Capability Invocation

A core tenet where a capability grants the minimum necessary authority to perform a task. Instead of giving a smart contract full control over a user's wallet, a capability might only allow it to spend up to 100 USDC. This drastically limits the impact of a compromised or malicious contract.

• Example: A DeFi lending protocol only receives a capability to withdraw the exact collateral amount for a loan, not the entire wallet balance.
• Contrasts with the all-or-nothing approve() model in traditional token standards.

The underlying security paradigm where authority is inseparable from the reference to an object. Possession of the capability is the proof of permission; there is no separate access control list to check.

• Unforgeable: Capabilities are created by the resource owner and cannot be fabricated by other parties.
• Delegatable: The holder of a capability can choose to pass it (or a derived, limited version) to another entity, enabling secure composability.
• Foundation for secure inter-contract communication in systems like the Cosmos SDK and Flow blockchain.

Once a user grants a capability to Contract A, Contract A can use that authority to call other contracts (B, C) on the user's behalf without requiring the user to sign new transactions. This enables complex, multi-step DeFi transactions (like a cross-protocol yield strategy) to be executed in a single atomic bundle.

• Efficiency: Reduces user friction and transaction count.
• Security Context: The downstream contracts (B, C) interact with the original capability, maintaining the chain of authority and the original permission scope.

Capabilities can be designed with time-bound validity or be revocable by the grantor. This provides fine-grained control over delegated permissions.

• Expiry: A capability to use an API key might be valid for only 24 hours.
• Revocation: The resource owner can invalidate a capability at any time, instantly removing the delegated authority. This is often implemented by having the target contract check a revocation registry or a nonce.
• Contrast with static ERC-20 allowances, which persist until explicitly set to zero.

Highlights the fundamental shift from identity-based to capability-based security.

• ERC-20 approve(): Grants permission to a specific address (identity) to spend tokens up to a limit. Any contract with that address can use the allowance.
• Capability Invocation: Grants permission to a specific capability object. Only the holder of that exact object can exercise the permission, regardless of its address. This prevents confused deputy attacks and phishing risks associated with excessive allowances.

In practice, a capability is often implemented as a signed message or a unique token (like an NFT or a session key) that a smart contract must present when calling a protected function.

• Signed Delegation: User signs a structured message authorizing specific actions, which a relayer contract verifies.
• Capability Tokens: An NFT minted to represent a permission; holding the NFT in the caller's context grants access. Burning the NFT revokes it.
• Frameworks: Used in Sealevel (Solana's parallel runtime), Cadence (Flow), and CosmWasm for secure cross-contract calls.

In blockchain gaming, capability invocation creates session keys. A user can grant a game client temporary, limited permissions—like the ability to move their NFT character or spend in-game tokens—for a set duration. This allows seamless gameplay without constant wallet pop-ups, while the underlying assets remain secure in the user's primary wallet. The capability automatically expires after the session.

Capabilities enable secure cross-chain messaging. A user on Chain A can issue a capability authorizing a bridge or router contract on Chain B to mint a wrapped asset, with the capability serving as proof of locked collateral on the origin chain. The system uses cryptographic signatures or verifiable credentials to prove the holder is authorized to perform that specific minting action, without exposing private keys.

In Decentralized Autonomous Organizations (DAOs), token holders can delegate their voting power using capabilities. Instead of transferring tokens, a holder issues a capability to a delegate, granting them the right to vote on proposals for a specific period or topic. This is more secure than full token delegation, as the capability can be scope-limited (e.g., only for treasury proposals) and revoked instantly, mitigating misuse risk.

Oracles use capability invocation to provide authenticated data to smart contracts. A data provider signs a message (the capability) containing a specific price feed for a specific pair. The consuming contract verifies the signature and the capability's scope—checking the authorized data type, timestamp, and provider—before accepting the input. This prevents unauthorized or spoofed data from being injected into the contract's logic.

Capability Invocation replaces the all-or-nothing key-based authorization of traditional accounts with a least-privilege model. Instead of signing a transaction with a private key that grants full control, a user signs a capability object that explicitly authorizes a single, scoped action, such as 'spend 10 USDC from vault A' or 'delegate voting power for proposal #42'. This prevents malicious dApps from draining wallets or performing unauthorized actions.

