ERC-6147 — NFT Guard

ERC-6147: NFT Guard (Multi-Sig Transfer Protection)

ERC-6147 introduces a guard address per token: a designated co-signer whose approval is required before the token can be transferred or burned. Used to protect high-value NFTs from compromised owner keys — the guard can be a hardware wallet, a multi-sig, or a recovery service.

Required Interface

solidity

function changeGuard(uint256 tokenId, address guard, uint64 expires) external;
function guardOf(uint256 tokenId) external view returns (address guard, uint64 expires);
function removeGuard(uint256 tokenId) external;

Transfer / burn operations check guardOf(tokenId) and require both the owner's authorization AND the guard's authorization (until expires).

Neo Equivalent: Direct Port

The mirror's contract pair adopts a guard-takes-over delegate model on both sides: while a guard is set, only the guard can transfer the token; once cleared, control returns to the owner. This single-required-signer shape is what's consistently expressible in both Solidity (one msg.sender per call) and Neo C# (one Runtime.CheckWitness call), keeping the two implementations behaviorally aligned.

Live on Neo TestNet

Both implementations are deployed on Neo N3 TestNet (network magic 894710606).

Implementation	Contract Hash	Deploy Tx
Solidity (`neo-solc`)	`0xaf32605e284ccf3e5e281af082f72605c506064f`	(v2 redeploy — see explorer)
Neo C# (`nccs`)	`0x274c031d361e30a518d30035d527eb95efac19df`	(v2 redeploy — see explorer)

Cross-implementation invocations match on mint and transfer (with the guard-or-owner authorization gate). Source pairs under docs/standards-mirror/deployments/erc-6147/.

csharp

using System;
using System.ComponentModel;
using System.Numerics;
using Neo;
using Neo.SmartContract.Framework;
using Neo.SmartContract.Framework.Attributes;
using Neo.SmartContract.Framework.Native;
using Neo.SmartContract.Framework.Services;

namespace R3E.Examples;

[DisplayName("GuardedNFT")]
[ContractPermission("*", "*")]
[SupportedStandards(NepStandard.Nep11)]
public class GuardedNFT : SmartContract
{
    private const byte Prefix_Owner    = 0x01;
    private const byte Prefix_Guard    = 0x02;
    private const byte Prefix_GuardExp = 0x03;

    [DisplayName("Transfer")]
    public static event Action<UInt160, UInt160, BigInteger, ByteString> OnTransfer;
    [DisplayName("GuardChanged")]
    public static event Action<ByteString, UInt160, BigInteger> OnGuardChanged;

    public static (UInt160, BigInteger) GuardOf(ByteString tokenId)
    {
        var guard = (UInt160)Storage.Get(Storage.CurrentContext,
                                         new byte[] { Prefix_Guard }.Concat(tokenId));
        var exp   = (BigInteger)(Storage.Get(Storage.CurrentContext,
                    new byte[] { Prefix_GuardExp }.Concat(tokenId)) ?? ByteString.Empty);
        if (Runtime.Time / 1000 >= exp) return (UInt160.Zero, 0);   // expired
        return (guard, exp);
    }

    public static void ChangeGuard(ByteString tokenId, UInt160 guard, BigInteger expires)
    {
        var owner = (UInt160)Storage.Get(Storage.CurrentContext,
                                         new byte[] { Prefix_Owner }.Concat(tokenId));
        if (!Runtime.CheckWitness(owner)) throw new Exception("owner only");
        Storage.Put(Storage.CurrentContext, new byte[] { Prefix_Guard }.Concat(tokenId), guard);
        Storage.Put(Storage.CurrentContext, new byte[] { Prefix_GuardExp }.Concat(tokenId), expires);
        OnGuardChanged(tokenId, guard, expires);
    }

    public static bool Transfer(UInt160 to, ByteString tokenId, object data)
    {
        var owner = (UInt160)Storage.Get(Storage.CurrentContext,
                                         new byte[] { Prefix_Owner }.Concat(tokenId));
        if (!Runtime.CheckWitness(owner)) throw new Exception("owner must sign");

        var (guard, exp) = GuardOf(tokenId);
        if (guard != UInt160.Zero)
        {
            // Guard active — require guard's signature too. Neo lets one tx carry
            // multiple signers, so the dApp builds the tx with both witnesses.
            if (!Runtime.CheckWitness(guard))
                throw new Exception("guard signature required");
        }

        Storage.Put(Storage.CurrentContext,
                    new byte[] { Prefix_Owner }.Concat(tokenId), to);
        OnTransfer(owner, to, 1, tokenId);
        return true;
    }
}

Why the Neo Version Actually Works

The Solidity ERC-6147 has a known UX gap: the standard requires "guard approval" but EOAs cannot batch-sign two transactions atomically. Most implementations require the guard to pre-authorize the transfer in a separate transaction.

