ERC-3009 — Transfer With Authorization

Back to Account & Authentication

ERC-3009: Transfer With Authorization

ERC-3009 lets a user sign an off-chain authorization to transfer tokens at a later block, with a relayer paying the gas to broadcast. It's the meta-transaction pattern shipped by USDC (transferWithAuthorization, receiveWithAuthorization, cancelAuthorization) and is one of the most widely used signature-based authorization patterns on Ethereum despite the EIP itself sitting at "Stagnant". The newer EIP-7758 (Review) is the actively-developed successor.

Required Interface

function transferWithAuthorization(
    address from, address to, uint256 value,
    uint256 validAfter, uint256 validBefore,
    bytes32 nonce,
    uint8 v, bytes32 r, bytes32 s
) external;

function receiveWithAuthorization(
    address from, address to, uint256 value,
    uint256 validAfter, uint256 validBefore,
    bytes32 nonce,
    uint8 v, bytes32 r, bytes32 s
) external;

function cancelAuthorization(
    address authorizer, bytes32 nonce,
    uint8 v, bytes32 r, bytes32 s
) external;

function authorizationState(address authorizer, bytes32 nonce) external view returns (bool);

The signature is an EIP-712 typed-data payload over a TransferWithAuthorization struct. The nonce is per-authorization (not sequential), preventing replay attacks and allowing parallel authorizations.

Neo Equivalent: Witness Scopes

Neo doesn't need a "transfer with authorization" extension because witness scopes already provide signed, scoped transfer authorization at the protocol level. A user signs a transaction with a witness scope that says "this signature authorizes only contract X to use my address as the from parameter". The relayer broadcasts; the contract runs Runtime.CheckWitness(from) and gets true because the witness scope validates.

ERC-3009 Component	Neo Equivalent
EIP-712 typed-data signature	Native transaction witness (Hash160 + ECDSA over the tx body)
validAfter / validBefore window	Transaction validUntilBlock (and signed-block enforcement)
Per-call nonce	Transaction nonce (sender-scoped, prevents replay)
cancelAuthorization	Don't broadcast the transaction (or invalidate by changing nonce)
Custom domain separator	Network magic + chain id, baked into the witness signature
Off-chain signing → on-chain ecrecover	Off-chain signing → on-chain Runtime.CheckWitness (no ecrecover round-trip)

The whole "signed authorization, relayer broadcasts" pattern is just a normal Neo transaction with the user as a signer (witness scope: CalledByEntry or narrower), submitted by a different relayer wallet that pays GAS.

Migration Notes

Solidity contracts using ERC-3009 should drop the *WithAuthorization methods entirely when compiled with neo-solc. The from address in NEP-17's transfer(from, to, amount, data) is verified by Runtime.CheckWitness(from) — which is the same security guarantee ERC-3009 provides via signature recovery, just enforced earlier in the call stack.

For the gasless meta-tx use case (relayer pays gas), see also our ERC-2612 Permit and ERC-2771 Trusted Forwarder mirrors — both reduce to "use a witness scope" on Neo.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

contract ERC3009 {
    bytes32 public constant TRANSFER_WITH_AUTH_TYPEHASH = keccak256(
        "TransferWithAuthorization(address from,address to,uint256 value,"
        "uint256 validAfter,uint256 validBefore,bytes32 nonce)"
    );

    bytes32 public DOMAIN_SEPARATOR;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(bytes32 => bool)) public authorizationState;

    event AuthorizationUsed(address indexed authorizer, bytes32 indexed nonce);
    event AuthorizationCanceled(address indexed authorizer, bytes32 indexed nonce);

    function transferWithAuthorization(
        address from, address to, uint256 value,
        uint256 validAfter, uint256 validBefore,
        bytes32 nonce, uint8 v, bytes32 r, bytes32 s
    ) external {
        require(block.timestamp >  validAfter,  "auth not yet valid");
        require(block.timestamp <  validBefore, "auth expired");
        require(!authorizationState[from][nonce], "auth already used");

        bytes32 structHash = keccak256(abi.encode(
            TRANSFER_WITH_AUTH_TYPEHASH, from, to, value, validAfter, validBefore, nonce
        ));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
        require(ecrecover(digest, v, r, s) == from, "invalid signature");

        authorizationState[from][nonce] = true;
        balanceOf[from] -= value;
        balanceOf[to]   += value;
        emit AuthorizationUsed(from, nonce);
    }
}

This entire mechanism collapses to transfer(from, to, amount, data) on Neo, with from proven by witness instead of ecrecover.

using System;
using System.ComponentModel;
using System.Numerics;
using Neo;
using Neo.SmartContract.Framework;
using Neo.SmartContract.Framework.Attributes;
using Neo.SmartContract.Framework.Native;
using Neo.SmartContract.Framework.Services;

namespace R3E.Examples;

// "Transfer With Authorization" on Neo is the default behavior — every NEP-17
// transfer that names a `from` proves authorization via Runtime.CheckWitness(from).
// The relayer broadcasts the tx; the user supplies a signature in the tx body.
//
// To restrict the relayer to ONLY this transfer (the equivalent of ERC-3009's
// per-nonce single-use authorization), the user signs the tx with a custom
// WitnessRule scope that limits the witness to one specific contract+method
// invocation. See: docs.neo.org/docs/n3/develop/write/transactions

[DisplayName("RelayedToken")]
[ContractPermission("*", "*")]
[SupportedStandards(NepStandard.Nep17)]
public class RelayedToken : Nep17Token
{
    public override string Symbol => "RLY";
    public override byte Decimals => 8;

    // No `transferWithAuthorization` method needed. The standard Transfer
    // already supports the meta-tx pattern:
    //   1. User signs a tx invoking Transfer(from=user, to=...)
    //      with a CalledByEntry or scoped witness.
    //   2. Relayer broadcasts the tx (relayer is the network sender, pays GAS).
    //   3. Transfer runs: Runtime.CheckWitness(from) succeeds because the
    //      witness scope validates the user's signature.
    //
    // Per-authorization replay protection comes from the tx nonce (Nonce field
    // in the Transaction), which is sender-scoped and validated by consensus.

    public static void Mint(UInt160 to, BigInteger amount)
    {
        if (!Runtime.CheckWitness(GetAdmin())) throw new Exception("admin only");
        Mint(to, amount);
    }

    private static UInt160 GetAdmin() => (UInt160)"0x0000000000000000000000000000000000000000";
}

For tighter authorization scoping (e.g. "this signature is only valid for one contract method"), use Neo's WitnessRule with conditions like CalledByContract or ScriptHash — composed by the wallet at signing time and enforced by the runtime.