---|
| Scope | Follows the OnchainID identity across registered wallets | Applies only to the listed wallet address |
| Wallet rotation | Still covered when the new wallet resolves to the same identity | Not covered until the new wallet is listed |
| Recipient identity lookup | Required for IdentityAllowList. Used by IdentityBlockList when the recipient has a registered identity | Not used |
| Transfer direction | Checks the recipient identity | Checks both sender and recipient wallet addresses |
| Best fit | Investor eligibility and investor-level restrictions | Fast wallet-level controls and address intelligence feeds |
Use identity-level lists when the restriction belongs to the investor. Use address-level lists when the restriction belongs to a wallet, such as a compromised address, a sanctioned wallet, or a fraud signal from wallet analytics.
Capabilities
| Capability | IdentityAllowList | IdentityBlockList | AddressBlockList |
|---|---|---|---|
| Configure the list | Token administration updates the configured OnchainID identity addresses | Token administration updates the configured OnchainID identity addresses | Token administration updates the configured wallet addresses |
| Evaluate a transfer | Allows only recipients whose registered identity is listed | Blocks recipients whose registered identity is listed | Blocks transfers where the sender or recipient wallet is listed |
| On successful match | The transfer can continue to the next compliance module | The transfer is rejected | The transfer is rejected |
| On missing identity | Rejects the transfer | Passes the transfer | Does not check identity |
Common operating patterns
Private placement allow list
Use IdentityAllowList when only pre-approved investors may receive the token. Add each eligible investor's OnchainID contract before enabling the module on an asset. Recipients without registered identities fail the check.
Investor-level block list
Use IdentityBlockList when a restriction should follow an investor across registered wallets. Legal disputes, failed re-verification, and compliance alerts are typical triggers. A listed investor cannot receive more tokens through wallets tied to the same OnchainID.
Wallet-level block list
Use AddressBlockList when the wallet is the risk signal. Typical triggers include sanctioned addresses, fraud addresses, compromised wallets, and mixer addresses flagged by analytics providers. A different wallet is not blocked unless that wallet is also listed.
Invariants and failure modes
- IdentityAllowList rejects recipients with no registered identity.
- IdentityAllowList rejects recipients whose registered identity is not in the allow list.
- IdentityBlockList does not reject an unidentified recipient by itself. Add identity verification when recipients must hold accepted identity claims.
- AddressBlockList checks both transfer participants. A listed sender or listed recipient rejects the transfer.
- IdentityAllowList and IdentityBlockList do not freeze existing balances by themselves. They check whether a recipient can receive more tokens.
- AddressBlockList can stop a listed holder from sending tokens because it checks sender and recipient addresses.
- The modules do not emit module-specific events. Monitor rejected transactions and compliance-check errors for list violations.
Combine with other controls
Identity lists are usually one part of an asset policy. Combine them with:
- Identity verification when every recipient must hold accepted OnchainID claims.
- Country restrictions when eligibility depends on jurisdiction.
- Supply and investor limits when the asset has holder-count or supply caps.
- TimeLock when transfers must respect a holding period.
- Address block list when wallet-level blocking needs a dedicated operating guide.
Country Restrictions
CountryAllowList and CountryBlockList modules for geographic transfer restrictions. Covers sanctions/OFAC use cases, EU MiCA jurisdiction selection, and ISO 3166-1 country codes.
Address Block List
Block specific wallet addresses from sending or receiving an asset. Includes configuration, transfer behavior, and identity-list boundaries.