In blockchain and smart contract security, an Action Whitelist functions as a restrictive access control list (ACL). Instead of a blacklist which blocks specific known-bad actions, a whitelist adopts a default-deny posture: only pre-approved actions, identified by their function signatures or operation codes, are allowed to execute. This model is fundamental to the principle of least privilege, severely limiting the attack surface by preventing any unintended or malicious interactions that aren't explicitly sanctioned by the contract's logic.
LABS
Glossary
Action Whitelist
An Action Whitelist is a predefined set of authorized smart contract calls or transaction parameters that a session key is permitted to execute on behalf of a user's smart contract wallet.
Chainscore © 2026
definition
SECURITY PRIMITIVE
What is an Action Whitelist?
An Action Whitelist is a security mechanism in smart contracts that explicitly defines the set of permitted functions or operations that an external account or contract is authorized to call.
Technically, implementation often involves a mapping—such as mapping(address => mapping(bytes4 => bool)) in Solidity—that stores a boolean flag for each caller address and function selector pair. A modifier like onlyWhitelistedAction(bytes4 _selector) is then applied to sensitive functions to check this mapping before execution. This granularity allows contracts to delegate specific capabilities to other addresses, a common pattern in upgradeable proxy patterns where a proxy contract whitelists calls to a logic contract, or in decentralized autonomous organizations (DAOs) where member proposals are limited to a set of safe treasury actions.
The primary use case for Action Whitelists is to enable secure, constrained composability. For example, a lending protocol might whitelist only the repayBorrow function for a specific liquidator contract, preventing it from accidentally or maliciously calling withdrawReserves. In token vesting contracts, a whitelist can permit a beneficiary to only claim tokens, not alter the vesting schedule. This contrasts with broader role-based systems like OpenZeppelin's AccessControl, which grants all functions associated with a role, making whitelists a more precise tool for function-level permissions.
While highly secure, Action Whitelists introduce management overhead. The whitelist state must be meticulously maintained—adding and removing entries—through privileged administrative functions, which themselves become critical security points. Poor management can lead to operational failure if necessary functions are omitted. Furthermore, because they are so restrictive, they can sometimes hinder legitimate composability if not designed with future integrations in mind, requiring careful planning of the initial allowed action set and a secure process for updates.
how-it-works
BLOCKCHAIN SECURITY
How an Action Whitelist Works
An action whitelist is a security mechanism that restricts a smart contract or protocol to executing only a pre-approved set of functions, preventing unauthorized or malicious operations.
An action whitelist is a security control, often implemented as a mapping or array within a smart contract, that explicitly enumerates the function signatures or operation codes that are permitted for execution. This creates a default-deny environment where any action not on the list is automatically rejected. This is a critical component in upgradable contract architectures and delegatecall-based proxy patterns, where it limits what logic a proxy can execute, thereby mitigating the risk of a malicious implementation contract taking unintended actions. It is a more granular and proactive form of access control than simple admin roles.
The core mechanism involves a modifier or a check within the contract's fallback function that validates the incoming call data against the stored whitelist. For example, in a diamond proxy (EIP-2535) setup, a Loupe facet might maintain the whitelist, and the proxy's dispatcher will revert any call to a function selector not present in that list. This ensures that even if an attacker gains the ability to upgrade a facet, they cannot introduce entirely new, unvetted functionality. The whitelist is typically managed by a multi-signature wallet or a decentralized autonomous organization (DAO) through a governance process, balancing security with upgradeability.
Implementing an action whitelist involves significant trade-offs. While it drastically reduces the attack surface and is considered a best practice for secure upgradeability, it also adds complexity to development and governance. Every new feature or bug fix requires a governance proposal to add the new function selectors to the whitelist before deployment. Furthermore, the whitelist must be meticulously curated to include all necessary view/pure functions and internal helper functions that might be called via delegatecall, as omissions can render parts of the protocol unusable.
key-features
SECURITY PRIMITIVE
Key Features of an Action Whitelist
An Action Whitelist is a security mechanism that explicitly defines the set of permitted operations a smart contract can perform, acting as a proactive filter to prevent unauthorized or malicious interactions.
01
Principle of Least Privilege
An Action Whitelist enforces the Principle of Least Privilege by restricting a smart contract's capabilities to only the specific functions it needs to operate. This minimizes the attack surface by preventing calls to unexpected or vulnerable external contracts, even if the primary contract logic is compromised.
02
Proactive Security vs. Reactive Blacklists
Unlike a blacklist, which blocks known-bad addresses or functions, a whitelist is a default-deny model. It only allows pre-approved actions, making it inherently more secure against novel attack vectors and zero-day exploits that wouldn't be on a reactive blacklist.
