Compliance Attestation Token

CATs are typically implemented using token standards with built-in transfer restrictions, such as ERC-3643 or ERC-4671. These standards prevent the token from being moved to another wallet, ensuring the attestation is permanently bound to the verified entity (e.g., a specific Ethereum address). This immutability is fundamental to preventing attestation forgery or sale.

Each token acts as a verifiable credential, storing core attestation data on-chain. This typically includes:

• Issuer Identity: The decentralized identifier (DID) or address of the accredited compliance provider.
• Subject: The wallet address or smart contract being attested.
• Claim: The specific compliance status (e.g., KYC_Verified, Accredited_Investor).
• Validity Period: Expiration timestamp or revocation mechanism. Any protocol can permissionlessly query the blockchain to verify this credential's authenticity and current state.

Smart contracts can be programmed to gate access based on the presence or specific properties of a CAT. For example, a DeFi lending pool's deposit() function can require a SANCTIONS_NOT_DETECTED attestation, or a private sale contract can check for an ACCREDITED_INVESTOR token. This moves compliance from manual, off-chain checks to automated, transparent on-chain rules.

To maintain current compliance, CATs incorporate mechanisms to invalidate attestations. Common patterns include:

• Time-Based Expiry: The token becomes invalid after a block timestamp.
• Revocation Registries: The issuer maintains an on-chain registry (like an EIP-5539 revocation list) where revoked token IDs are logged.
• Status Flags: The token's smart contract can update an internal valid state variable to false. This ensures compliance is not a one-time event but a continuously verifiable state.

Trust in a CAT is derived from the reputation and identity of its issuer. Issuers are typically regulated entities (banks, broker-dealers) or decentralized identity networks (like SpruceID or Veramo frameworks). Their identity is often represented by a Decentralized Identifier (DID) documented in a public registry, allowing verifiers to audit the attestation's source and its authority.

Advanced implementations use zero-knowledge proofs (ZKPs) to allow users to prove they hold a valid attestation without revealing its specific details or their underlying identity. For instance, a user can generate a ZK proof that they possess a valid JURISDICTION_X CAT, enabling access to a service while minimizing on-chain data exposure and preserving privacy.

CATs serve as soulbound tokens (SBTs) or verifiable credentials within decentralized identity frameworks. They attest to specific user attributes, such as:

• Completion of a Know Your Customer (KYC) process by a licensed provider.
• Professional licensure or membership in a regulated entity.
• A positive history of compliance, building a reputation score. These tokens enable selective disclosure, where users can prove a claim without revealing underlying personal data.

For traditional financial institutions, CATs are critical infrastructure for tokenizing real-world assets (RWA) and participating in DeFi. They provide auditable proof that an entity or transaction complies with securities laws (e.g., Reg D, Reg S), anti-money laundering directives, and tax reporting standards like the FATF Travel Rule. This reduces legal overhead and enables programmable compliance for capital flows.

A CAT minted on one blockchain can be verified as authentic on another via cross-chain messaging protocols or bridges with attestation relays. This solves the compliance fragmentation problem, allowing a user's verified status to be portable across Ethereum, Solana, or Avalanche ecosystems. The token's validity is cryptographically proven, preventing forgery and ensuring the attestation issuer's signature is recognized universally.

Smart contracts can be programmed to read CATs and automatically generate audit trails and regulatory reports. For example, a protocol can aggregate all transactions involving a specific type of compliance token (e.g., for accredited investors) and produce a report for regulators. This shifts compliance from a manual, post-hoc process to a real-time, transparent system embedded in the protocol's logic.

The Financial Action Task Force (FATF) Travel Rule requires VASPs to share sender/receiver information for transactions above a threshold. A CAT can represent a pre-verified user identity from a VASP. When a transfer is initiated, the sending protocol can attach this CAT, and the receiving protocol can instantly verify the user's legitimacy with the issuing VASP, automating Travel Rule compliance without intermediaries.