The primary technical standard is the CACAO (CApability Object) format, often used with SIWE (Sign-In with Ethereum). A CACAO is a signed JSON payload containing:

• iss (issuer): The user's decentralized identifier (DID).
• aud (audience): The resource or service being accessed.
• resources: An array of URIs specifying the exact resources and actions permitted (e.g., ceramic://* for data streams). This signed object is presented to a resource server to invoke the granted capability.

DApps use capability invocation to create secure, session-based interactions without exposing private keys. For example:

• A user signs a CACAO granting a gaming dApp the capability to mint one NFT on their behalf.
• A DeFi user grants a time-limited capability to a router contract to swap tokens, with a defined slippage limit.
• A data platform receives a capability to write to a specific data stream on a decentralized network like Ceramic. This confines dApp permissions to the exact intended actions.

The UCAN (User Controlled Authorization Networks) specification builds upon CACAOs to enable delegatable capabilities. A user (the origin) can issue a UCAN token to a service, which can then delegate a subset of that capability to another service, creating a verifiable chain of authorization. This enables complex, multi-service workflows (e.g., a backend service processing user data) while maintaining an audit trail back to the original user's intent.

Capability invocation offers key advantages:

• Reduced Attack Surface: Eliminates the risk of a malicious contract draining an entire wallet via an approve transaction.
• User Intent Clarity: Signing requests are explicit about the action being authorized.
• Composability: Capabilities are self-contained tokens that can be passed between services.
• Revocability: Capabilities can be designed with expiry times or be invalidated by the issuer. This model is foundational for secure account abstraction and user-friendly wallets.

This paradigm is being adopted by key infrastructure projects:

• WalletConnect: Uses capabilities for secure session authorization.
• Ceramic Network: Uses CACAOs for writing to decentralized data streams.
• EIP-5792: Proposes a standard for wallet capabilities on Ethereum, allowing wallets to expose specific functions to dApps.
• Fission Codes: Implements UCANs for serverless, user-controlled web apps. It represents a shift towards more granular and user-centric security across the Web3 stack.

The core security benefit of capabilities. Each capability grants only the minimum permissions necessary for a specific task. This compartmentalizes risk, preventing a compromised component from accessing unrelated system resources. For example, a token swap contract would receive a capability to transfer only the specific tokens involved, not blanket access to a user's entire wallet.

A critical risk is the uncontrolled propagation of capabilities. If a smart contract receives a powerful capability and can delegate it freely, the security model breaks. Mitigations include:

• Attenuation: Creating a derived capability with reduced rights.
• Restricting Delegation: Designing capabilities that are non-transferable or only delegatable under strict rules.
• Sandboxing: Ensuring received capabilities cannot be stored or passed on unintentionally.

This classic security flaw occurs when a component with a capability (the deputy) is tricked by a less-privileged attacker into misusing that authority. In blockchain, a user might invoke a benign-seeming contract that then uses an attached capability maliciously. Defenses include ambient authority elimination (only capabilities grant access) and designating the invoker as part of the capability's authority check.

Once granted, revoking a capability can be difficult in decentralized systems. Common patterns include:

• Expiring Capabilities: Time-bound or single-use tokens.
• Indirect Capabilities: Granting access via a proxy or manager contract that can update permissions.
• Capability Registries: A central on-chain record that can invalidate tokens, though this introduces a central point of control. The trade-off between flexibility and secure revocation is a key design decision.

A capability must be invoked through a well-defined, safe interface. Security vulnerabilities arise if:

• The interface allows unexpected operations (interface confusion).
• The underlying resource's implementation changes, breaking the capability's assumed safety guarantees.
• Static type systems and formal verification of capability interfaces are used to prove that only authorized operations can be invoked.

PDAs demonstrate capability-like security. A program generates a PDA that it alone can sign for, acting as a capability to control specific on-chain state. Security considerations include:

• Ensuring the PDA derivation is deterministic and collision-resistant.
• Carefully managing which programs are granted signing authority for a PDA.
• Preventing PDAs from being used to escalate privileges beyond their intended scope, such as accessing accounts they do not own.