Important
The article is accessible to you as part of our New Policy Engine, which replaces the Transaction Authorization Policy (TAP). We are currently still updating the relevant documentation in the Help Center to reflect the recent changes to our New Policy Engine.
Issue description
The Policy is a set of rules that govern the outflow of assets from your Fireblocks Vault and integrated connections. Based on the Policies you define, the Fireblocks Policy Engine will block some transactions. Rejected transactions due to Policy rules that you created will show with the rejection reason “Blocked by Policy.” Learn more about Policies.
However, you may also see transactions rejected with the reason “Blocked by Policy” that were not rejected by specific Policy rules you created, but by global policies. The section below lists the common scenarios in which your transactions may be unexpectedly blocked with the rejection reason “Blocked by Policy” and how to address them.
Common reasons transactions can be "Blocked by Policy"
Transactions can fail with the transaction sub-status "BLOCKED_BY_POLICY" if:
- You are sending to a "One Time Address" but you have not included "One Time Address" (OTA) destination parameters in your Policy rules.
- The Transaction matched a Policy rule that lists “Block” as the required Action type.
- The Transaction didn't match any Policy rule, so it was Blocked by the "Catch-All" rule.
- The Raw Signing, Mint, or Burn transactions match a policy rule, but the premium feature is off (by default).
Resolutions
- One-Time Address
  - If you want to receive transfers to one-time addresses, include "One-time Address" in the Destination parameter of your Policy rules.
  - Make sure "One-time Address" is enabled in your Fireblocks Console Settings:
    Settings > General: Under One-time Address, select Allow and confirm.
  - Learn more about the One-Time Address feature.
- There are two common scenarios where transactions will hit "Block" action rules:
  - The Transaction matched a "Block" action rule.
    - Time frame or individual and accumulation rule parameters for Initiator, Source, or Destination need to be redefined.
    - The policy might block a transaction that exceeded the threshold monetary amount of a time-based rule if the rule’s action is “Block”.
      - Suggested solution:
        - Increase the threshold amount of this rule.
        - Shorten the time frame.
        - Update the rule or add a new one with the “Request approval” action.
    - Trace and review the relevant rule, and make any adjustments if needed:
      - Determine what type of transaction was blocked by navigating to the Recent activity sidebar. (Transaction cards clear from the sidebar about 24 hours after their final state.)
      - Find the blocked transaction and take note of its type (e.g., Transfer, Mint).
      - Return to Policies in the left navigation panel, open the Policy type corresponding to the blocked transaction, and make the necessary changes.
      - Note: Assuming rules were not re-ordered as part of a Policy update after the block occurred:
        - Review the Rule.
        - Check if the rule serves your business needs or if you should change it to allow similar transactions in the future. After you update and publish your Policy, select Retry to process the transaction via Recent activity.
  - The transaction did not match any Policy rule. It was blocked by the "Catch-All" Block rule.
    Follow these steps to ensure the policy is configured as intended:
    - Note: The Policy operates according to the first-match principle. Thus, having your rules in the proper order is also essential when creating your Policy. The order of your rules can affect whether or not specific rule parameters are enforced.
    - Ensure all the blocked transactions’ parameters are included in a Policy rule:
      - Initiator (can be a specific initiator, or the user is part of a user group), Transaction Type (CONTRACT_CALL, TRANSFER, TYPED_MESSAGE, etc.), Source and Destination (Whitelisted / OTA), Amount and Time Period (Single Transactions / Accumulation), Asset, and an Action.
- Raw signing, Mint, and Burn are premium features that are off by default. Please contact your Customer Success Manager to enable them.
If you still cannot explain the "Blocked" transaction after performing the above steps or need more assistance, contact Fireblocks Support.
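The first-match ordering and the Catch-All fallthrough described above can be reproduced with a small model. This is an added example, not Fireblocks code or its API: the rule fields mirror the parameters listed in this article, while the wildcard, the "amount exceeds threshold" matching, the action labels, and all rule, group and vault names are assumptions made for illustration.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard in this model only
FIELDS = ("initiator", "tx_type", "source", "destination", "asset")

@dataclass(frozen=True)
class Rule:
    name: str
    initiator: str
    tx_type: str
    source: str
    destination: str     # "WHITELISTED", "OTA" or ANY
    asset: str
    amount_over: float   # assumption: rule applies when amount exceeds this
    action: str          # "ALLOW", "REQUEST_APPROVAL" or "BLOCK"

# Implicit last rule: matches everything and blocks.
CATCH_ALL = Rule("Catch-All", ANY, ANY, ANY, ANY, ANY, float("-inf"), "BLOCK")

def mismatches(rule, tx):
    """Names of the parameters on which tx fails to match rule."""
    bad = [f for f in FIELDS if getattr(rule, f) not in (ANY, tx[f])]
    if tx["amount"] <= rule.amount_over:
        bad.append("amount")
    return bad

def evaluate(rules, tx):
    """First match wins. Returns (action, rule name, skipped-rule trace)."""
    trace = []
    for rule in [*rules, CATCH_ALL]:
        bad = mismatches(rule, tx)
        if not bad:
            return rule.action, rule.name, trace
        trace.append((rule.name, bad))

# Constructed sample policy and transactions (all names are made up).
BLOCK_LARGE = Rule("block-large", "ops-group", "TRANSFER", ANY, ANY, "BTC", 10.0, "BLOCK")
ALLOW_WL = Rule("allow-whitelisted", "ops-group", "TRANSFER", "vault-1", "WHITELISTED", "BTC", 0.0, "ALLOW")
POLICY = [BLOCK_LARGE, ALLOW_WL]

def tx(destination, amount):
    return {"initiator": "ops-group", "tx_type": "TRANSFER", "source": "vault-1",
            "destination": destination, "asset": "BTC", "amount": amount}

if __name__ == "__main__":
    for t in (tx("WHITELISTED", 1.0), tx("OTA", 1.0), tx("WHITELISTED", 50.0)):
        action, rule, trace = evaluate(POLICY, t)
        print(t["destination"], t["amount"], "->", action, "by", rule, "skipped:", trace)
```

The skipped-rule trace names the parameter that kept each rule from matching, which is the same question the review steps above ask of a blocked transaction.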