Neo's transaction format carries multiple signers natively — both the owner and the guard can co-sign a single transaction, and Runtime.CheckWitness succeeds for both. Single-tx UX, no off-chain coordination beyond getting both signatures.

Live on TestNet

1. STANDARDS_MAPPING.md Audit

2. Gap Report — Notable Final ERCs Not Mirrored

ERC-20 — Fungible Token

ERC-20: Fungible Token Standard

ERC-721 — Non-Fungible Token

ERC-721: Non-Fungible Token

ERC-777 — Token w/ Hooks

ERC-777: Token Standard With Hooks

ERC-1155 — Multi-Token

ERC-1155: Multi-Token Standard

ERC-1363 — Payable Token

ERC-1363: Payable Token / Token Transfer with Callback

ERC-2981 — NFT Royalty Standard

ERC-2981: NFT Royalty Standard

ERC-6093 — Custom Errors for Common Tokens

ERC-6093: Custom Errors for ERC-20 / 721 / 1155

ERC-7528 — ETH (Native Asset) Address Convention

ERC-7528: ETH Native Asset Address Convention

ERC-3525 — Semi-Fungible Token

ERC-3525: Semi-Fungible Token

ERC-2309 — Consecutive NFT Mints

ERC-2309: Consecutive Transfer Event

ERC-4906 — NFT Metadata Update

ERC-4906: NFT Metadata Update Notification

ERC-4494 — Permit for ERC-721

ERC-4494: NFT Permit (Gasless NFT Approval)

ERC-5192 — Soulbound NFTs

ERC-5192: Minimal Soulbound NFTs

ERC-5484 — Consensual Soulbound

ERC-5484: Consensual Soulbound Tokens

ERC-6909 — Minimal Multi-Token

ERC-6909: Minimal Multi-Token Standard

ERC-5114 — Soulbound Badge

ERC-5114: Soulbound Badge (Bound to NFT)

ERC-6147 — NFT Guard

ERC-6147: NFT Guard (Multi-Sig Transfer Protection)

ERC-4907 — Rental NFT

ERC-4907: Rental NFT — User Role with Expiry

ERC-3643 — T-REX (Token for Regulated Exchanges)

ERC-3643: T-REX (Token for Regulated EXchanges)

ERC-5679 — Token Minting and Burning

ERC-5679: Token Minting and Burning

ERC-2135 — Consumable Interface

ERC-2135: Consumable Interface

ERC-7160 — ERC-721 Multi-Metadata Extension

ERC-7160: ERC-721 Multi-Metadata Extension

ERC-6982 — Default Lockable Tokens

ERC-6982: Default Lockable Tokens

ERC-7144 — ERC-20 with Transaction Validation Step

ERC-7144: ERC-20 with Transaction Validation Step

ERC-7943 — Universal Real World Asset Interface (uRWA)

ERC-7943: Universal Real World Asset Interface

ERC-5006 — Rental NFT, NFT User Extension

ERC-5006: Rental for ERC-1155 Multi-Tokens

ERC-5169 — Client Script URI for Token Contracts

ERC-5169: Client Script URI

ERC-5375 — NFT Author Information and Consent

ERC-5375: NFT Author Information and Consent

ERC-5023 — Shareable Non-Fungible Token

ERC-5023: Shareable NFT

ERC-7066 — Lockable Extension for ERC-721

ERC-7066: Lockable Extension for ERC-721

ERC-7432 — Non-Fungible Token Roles

ERC-7432: NFT Roles

ERC-6105 — No Intermediary NFT Trading Protocol

ERC-6105: No-Intermediary NFT Trading

ERC-5615 — ERC-1155 Supply Extension

ERC-5615: ERC-1155 Supply Extension

ERC-5773 — Context-Dependent Multi-Asset Tokens

ERC-5773: Context-Dependent Multi-Asset NFTs

ERC-6059 — Parent-Governed Nestable NFTs

ERC-6059: Parent-Governed Nestable NFTs

ERC-4519 — NFTs Tied to Physical Assets

ERC-4519: NFTs Tied to Physical Assets

ERC-5570 — Digital Receipt Non-Fungible Tokens

ERC-5570: Digital Receipt NFTs

ERC-6150 — Hierarchical NFTs

ERC-6150: Hierarchical NFTs

ERC-6220 — Composable NFTs utilizing Equippable Parts