--- tzip: 0xx title: FA2.1 status: Draft author: type: Financial Application (FA) created: 2022-08-10 date: 2022-09-26 version: 0.3 --- ## Summary TZIP-0xx proposes FA2.1 as an extension of the FA2 standard introduced in [TZIP-012](https://tzip.tezosagora.org/proposal/tzip-12/). FA2.1 adds support for on-chain views, tickets, events, and a finite allowance mechanism similar to FA1.2. ## Abstract The goal of the FA2.1 extension is to include new protocol features while remaining fully compatible with current applications that rely on the FA2 standard. **Events** are a means to solve discoverability problems encountered by indexers, i.e. to know when a token is transferred especially outside the specified transfer entrypoint (mint, burn, etc…). **On-chain views** are a means for smart contracts to share information easily. Callback views are kept for compatibility with already deployed contracts. **Tickets** are a way to materialize tokens outside of smart contracts. They can be transferred without calling the creator contract and affecting its status. Tezos rollups rely on tickets for representing Layer 1 assets on Layer 2. Additionally, **finite allowance**, enabling a user to grant permission to spend a fixed amount of tokens, is introduced (based on the FA1.2 scheme). ## General The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC 2119](https://www.ietf.org/rfc/rfc2119.txt). FA2.1 MUST comply with the same rules defined by FA2 standard: - Token type is uniquely identified on the chain by a pair composed of the token contract address and token ID, a natural number (`nat`). If the underlying contract implementation supports only a single token type (e.g. ERC-20-like contract), the token ID MUST be `0n`. In cases where multiple token types are supported within the same FA2.1 token contract (e. g. ERC-1155-like contract), the contract is fully responsible for assigning and managing token IDs. - The FA2.1 batch entrypoints accept a list (batch) of parameters describing a single operation or a query. The batch MUST NOT be reordered or deduplicated and MUST be processed in the same order it is received. - An empty batch is a valid input and MUST be processed as a non-empty one. For example, an empty transfer batch will not affect token balances, but applicable transfer core behavior and permission policy MUST be applied. - If the underlying contract implementation supports only a single token type, the batch may contain zero or multiple entries where token ID is a fixed `0n` value. Likewise, if multiple token types are supported, the batch may contain zero or more entries and there may be duplicate token IDs. ## Extension specification Token contracts implementing the FA2.1 standard MUST follow this interface: * entrypoints: * balance_of (for backwards compatibility with FA2) * update_operators (for backwards compatibility with FA2) * transfer * approve * export_ticket * import_ticket * views: * get_balance * get_total_supply * get_all_tokens * is_operator * get_allowance * get_token_metadata * events: * transfer_event * operator_update * approval_update * token_metadata_update The FA2 entrypoints `balance_of` and `update_operators` should be deprecated at some point, but many applications rely on them so they MUST be implemented for backwards compatibility. In some specific use cases, `export_ticket` and `import_ticket` may cause conflicts with the transfer policy. For this reason, one can simply throw an "FA2.1_TICKETS_UNSUPPORTED" error without implementing the logic of both entrypoints. This standard relies on a specific type of ticket: `(pair nat (option bytes))` to represent assets. Be cautious to not reuse this type if you implement another custom ticket functionnality. ### Entrypoint semantics #### `transfer` The core behavior is the same as for FA2 with additional rules regarding allowances: * To avoid conflicts between `approve` and `update_operators`, the operator's rights take precedence over those of the spender. * If the allowance of the sender falls under zero, the transfer MUST fail with the `"FA2.1_INSUFFICIENT_ALLOWANCE"` error message. * Transfer of zero amount is allowed but in the case of allowance, if no allowance is set (or is equal to zero), the transfer MUST fail. In the case of a self transfer (`%from_ == %to_`), make sure to not allow one to transfer more than they own, i.e. do not update `%to_`'s balance before `%from_`'s balance. #### `approve` ``` (list %approve (pair (address %owner) (address %spender) (nat %token_id) (or (nat %increase) (nat %decrease) ) ) ) ``` This entrypoint allows a token owner to increase or decrease the allowance set to `spender`. The `spender` can withdraw multiple times from the `owner`'s balance up to the value set by `owner`. In case of a decrease below zero, no error is thrown, the allowance MUST be removed. Each call of `transfer` and `export_ticket` entrypoints decreases the allowance amount by the transferred amount of tokens, unless the transfer is called with `from_` being equal to sender or with `from_` being an operator on behalf of the sender. The standard does not specify who is permitted to update spenders on behalf of the token owner. Depending on the business use case, the particular implementation of the FA2.1 contract MAY limit operator updates to a token owner (`owner == SENDER`) or it can be limited to an administrator. #### `export_ticket` ``` (list %export_ticket (pair (or %destination (contract (ticket (pair nat (option bytes)))) (contract (list (ticket (pair nat (option bytes))))) ) (list %tickets_to_export (pair (address %from_) (nat %token_id) (nat %amount) ) ) ) ) ``` The ticket id MUST be a pair containing the `token_id` and any additional information (a timestamp for example) as an `option bytes`. The ticket value MUST be the `amount`. In the case of the `destination` being a: * `(contract (ticket (pair nat (option bytes))))`, an operation is emitted for each exported ticket. * `(contract (list (ticket (pair nat (option bytes)))))`, only one operation is necessary to transfer the tickets batched in a list. The destination SHOULD be a contract able to manage tickets. The entrypoint MUST comply with the same policy as the `transfer` entrypoint. The balance of `%destination` and the total supply MUST remain unchanged. #### `import_ticket` ``` (list %import_ticket (pair (address %to_) (list %tickets_to_import (ticket (pair nat (option bytes))) ) ) ) ``` The nat value of the ticket id of type `(pair nat (option bytes))` represents the `token_id` and the ticket value represents the amount to be credited to the `to_` address for the corresponding `token_id`. The ticket MUST be destroyed upon import. If the ticket has not been created by the contract in which it is imported (`ticketer != SELF_ADDRESS`), the entrypoint MUST fail with the error mnemonic "FA2.1_INVALID_TICKET". The total supply MUST remain unchanged. ### Views We recommend to not throw an error inside a view but rather responding with a meaningful default value to let the callers choose their actions. For example, returning 0 when trying to get the balance of a non-existing wallet. #### `get_balance` Returns the number of tokens `%token_id` held for each `%owner` in the `%requests` list. ``` view "get_balance" (list %requests (pair (address %owner) (nat %token_id) ) ) (list (pair (address %owner) (nat %token_id) (nat %balance) ) ) ``` #### `get_total_supply` Returns the total supply of `token_id`. The total supply accounts for the number of tokens stored by the contract and the ones exported in tickets. i.e., exporting or importing tickets MUST not change the total supply. ``` view "get_total_supply" (list %requests (nat %token_id)) (list (pair (nat %token_id) (nat %total_supply) ) ) ``` #### `get_all_tokens` Has a unit parameter and returns the list of all the token IDs, (list nat), known to the contract. ``` view "get_all_tokens" unit (list (nat %token_id)) ``` #### `is_operator` Returns true if `%operator` is an operator of `%owner` for the token `%token_id` for each triplet in the `%requests` list. ``` view "is_operator" (list %requests (pair (address %owner) (address %operator) (nat %token_id) ) ) (list (pair (address %owner) (address %operator) (nat %token_id) (bool %is_operator) ) ) ``` #### `get_allowance` Returns the number of tokens `%token_id` allowed by `%owner` for `%spender` for each triplet in the `%requests` list. ``` view "get_allowance" (list %requests (pair (address %owner) (address %spender) (nat %token_id) ) ) (list (pair (address %owner) (address %spender) (nat %token_id) (nat %allowance) ) ) ``` #### `get_token_metadata` Returns the metadata aasociated to each `%token_id` in the `%requests` list. ``` view "get_token_metadata" (list %requests (nat %token_id) ) (list (pair (nat %token_id) (bytes %token_metadata) ) ) ``` ### Events #### `transfer_event` MUST be triggered when a balance is updated by any mechanism. `%sender` is the sender of the transaction (`SENDER` in Michelson). In case of a ticket export or any burn-like mechanism, the `option %to_ address` MUST be `none`. In case of a ticket import or any mint-like mechanism, the `option %from_ address` MUST be `none`. The case where both option are `none` should be considered as invalid. ``` (pair %transfer_event (address %sender) (list %transfer (pair (option %from_ address) (list %txs (pair (option %to_ address) (nat %token_id) (nat %amount) ) ) ) ) ) ``` #### `operator_update` MUST be triggered when an operator is updated by any mechanism. ``` (pair %operator_update (address %sender) (list %updates (pair (address %owner) (address %operator) (nat %token_id) (bool %is_operator) ) ) ) ``` `%is_operator` is true if `%operator` has been set as an operator by `owner` and false otherwise. #### `approval_update` MUST be triggered when a spender's allowance is updated by any mechanism. ``` (pair %approval_update (address %sender) (list %updates (pair (address %owner) (address %spender) (nat %token_id) (nat %new_value) (nat %old_value) ) ) ) ``` #### `token_metadata_update` MUST be triggered when a token metadat is updated by any mechanism, for example mint, burn, reveal, etc. In case of the token is burned the `option %new_value bytes` MUST be `none`. ``` (pair %token_metadata_update (address %sender) (list %updates (pair (nat %token_id) (option %new_value bytes) ) ) ) ``` ### Error Handling Following FA2 pattern: | Error mnemonic | Description | | :------------------------------- | :---------------------------------------------------------------------------------------------------- | | `"FA2.1_INVALID_TICKET"` | A ticket import failed because one of the ticket doesn't belong to the contract (`ticketer != SELF_ADDRESS`) | | `"FA2.1_TICKETS_UNSUPPORTED"` | Ticket export/import isn't supported | | `"FA2.1_INSUFFICIENT_ALLOWANCE"` | A token spender does not have sufficient allowance to transfer tokens from owner's account | ### Contract metadata Following the [TZIP-16](https://tzip.tezosagora.org/proposal/tzip-16/) about smart contract metadata, a new field is reserved but optional: - `"NFT only"` (optional, default: false): if the contract manages only NFTs, this flag SHOULD be set to `true` then the contract MUST NOT allow a total supply greater than 1 for any `token_id`.