Identity lists
IdentityAllowList, IdentityBlockList, and AddressBlockList compliance modules for investor-level and wallet-level access control.
Identity list modules let an asset restrict who may receive tokens. Each module checks either the recipient's OnchainID or the wallet addresses in the transfer. Use them when your asset needs explicit eligibility gates, persistent investor exclusions, or wallet-level blocking that takes effect alongside other controls.
Choose the right list
| Requirement | Use | What DALP checks |
|---|---|---|
| Only pre-approved investors may receive the token | IdentityAllowList | The recipient wallet has a registered OnchainID identity, and that identity is in the allow list |
| A specific investor must not receive the token through any registered wallet | IdentityBlockList | The recipient wallet's registered OnchainID identity is not in the block list |
| A specific wallet must not send or receive the token | AddressBlockList | Neither the sender wallet nor the recipient wallet is in the address block list |
Module behaviour
| Module | Granularity | Primary use | Empty list behaviour | Identity required |
|---|---|---|---|---|
| IdentityAllowList | OnchainID identity contract | Private placements, institutional-only offerings, restricted investor groups | Blocks recipients because no identity can match the allow list | Yes |
| IdentityBlockList | OnchainID identity contract | Investor-level exclusions | Blocks no identities | No. Unknown recipients pass |
| AddressBlockList | Wallet address | Sanctions screening, fraud response, compromised wallets | Blocks no addresses | No |
Identity-level versus address-level blocking
| Aspect | IdentityAllowList and IdentityBlockList | AddressBlockList |
|---|---|---|
| Scope | Follows the OnchainID identity across registered wallets | Applies only to the listed wallet address |
| Wallet rotation | Still covered when the new wallet resolves to the same identity | Not covered until the new wallet is listed |
| Recipient identity lookup | Required for IdentityAllowList. Used by IdentityBlockList when the recipient has a registered identity | Not used |
| Transfer direction | Checks the recipient identity | Checks both sender and recipient wallet addresses |
| Best fit | Investor eligibility and investor-level restrictions | Fast wallet-level controls and address intelligence feeds |
Use identity-level lists when the restriction belongs to the investor. Use address-level lists when the restriction belongs to a specific wallet: a compromised address, a sanctioned wallet, or a fraud signal from wallet analytics.
Capabilities
| Capability | IdentityAllowList | IdentityBlockList | AddressBlockList |
|---|---|---|---|
| Configure the list | Token administration updates the configured OnchainID identity addresses | Token administration updates the configured OnchainID identity addresses | Token administration updates the configured wallet addresses |
| Evaluate a transfer | Allows only recipients whose registered identity is listed | Blocks recipients whose registered identity is listed | Blocks transfers where the sender or recipient wallet is listed |
| On successful match | The transfer can continue to the next compliance module | The transfer is rejected | The transfer is rejected |
| On missing identity | Rejects the transfer | Passes the transfer | Does not check identity |
Common operating patterns
Private placement allow list
Use IdentityAllowList when only pre-approved investors may receive the token. Register each eligible investor's OnchainID before you enable the module on an asset. Recipients without a registered identity fail the check.
Investor-level block list
Use IdentityBlockList when a restriction should follow an investor across all registered wallets. Legal disputes, failed re-verification, and compliance alerts are typical triggers. A listed investor cannot receive more tokens through any wallet tied to the same OnchainID.
Wallet-level block list
Use AddressBlockList when the wallet itself is the risk signal. Typical triggers include sanctioned addresses, fraud reports, compromised wallets, and mixer addresses flagged by analytics providers. A different wallet belonging to the same investor remains unblocked unless you also add it to the list.
Invariants and failure modes
- IdentityAllowList rejects recipients with no registered identity.
- IdentityAllowList rejects recipients whose registered identity is not in the allow list.
- IdentityBlockList does not reject an unidentified recipient by itself. Add identity verification when recipients must hold accepted identity claims.
- AddressBlockList checks both transfer participants. A transfer reverts when either the sender or the recipient wallet is listed.
- IdentityAllowList and IdentityBlockList do not freeze existing balances by themselves. They check whether a recipient can receive more tokens.
- AddressBlockList blocks a listed holder from sending tokens, because it checks sender and recipient addresses.
- The modules do not emit module-specific events. Monitor rejected transactions and compliance-check errors for list violations.
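The invariants above, written as a small off-chain decision model that can be used to sanity-check expected outcomes before a list is changed. This is an added example, not DALP contract code: the `Policy` class, the reason strings, and the wallet and identity labels are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Off-chain model. registry maps wallet -> OnchainID identity (absent if unregistered)."""
    registry: dict
    modules: tuple
    identity_allow: set = field(default_factory=set)
    identity_block: set = field(default_factory=set)
    address_block: set = field(default_factory=set)

    def check(self, sender, recipient):
        """Return (allowed, reason). The first module that rejects decides."""
        identity = self.registry.get(recipient)
        for module in self.modules:
            if module == "IdentityAllowList":
                if identity is None:
                    return False, "IdentityAllowList: no registered identity"
                if identity not in self.identity_allow:
                    return False, "IdentityAllowList: identity not listed"
            elif module == "IdentityBlockList":
                # An unidentified recipient has nothing to match, so it passes.
                if identity is not None and identity in self.identity_block:
                    return False, "IdentityBlockList: identity listed"
            elif module == "AddressBlockList":
                # Both participants are checked; no identity lookup is involved.
                if sender in self.address_block or recipient in self.address_block:
                    return False, "AddressBlockList: wallet listed"
        return True, "ok"

# Constructed sample data: placeholder labels, not real addresses.
REGISTRY = {"wallet-a1": "id-alice", "wallet-a2": "id-alice",
            "wallet-b1": "id-bob", "wallet-b2": "id-bob"}

def demo():
    blocks = Policy(REGISTRY, ("IdentityBlockList", "AddressBlockList"),
                    identity_block={"id-alice"}, address_block={"wallet-b1"})
    empty_allow = Policy(REGISTRY, ("IdentityAllowList",))
    return {
        "identity_block_follows_rotation": blocks.check("wallet-x", "wallet-a2"),
        "address_block_misses_rotation": blocks.check("wallet-x", "wallet-b2"),
        "unknown_recipient_passes": blocks.check("wallet-x", "wallet-new"),
        "listed_sender_rejected": blocks.check("wallet-b1", "wallet-x"),
        "empty_allow_list_rejects": empty_allow.check("wallet-x", "wallet-a1"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The `unknown_recipient_passes` and `address_block_misses_rotation` cases are the two gaps to review when a policy relies on block lists alone.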
Combine with other controls
Identity lists form one part of an asset policy. Combine them with other modules to build the full compliance policy for your token:
- Identity verification when every recipient must hold accepted OnchainID claims.
- Country restrictions when eligibility depends on jurisdiction.
- Supply and investor limits when the asset has holder-count or supply caps.
- TimeLock when transfers must respect a holding period.
- Address block list, which has a dedicated operating guide for wallet-level blocking.