Skip to main content

Typed Message policy rules

Early access:

Typed Message Policy is currently in Early Access (EA) mode, starting with Hyperliquid as its first supported workflow. Contact your Customer Success Manager for more information.

Typed Message Policy lets you govern off-chain signing requests at the field level, controlling not just whether a transaction can be signed, but what values are permitted inside the message itself. This gives you precise oversight of DeFi operations on supported platforms directly from your workspace Policies.

What are typed messages?

Many DeFi platforms use EVM off-chain messages to authorize operations such as withdrawals, deposits, and transfers. These messages are signed off-chain, meaning they are not recorded on the blockchain and no gas is required. Because they don't go through the standard transaction flow, they previously couldn't be governed with the same granularity as on-chain transactions.

This feature closes this gap by letting you define exactly which operations are allowed, from which sources, to which destinations, and up to what amounts, for each supported platform.

Note:

In Fireblocks, typed messages govern EVM off-chain messages such as EIP-712 messages, in addition to Non-EVM on-chain transactions. In this article we discuss EVM EIP-712 messages and the workflows they involve.

Governance levels

Typed Message Policy supports three levels of governance, from simple platform-specific presets to fully custom field-level control.

Platform presets

For supported platforms such as Hyperliquid, Fireblocks provides a predefined set of governable fields: operation, destination address, verifying contract, and amount. You select a platform when creating a rule, and the relevant fields appear automatically. No knowledge of the underlying message structure is required.

Custom field parameters

When you need to govern fields beyond the predefined set, you can define your own parameters. Selecting Add message parameters (advanced) opens the message parameters modal, where you can choose a specific parameter from the message type and set the value it must match.

Supported platforms and presets

This feature currently supports Hyperliquid, OpenSea, and Blur on mainnet with predefined field governance. Support for additional platforms, including Safe, is planned.

Note:

Supported platforms and presets are integrated based on factors such as market need and Fireblocks security policies.

Rule parameters

When creating a Typed Message Policy rule, you configure the following:

Scope

  • Rule name: a label which identifies the rule in your policy.
  • Initiator: the users or user groups this rule applies to.
  • Source: the vault account this rule applies to.
  • Blockchain type: EVM, non-EVM or Any. Selecting EVM filters the available assets to EVM-compatible assets and enables the Platform field.
  • Platform: the DeFi platform on which you want to govern signing requests (for example, Hyperliquid). Selecting a platform surfaces the relevant operation and destination fields.
  • Operation: the type of action being authorized (e.g., withdraw, staking deposit, or transfer).
  • Destination: the destination address the rule applies to. Only whitelisted addresses are accepted.
  • Add message parameters (advanced): adding specific message parameters.

Funds

  • Asset: the asset this rule applies to.
  • Amount: the minimum and maximum transaction values this rule applies to.

Action

  • Action: whether to allow or block matching transactions.

View your typed message policy rules

Your typed message policy rules appear in the policy table alongside all other rule types. Each row displays the rule's key parameters at a glance: rule number, name, initiator, source, destination, platform, message parameters count, asset, amount range, action (allow or block), and the approval groups required to authorize matching transactions.

Hovering over the message parameters count shows the parameters and their values:

To edit or delete a rule, select the More actions menu (⋮) on the right side of the row.

Create a Typed Message policy rule

  1. In the Fireblocks Console, go to Policies.
  2. Select the policy you want to edit, then select Edit policy.
  3. Select + Add rule and then select Typed message as the rule type.
  4. Complete the Scope fields: rule name, initiator, source, blockchain type, asset, platform, operation, and destination.
  5. To add message parameters, select Add message parameters (advanced) and configure the fields as needed.
  6. Set the action (allow or block) and configure the amount range if needed.
  7. Select Save to add the rule to your policy draft.
  8. Publish the updated policy. The required approval quorum must approve the change before the rule takes effect.

How Typed Message policy works

When a user initiates a DeFi EIP-712 operation on a supported platform, Fireblocks decodes the EIP-712 message and extracts the relevant fields: platform, operation, destination address, verifying contract, amount, and other relevant fields. These values are then evaluated against your policy rules before Fireblocks approves the transaction for signing.

If the transaction matches an allow rule, it proceeds to signing. If it matches a block rule, or no matching rule is found, the transaction is rejected.

Typed Message policy example

The following setup for typed message policy rules is a possible Hyperliquid use case example, where:

  • All of the workspace’s wallets are allowed to use Hyperliquid (e.g. login operations)
  • Withdraw operations are only allowed to specific wallet addresses
  • Other messages (non-Hyperliquid related) are allowed

Typed message policy rules are evaluated in order, from top to bottom, and the first matching rule determines the outcome. This example shows a possible implementation of restricting Hyperliquid withdrawals to an approved vault account, while leaving other typed messages, including other Hyperliquid operations such as ApproveAgent, unaffected.

Rule #1: Allow withdrawals to an approved destination

Allow Hyperliquid Withdraw messages that withdraw to a specific vault account.

  • Blockchain type: EVM
  • Platform: Hyperliquid
  • Operation: Withdraw
  • Destination: The approved Whitelisted Wallet
  • Action: Allow

Rule #2: Block all other Hyperliquid withdrawals

Block any Hyperliquid Withdraw message that does not match Rule #1.

  • Blockchain type: EVM
  • Platform: Hyperliquid 
  • Operation: Withdraw 
  • Destination: Any
  • Action: Block

Rule #3: Allow all other typed messages

Allow any typed message that does not match Rule #1 or Rule #2.

  • Blockchain type: Any 
  • Platform: Any 
  • Operation: Any 
  • Destination: Any 
  • Action: Allow

Why does the order matter?

Rules are evaluated top to bottom and the first match wins, therefore the sequence above is what makes the policy work:

  • Rule #1 is evaluated first, so approved withdrawals are allowed before any block rule is reached. 
  • Rule #2 blocks every other Hyperliquid withdrawal before it can reach the final catch-all allow rule. 
  • Rule #3 permits everything else: other Hyperliquid operations such as ApproveAgent, and typed messages on any other platform or blockchain.
Was this article helpful?
0 out of 0 found this helpful

Related Articles