03
Common Implementation Patterns
Whitelists are typically implemented as:
- A mapping (e.g.,
mapping(address => bool) public isWhitelisted;) for approved contract addresses. - An array of function selectors or signature hashes for approved methods.
- Managed by a governance mechanism or multi-signature wallet for updates, ensuring changes are deliberate and auditable.
04
Use Case: Token Approvals & Vaults
A DeFi vault uses an action whitelist to restrict which protocols it can interact with and which tokens it can approve for spending. For example, a vault might whitelist only specific lending pools and DEX routers, preventing a hack from draining all approved tokens to an unknown contract.
05
Use Case: Cross-Chain Messaging
In cross-chain bridges and omnichain applications, action whitelists are critical for validating incoming messages. Only pre-approved source chains, sender contracts, and specific function calls are allowed to execute, mitigating risks from malicious or spoofed interchain messages.
06
Trade-offs and Considerations
While enhancing security, whitelists introduce administrative overhead for maintenance and can limit composability. They require careful governance to avoid becoming a centralization bottleneck. The whitelist manager itself becomes a critical trust point in the system's security model.
PARAMETER TYPES
Common Parameters in an Action Whitelist
A comparison of typical fields used to define and restrict permissible actions within a smart contract or protocol.
| Parameter | Description | Common Values | Enforcement |
|---|---|---|---|
Target Address | The smart contract address the action is allowed to interact with. | 0x... (EVM), SP3... (Stacks) | |
Function Selector | The 4-byte signature of the specific function to be called. | 0x23b872dd (transferFrom) | |
Maximum Value | The maximum amount of native token (e.g., ETH) that can be sent with the call. | 0.1 ETH | |
Calldata Pattern | A pattern or rule set defining permissible input arguments for the function call. | First arg must be >= 100 | |
Gas Limit | The maximum amount of gas the whitelisted call is permitted to consume. | 100,000 gas | |
Expiry Timestamp | A UNIX timestamp after which the whitelist entry is no longer valid. | 1735689600 | |
Call Depth | Restricts whether the call can make subsequent external calls (reentrancy). | <= 1 |
examples
ACTION WHITELIST
Real-World Examples & Use Cases
Action whitelists are a critical security primitive, moving beyond simple address permissions to control specific on-chain interactions. These examples illustrate their implementation and impact across DeFi, DAOs, and institutional finance.
03
Institutional Compliance & On-Chain Policies
Financial institutions and regulated DeFi platforms use action whitelists to encode compliance rules directly into transaction flows. This can automate adherence to:
- Travel Rule protocols, whitelisting only verified VASP (Virtual Asset Service Provider) addresses for transfers.
- Sanctions screening, by whitelisting interactions with compliant DEX pools or lending markets.
- Internal dealer limits, restricting trading bots to pre-approved venues and maximum position sizes. These programmable policies create enforceable, transparent compliance at the protocol level.
100%
Policy Enforcement
05
Upgradable Contract Governance
In upgradable proxy contract patterns (e.g., Transparent Proxy, UUPS), action whitelists manage the upgrade process itself. A Timelock contract or multi-sig may be whitelisted as the only address that can execute the upgradeTo function. Furthermore, the whitelist can restrict the implementation address to a registry of audited contracts. This creates a secure path for protocol evolution by:
- Preventing instant, unilateral upgrades by a single admin key.
- Ensuring all new logic contracts undergo a community vote or security review before being added to the whitelist.
24-72h
Typical Timelock Delay
security-considerations
ACTION WHITELIST
Security Considerations & Best Practices
An action whitelist is a security mechanism that explicitly defines the set of permitted operations a smart contract or protocol can execute, blocking all others by default. This section details its core principles and implementation strategies.
01
Principle of Least Privilege
An action whitelist enforces the Principle of Least Privilege by default. Instead of trying to predict and block every possible malicious action (a blacklist), the system only permits a finite, pre-approved set of actions. This drastically reduces the attack surface and is the recommended security model for managing upgradeable contracts, cross-chain messaging, and governance-executed transactions.
02
Key Implementation Patterns
Common technical implementations include:
- Function Selector Whitelists: Storing the 4-byte function signatures (e.g.,
0x12345678) that a proxy or router is allowed to delegatecall. - Target Address Whitelists: Specifying which external contract addresses a system can interact with.
- Parameter Validation: Whitelists can extend to specific argument values, like token addresses or destination chain IDs. A robust system often combines these patterns for defense in depth.
