ERC-3643

A token standard for permissioned security tokens that integrates identity verification and compliance checks directly into transfer logic.

ERC-3643, formerly known as T-REX (Token for Regulated EXchanges), is the leading Ethereum token standard for security tokens and Real World Assets. Unlike permissionless ERC-20 tokens, ERC-3643 integrates identity verification and compliance rules directly into the token's transfer logic, ensuring that only verified investors can hold the tokens and that all transfers comply with regulatory requirements. This makes it the standard choice for tokenizing regulated assets like securities, real estate, and private equity.

Why ERC-3643 Exists

Standard ERC-20 tokens are permissionless—anyone can receive them:

// ERC-20: No restrictions
function transfer(address to, uint256 amount) public returns (bool) {
    balances[msg.sender] -= amount;
    balances[to] += amount;
    return true;
}

For regulated securities, this is problematic:

  • Securities laws restrict who can hold certain assets
  • KYC/AML requirements must be enforced
  • Transfer restrictions vary by jurisdiction
  • Investor caps may apply (e.g., max 500 US investors)

ERC-3643 solves this by checking compliance before every transfer.

Architecture Overview

┌─────────────────────────────────────────────────────────┐
│                      ERC-3643 Token                     │
│  ┌─────────────────────────────────────────────────┐    │
│  │                Transfer Function                │    │
│  │  1. Check Identity Registry                     │    │
│  │  2. Check Compliance Rules                      │    │
│  │  3. Execute Transfer                            │    │
│  └─────────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────────┘
         │                                 │
         ▼                                 ▼
┌─────────────────┐             ┌─────────────────────┐
│    Identity     │             │     Compliance      │
│    Registry     │             │      Contract       │
│   (ONCHAINID)   │             │   (Rules Engine)    │
└─────────────────┘             └─────────────────────┘
         │
         ▼
┌─────────────────┐
│  Claim Issuers  │
│ (KYC Providers) │
└─────────────────┘

Core Components

Identity Registry

Maps wallet addresses to verified identities:

interface IIdentityRegistry {
    function isVerified(address userAddress) external view returns (bool);
    function identity(address userAddress) external view returns (address);
    function investorCountry(address userAddress) external view returns (uint16);
}

ONCHAINID

ERC-734/735 compliant identity contracts storing verified claims:

// User's identity contract holds claims like:
// - KYC verified by Provider X
// - Accredited investor status
// - Country of residence

Compliance Contract

Enforces transfer rules:

interface ICompliance {
    function canTransfer(
        address from,
        address to,
        uint256 amount
    ) external view returns (bool);
}

Transfer Flow

function transfer(address to, uint256 amount) public override returns (bool) {
    // 1. Verify sender is registered
    require(_identityRegistry.isVerified(msg.sender), "Sender not verified");

    // 2. Verify receiver is registered
    require(_identityRegistry.isVerified(to), "Receiver not verified");

    // 3. Check compliance rules
    require(
        _compliance.canTransfer(msg.sender, to, amount),
        "Transfer not compliant"
    );

    // 4. Execute transfer
    _transfer(msg.sender, to, amount);

    return true;
}

Common Compliance Rules

Investor Caps

// Max 2000 investors globally
// (investorCount must be updated after every transfer, mint and burn;
//  that bookkeeping is not shown here. `from` and `amount` are unused by this rule.)
function canTransfer(address from, address to, uint256 amount)
    external view returns (bool)
{
    if (balanceOf(to) == 0) {
        // New investor
        require(investorCount < MAX_INVESTORS, "Investor cap reached");
    }
    return true;
}

Country Restrictions

// Block transfers to certain jurisdictions
mapping(uint16 => bool) public blockedCountries;

function canTransfer(address from, address to, uint256 amount)
    external view returns (bool)
{
    uint16 toCountry = identityRegistry.investorCountry(to);
    require(!blockedCountries[toCountry], "Country blocked");
    return true;
}

Holding Periods

// Enforce lock-up periods
mapping(address => uint256) public lockUntil;

function canTransfer(address from, address to, uint256 amount)
    external view returns (bool)
{
    require(block.timestamp >= lockUntil[from], "Tokens locked");
    return true;
}
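The three rules above are shown one at a time and each reverts from inside canTransfer(). The contract below is an added example for this page, not code from the article or from the ERC-3643/T-REX codebase: it combines the investor cap, the country block and the lock-up in one compliance contract whose canTransfer() returns false instead of reverting, and it keeps investorCount accurate through post-transfer hooks. The reduced IIdentityRegistry and IToken interfaces, the transferred/created/destroyed hook signatures, and the token and registry addresses given to the constructor are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Reduced interfaces: only the calls this example needs (assumed shapes).
interface IIdentityRegistry {
    function investorCountry(address userAddress) external view returns (uint16);
}

interface IToken {
    function balanceOf(address account) external view returns (uint256);
}

// Constructed example: investor cap, country block and lock-up in one contract.
contract ExampleCompliance {
    address public owner;
    address public token;                 // only the token may report transfers
    IIdentityRegistry public identityRegistry;

    uint256 public constant MAX_INVESTORS = 2000;
    uint256 public investorCount;         // holders with a non-zero balance

    mapping(uint16 => bool) public blockedCountries;
    mapping(address => uint256) public lockUntil;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier onlyToken() { require(msg.sender == token, "not token"); _; }

    constructor(address _token, address _registry) {
        owner = msg.sender;
        token = _token;
        identityRegistry = IIdentityRegistry(_registry);
    }

    function setBlockedCountry(uint16 country, bool blocked) external onlyOwner {
        blockedCountries[country] = blocked;
    }

    function setLockUntil(address account, uint256 timestamp) external onlyOwner {
        lockUntil[account] = timestamp;
    }

    // Pure check: returns false on any failing rule and never reverts, so the
    // token's single require() is the only place a transfer gets rejected.
    function canTransfer(address from, address to, uint256 amount) external view returns (bool) {
        if (amount == 0) return false;

        // Holding period: the sender's tokens must be out of lock-up.
        if (block.timestamp < lockUntil[from]) return false;

        // Country restriction: the receiver's registered jurisdiction must not be blocked.
        if (blockedCountries[identityRegistry.investorCountry(to)]) return false;

        // Investor cap: a receiver with zero balance becomes a new holder. A sender
        // moving their whole balance stops being a holder, so the net count only
        // grows when the receiver is new and the sender keeps some balance.
        bool toIsNew = from != to && IToken(token).balanceOf(to) == 0;
        bool fromLeaves = IToken(token).balanceOf(from) == amount;
        if (toIsNew && !fromLeaves && investorCount >= MAX_INVESTORS) return false;

        return true;
    }

    // Post-transfer hooks keep investorCount accurate. The reference implementation
    // exposes hooks for this purpose; the names and signatures here are assumed.
    // Each is called by the token after balances have already been updated.
    function transferred(address from, address to, uint256 amount) external onlyToken {
        if (from == to) return;
        if (IToken(token).balanceOf(to) == amount) investorCount += 1;   // 'to' held 0 before
        if (IToken(token).balanceOf(from) == 0) investorCount -= 1;      // 'from' exited
    }

    function created(address to, uint256 amount) external onlyToken {
        if (IToken(token).balanceOf(to) == amount) investorCount += 1;   // first tokens minted
    }

    function destroyed(address from, uint256) external onlyToken {
        if (IToken(token).balanceOf(from) == 0) investorCount -= 1;      // burned down to zero
    }
}
```

Deploy it with the token and registry addresses, then point the token's _compliance at it. Because canTransfer() is a view that never reverts, a failing rule surfaces as the token's single "Transfer not compliant" error, and each rule can be unit-tested by calling canTransfer() directly with different from/to/amount combinations. The hooks are restricted to the token so nobody else can drift the investor count.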

Agent Roles

ERC-3643 defines privileged roles:

// Token agents can:
// - Force transfers (court orders, lost keys)
// - Freeze/unfreeze addresses
// - Mint/burn tokens
// - Update compliance rules

function forcedTransfer(
    address from,
    address to,
    uint256 amount
) external onlyAgent returns (bool) {
    _transfer(from, to, amount);
    return true;
}

function freezeAddress(address account) external onlyAgent {
    frozen[account] = true;
}
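To see how the agent functions interact with the transfer checks, here is an added example of a minimal token that wires together the transfer flow from earlier, address freezing, minting and a forced transfer. It is constructed for this page and is not the ERC-3643 reference implementation: the interfaces are reduced to the calls used, the compliance post-transfer hooks are left out, and keeping the receiver-verification check inside forcedTransfer() is a safeguard this example chooses to adopt.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Reduced interfaces (assumed shapes for this example).
interface IIdentityRegistry {
    function isVerified(address userAddress) external view returns (bool);
}

interface ICompliance {
    function canTransfer(address from, address to, uint256 amount) external view returns (bool);
}

// Constructed example: transfer flow plus agent functions in one minimal token.
contract ExamplePermissionedToken {
    string public constant name = "Example Security Token";
    string public constant symbol = "EST";
    uint8 public constant decimals = 18;

    address public owner;
    mapping(address => bool) public isAgent;
    mapping(address => uint256) private _balances;
    mapping(address => bool) public frozen;
    uint256 public totalSupply;

    IIdentityRegistry private _identityRegistry;
    ICompliance private _compliance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event AddressFrozen(address indexed account, bool indexed isFrozen, address indexed agent);
    event ForcedTransfer(address indexed from, address indexed to, uint256 amount, address indexed agent);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier onlyAgent() { require(isAgent[msg.sender], "not agent"); _; }

    constructor(address registry, address compliance) {
        owner = msg.sender;
        _identityRegistry = IIdentityRegistry(registry);
        _compliance = ICompliance(compliance);
    }

    function setAgent(address agent, bool enabled) external onlyOwner { isAgent[agent] = enabled; }

    function balanceOf(address account) external view returns (uint256) { return _balances[account]; }

    // Normal transfer: freeze status, identity and compliance rules all apply.
    function transfer(address to, uint256 amount) external returns (bool) {
        require(!frozen[msg.sender] && !frozen[to], "address frozen");
        require(_identityRegistry.isVerified(msg.sender), "Sender not verified");
        require(_identityRegistry.isVerified(to), "Receiver not verified");
        require(_compliance.canTransfer(msg.sender, to, amount), "Transfer not compliant");
        _transfer(msg.sender, to, amount);
        return true;
    }

    // Forced transfer: skips the sender-side checks (lost keys, court order) but still
    // refuses to move tokens to an unverified receiver and records which agent acted.
    function forcedTransfer(address from, address to, uint256 amount) external onlyAgent returns (bool) {
        require(_identityRegistry.isVerified(to), "Receiver not verified");
        _transfer(from, to, amount);
        emit ForcedTransfer(from, to, amount, msg.sender);
        return true;
    }

    // Freeze and unfreeze through one entry point so every change is logged.
    function setAddressFrozen(address account, bool isFrozen) external onlyAgent {
        frozen[account] = isFrozen;
        emit AddressFrozen(account, isFrozen, msg.sender);
    }

    // Minting also respects identity: new supply can only land on verified wallets.
    function mint(address to, uint256 amount) external onlyAgent {
        require(_identityRegistry.isVerified(to), "Receiver not verified");
        totalSupply += amount;
        _balances[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    function _transfer(address from, address to, uint256 amount) internal {
        require(to != address(0), "zero address");
        uint256 bal = _balances[from];
        require(bal >= amount, "insufficient balance");
        _balances[from] = bal - amount;
        _balances[to] += amount;
        emit Transfer(from, to, amount);
    }
}
```

The events on forcedTransfer() and setAddressFrozen() are what an operations team would index: every use of an agent key leaves an on-chain record naming the agent, which is the basis for alerting on unexpected forced transfers or freezes.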

Security Considerations

Identity Verification Trust

The security model depends on trusted claim issuers:

// Only trusted KYC providers can issue identity claims
function addClaimIssuer(address issuer) external onlyOwner {
    trustedIssuers[issuer] = true;
}

If a claim issuer is compromised, whoever controls its key can issue claims that make arbitrary addresses appear verified.

Agent Key Management

Agent keys have significant power:

  • Force transfers (bypass normal compliance)
  • Freeze any address
  • Modify compliance rules

These should be protected with multi-signature wallets and timelocks.

Upgrade Security

Compliance contracts are often upgradeable:

function setCompliance(address newCompliance) external onlyOwner {
    _compliance = ICompliance(newCompliance);
}

Malicious upgrades could disable all compliance checks.
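One way to make the upgrade path reviewable instead of instantaneous is a propose/execute pattern with a mandatory delay. The contract below is an added example written for this page, not code from the article or the ERC-3643 codebase; UPGRADE_DELAY, the event names and the assumption that the owner is a multisig are choices made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface ICompliance {
    function canTransfer(address from, address to, uint256 amount) external view returns (bool);
}

// Constructed example: a two-step, time-delayed replacement for the one-call
// setCompliance() above. The delay gives holders and auditors a window to
// inspect the proposed contract before it takes effect.
contract TimelockedComplianceUpgrade {
    uint256 public constant UPGRADE_DELAY = 2 days; // example value

    address public owner;              // assumed to be a multisig
    ICompliance public compliance;

    address public pendingCompliance;
    uint256 public pendingReadyAt;

    event ComplianceUpgradeProposed(address indexed newCompliance, uint256 readyAt);
    event ComplianceUpgradeCancelled(address indexed newCompliance);
    event ComplianceUpgraded(address indexed oldCompliance, address indexed newCompliance);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(address initialCompliance) {
        require(initialCompliance.code.length > 0, "not a contract");
        owner = msg.sender;
        compliance = ICompliance(initialCompliance);
    }

    // Step 1: announce the candidate. Nothing changes yet.
    function proposeCompliance(address newCompliance) external onlyOwner {
        require(newCompliance != address(0), "zero address");
        require(newCompliance.code.length > 0, "not a contract");
        pendingCompliance = newCompliance;
        pendingReadyAt = block.timestamp + UPGRADE_DELAY;
        emit ComplianceUpgradeProposed(newCompliance, pendingReadyAt);
    }

    // A proposal that fails review can be withdrawn before it activates.
    function cancelProposedCompliance() external onlyOwner {
        address cancelled = pendingCompliance;
        require(cancelled != address(0), "nothing pending");
        pendingCompliance = address(0);
        pendingReadyAt = 0;
        emit ComplianceUpgradeCancelled(cancelled);
    }

    // Step 2: only after the delay, and only the contract that was announced.
    function executeComplianceUpgrade() external onlyOwner {
        address next = pendingCompliance;
        require(next != address(0), "nothing pending");
        require(block.timestamp >= pendingReadyAt, "timelock active");
        address previous = address(compliance);
        compliance = ICompliance(next);
        pendingCompliance = address(0);
        pendingReadyAt = 0;
        emit ComplianceUpgraded(previous, next);
    }
}
```

Watching for ComplianceUpgradeProposed is the detection hook: a proposal pointing at a contract nobody has reviewed is the signal to cancel before the delay runs out. Holding the owner key in a multisig adds a second control on both the propose and the execute step, which is what the agent-key guidance above asks for.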

ERC-3643 vs Other Standards

Standard  | Permissioned | Identity | Compliance | Use Case
ERC-20    | No           | No       | No         | Utility tokens
ERC-1400  | Yes          | Optional | Optional   | Security tokens
ERC-3643  | Yes          | Required | Required   | Regulated securities

Audit Checklist

When auditing ERC-3643 implementations:

  • All transfers check identity registry
  • Compliance rules correctly implemented
  • Agent functions properly access-controlled
  • Force transfer has appropriate safeguards
  • Freeze functionality works correctly
  • Identity claims validated properly
  • Compliance contract upgrade protected
  • Country/jurisdiction rules accurate

ERC-3643 enables compliant tokenization of regulated assets, embedding regulatory requirements directly into the token's transfer logic. Understanding its architecture is essential for auditing security token platforms and RWA protocols.

© 2024 Zealynx