The most common technical standard for CATs is ERC-735 (Claim Holder). This Ethereum standard defines a contract interface for managing, adding, and removing claims (attestations) from trusted issuers. A claim is a key-value pair where the key is a claim type (e.g., isKYCVerified) and the value is the proof data, signed by the issuer's private key. This creates a portable, verifiable credential that is bound to a user's wallet address.

CATs are often implemented as Soulbound Tokens—non-transferable NFTs that are permanently bound to a specific wallet address. This prevents the sale or transfer of compliance status, ensuring the attestation remains linked to the verified entity. Key properties include:

• Non-Transferable: Cannot be sent to another wallet.
• Revocable: The issuer can invalidate the token if compliance lapses.
• Transparent: Verification status is publicly verifiable on-chain.

Verifying a CAT involves checking the cryptographic signature of the trusted issuer against the claim data. Common mechanisms include:

• Off-Chain Signatures with On-Chain Verification: The issuer signs a structured message (e.g., using EIP-712 for human-readable signing). The verifier contract checks this signature against the issuer's known public key.
• Zero-Knowledge Proofs (ZKPs): For privacy, a user can generate a ZK proof that they hold a valid CAT without revealing the underlying data, enabling compliant but private interactions.

CATs act as permissioning layers for decentralized applications. Smart contracts can check for the presence of a valid CAT before allowing a user to interact. Examples include:

• KYC-gated Pools: Lending protocols that require verified identity for high-value deposits.
• Jurisdictional Compliance: DEXs that restrict trading based on geographic attestations.
• Accredited Investor Verification: Platforms for security tokens that require proof of accredited status.

Trusted third-party entities act as Attestation Issuers. Their role is to perform the off-chain compliance check and mint the on-chain token. Examples include:

• Specialized KYC Providers (e.g., Fractal ID, Parallel Markets)
• Legal Entity Validators for corporate wallets
• DAO Governance Modules for membership attestations The security of the entire system relies on the trustworthiness and key management of these issuers.

CATs align with the broader W3C Verifiable Credentials (VC) data model, which provides a standardized format for cryptographically verifiable digital credentials. While VCs are often used in broader identity systems, CATs implement this concept specifically for blockchain addresses. This creates potential for interoperability between on-chain CATs and off-chain VC ecosystems, allowing portable identity across Web2 and Web3.

A key regulatory requirement addressed by CATs. The Travel Rule (FATF Recommendation 16) mandates that Virtual Asset Service Providers (VASPs) share originator and beneficiary information for transactions above a threshold. CATs provide a standardized, on-chain mechanism to satisfy this rule.

• Process: The originating VASP issues a CAT containing required sender data; the receiving VASP can verify it.
• Protocols: Solutions like TRP (Travel Rule Protocol) and IVMS 101 data standard are often integrated with CAT implementations.

Smart contracts or decentralized protocols that store, index, and manage the revocation status of attestations like CATs. An Attestation Registry acts as a public, verifiable ledger of claims.

• Key Functions: Issuance logging, status queries (valid/revoked), and revocation management.
• Examples: Ethereum Attestation Service (EAS), Verax, and Smart Layer provide frameworks for creating and managing on-chain attestations, which CATs can be built upon.

A cryptographic method that allows one party (the prover) to prove to another (the verifier) that a statement is true without revealing the underlying data. Zero-Knowledge Proofs can enhance privacy in compliance by enabling selective disclosure.

• Application to CATs: A user can prove they hold a valid KYC CAT without exposing their name or date of birth, or prove they are over 18 without revealing their exact age.
• Technology: zk-SNARKs and zk-STARKs are common ZKP constructions used for this purpose.

The automation of regulatory logic directly into smart contracts or protocol rules. Programmable Compliance uses tokens like CATs as permissioning inputs, enabling decentralized applications to enforce rules autonomously.

• Mechanism: A lending protocol's smart contract can check for a valid 'Accredited Investor' CAT before allowing access to a private pool.
• Benefits: Reduces manual review, creates a consistent and auditable enforcement layer, and enables complex, conditional logic (e.g., jurisdiction-specific rules).