03
Governance & Management
Managing the whitelist is a critical governance function. Best practices include:
- Using a timelock on all whitelist updates to allow for community review.
- Implementing a multi-signature wallet or DAO vote for approvals.
- Maintaining a clear, public record of all whitelisted actions. Poor key management or rushed updates can render the whitelist ineffective or introduce new vulnerabilities.
04
Common Vulnerabilities
Even with a whitelist, risks remain:
- Whitelist Poisoning: If governance is compromised, an attacker can whitelist a malicious function.
- Insufficient Validation: Whitelisting an address without restricting the function selector, or vice versa, can be exploited.
- Logic Flaws in Whitelisted Code: The whitelist only controls access; the underlying logic of a whitelisted contract must still be secure. Regular audits are essential.
05
Use Case: Cross-Chain Bridges
Bridges like Wormhole and LayerZero use action whitelists as a core security component. Their relayers or oracles are only authorized to trigger specific, pre-defined functions on the destination chain (e.g., mintTokens or unlockTokens). This prevents a compromised validator from executing arbitrary code, limiting damage to the whitelisted actions.
06
Use Case: Upgradeable Proxies
In proxy patterns (e.g., Transparent or UUPS), the proxy contract often uses a whitelist to restrict which functions in the implementation can be called via delegatecall. This prevents the implementation from self-destructing the proxy or altering its storage arbitrarily. It confines upgrade logic to a specific, whitelisted function like upgradeTo(address).
DEBUNKED
Common Misconceptions About Action Whitelists
Action whitelists are a critical security primitive, but their implementation and guarantees are often misunderstood. This section clarifies the precise technical boundaries and limitations of this mechanism.
An action whitelist is a security mechanism that explicitly enumerates the smart contract functions or transaction types a user's account is permitted to interact with, blocking all others by default. It works by integrating with a user's wallet or a smart contract wallet like a Safe, where a policy contract validates every transaction against a predefined list of approved target addresses and function selectors (e.g., 0x... for a specific swap() function). If the call matches an entry, it proceeds; otherwise, it is automatically rejected. This is a form of principle of least privilege, drastically reducing the attack surface from malicious or buggy contracts.
technical-implementation
ACTION WHITELIST
Technical Implementation (ERC-4337 Context)
Within the ERC-4337 standard for account abstraction, an Action Whitelist is a security and gas optimization mechanism that restricts a smart contract wallet to executing only a predefined set of trusted operations.
An Action Whitelist is a security feature implemented within an ERC-4337 UserOperation validation logic, typically in the wallet's EntryPoint or a module like a Session Key. It explicitly enumerates the smart contract addresses and function selectors (e.g., transfer(address,uint256)) that the account is permitted to interact with during a given session or transaction. This creates a constrained execution environment, preventing the wallet from signing off on malicious or unintended interactions, such as approving unlimited token spends or calling unknown contracts. By limiting scope, it significantly reduces the attack surface for phishing and malicious dApps.
From a gas optimization perspective, whitelists enable more efficient UserOperation validation. Because the set of allowed actions is known and limited, the validation logic can be simpler and require fewer computational steps to verify. This can lower the preVerificationGas cost for the operation, making transactions cheaper for the user. Furthermore, whitelists are a foundational concept for implementing session keys, where a user can grant temporary, limited permissions to a dApp for a smoother UX without surrendering full control of their account.
Implementing an action whitelist involves defining the logic within the account's validateUserOp function or a dedicated validation module. A common pattern checks the UserOperation's callData against a stored mapping of permitted to addresses and function signatures. For example, a gaming session key might only whitelist calls to a specific game contract's playTurn function and a specific ERC-20 contract's transferFrom function for in-game currency. This granular control balances usability with security, allowing for specialized wallet configurations tailored to specific dApp interactions.
ACTION WHITELIST
Frequently Asked Questions (FAQ)
Common questions about Action Whitelists, a core security and governance mechanism for managing smart contract interactions within a protocol.
An Action Whitelist is a security control mechanism that explicitly defines which smart contract functions or transaction types are permitted to be executed within a specific protocol or system. It works by maintaining an on-chain registry of approved function signatures or contract addresses, and the protocol's core logic checks every incoming transaction against this list before allowing execution. This is a form of positive security model, where only pre-approved actions are allowed, contrasting with a blacklist that only blocks known malicious ones. It is commonly used in upgradeable contracts, decentralized autonomous organizations (DAOs), and cross-chain messaging protocols to minimize attack surface and enforce governance policies.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall