Overview

The TAP Editor is a tool in your Fireblocks Console that you use to manage your TAP. You access it through the Transaction Policy tab of your Console settings.

Before you create your TAP

• Review this entire section. If you have more questions, contact your Customer Success Manager or email csm@fireblocks.com.
• Read TAP examples for a better understanding and helpful templates.
• Review the TAP best practices for important tips and reminders.
• If you want to apply rules to specific users, including API users, make sure you create and fully set up each user before you create the rules.
• Set up any source or destination in your workspace that you wish to use in a rule before creating the rule. Read how to create a vault account or link an exchange account before using either as a source or destination. This applies to Fireblocks Network connections and whitelisted addresses as well.
• To apply rules to user groups, first, create the groups on the Manage Groups page of your Fireblocks Console. We recommend that all users in the same group have similar workspace roles. To change users’ roles, contact Fireblocks Support.

Viewing drafted changes

Select Show changes at the top of Edit Mode to review drafted rule changes. Here you can also more easily see if other Admins drafted changes in the same timeframe that may conflict with yours.

In Show changes view, a Status column appears on the left and changes show like this:

• Newly added rules: green Added badge under Status
• Deleted rules: in strike-through, gray Deleted badge under Status
• A rule that was moved: shows in its new position and is deleted from its old position
• Edited rules: blue Edited badge under Status, a drop-down button to compare it to the old rule, and modified parameters are shaded in gray.

Select the top left Back  button to save and leave Edit Mode.

Loading your previous policy as a draft

Once you have implemented multiple versions of your TAP, a new option appears that allows you to load your most recent previously approved policy as a draft. Loading a previous policy will open it as a draft in Edit Mode. Then, your Owner and Admin Quorum must approve restoring the policy.

To restore your most recently approved version of your TAP:

1. Enter Edit Mode.
2. Select Load previous policy at the top right.
   

3. A window appears with details about the previous policy. Select Load Policy.
   

4. The previous policy loads as a draft. Restoring your previous TAP will discard any unsubmitted policy edit drafts. If restoring your previous policy returns any error or warning indicators, review them and make edits as needed.

Requesting to publish a new, edited, or restored TAP

1. After you finish creating or editing rules, select Publish at the top right. You must have at least one edited, added, or removed rule to be able to submit changes.
   
2. The Publish New Policy window shows a limited summary of the submitted policy's details. 
   l
3. Select Publish policy to send it to your Admin Quorum and Owner for approval.

Approving or denying pending TAP changes

After you submit a new or edited policy, your Admin Quorum and Owner receive Fireblocks mobile app notifications. The notification includes a summary of the TAP changes, but the policy details must be reviewed and approved or denied using the Fireblocks Console. A trail of orange pending policy approval indicatorsappears in their Console.

To approve or deny the TAP changes:

1. Go to Settings > Transaction policy. A yellow Pending approval badge indicates there are changes to review.
   
2. Select Review new policy or Review policy changes.
   • Added rules appear with a green badge.
   • Deleted rules are grayed out with diagonal stripes.
   • Edited rules include a button to expand the rule to compare the old and new versions.
   • Modified parameters are shaded in gray.
   • Moved rules appear in their new position and are deleted from their old position.

3. Select Approve changes or Deny changes. Then confirm the action on the confirmation window.

   • If you deny the changes, you can enter a reason to be logged in the Audit Log.

4. Complete the approval or denial process using your Fireblocks mobile app.
    

If the policy is approved, it becomes active immediately. If it is denied:

• The submitter can re-submit based on the feedback in the rejection notification.
• When the submitter enters Edit Mode post-rejection, their rejected edits will still be there and they can pick up from where they left off.
• After you submit a request, a yellow Pending approval badge shows.
• You can’t draft more edits until the pending request is approved or rejected.

TAP for DeFi operations

DeFi authorization

By default, contract call transactions to whitelisted contract addresses only are allowed in your workspace. To allow contract calls to non-whitelisted contract addresses or to add rules and approval flows for other parameters, implement specific TAP rules for contract calls in the TAP Editor. You need these rules to enable the WalletConnect integration in your workspace and to call DeFi apps programmatically with the Fireblocks DeFi SDK.

Policy rules for contract call transactions are identical to other transfer rules, except that no rules can be set based on transaction amounts through your TAP. The policy can still specify all other TAP parameters required to interact with DeFi apps.

You can however set amount thresholds limiting how much a smart contract can withdraw separately from your TAP. Learn about Approve transaction amount caps. We will soon also enable you to set rules based on specific functions called in the contract (ABI Decoding).

Below, we summarize unique characteristics of contract calls and two unique DeFi operations, Approve transactions and Typed messages, that impact how you construct DeFi TAP rules. Please finish the sections below before looking at the Web3 TAP example.

Contract call whitelisting

Depending on your security risk appetite, you can choose whether to enable contract calls to be sent to any DeFi protocol at will (using the one-time address feature) or whether to whitelist each contract's address before you can interact with it. Note that if you choose to whitelist, you must first whitelist each contract address (requires Admin Quorum approval).

TAP rules for Typed messages and Approve transactions

When using DeFi apps, you may be required to perform certain actions that create different types of smart contract transactions. You can create different rules for these actions or include all types in one contract call rule. The primary DeFi operations are contract calls. Two other operations you may use within the same rule are:

• Approve transactions: When you want to transfer to a new ERC-20 smart contract that you never used before, you must first make a special Approve transaction. This allows the smart contract to withdraw funds from a specific wallet, but it is not an actual transfer. Turn on the Applies for Approve toggle for a contract call rule to apply it to the initial Approve transaction for that smart contract. Learn more about Approve transactions.
• Typed messages: You can use Typed message signing to securely sign off-chain messages that are not transactions. Below, we explain specific use cases that may require Typed messages and how to enable them. Learn more about Typed message signing here.

Enabling Typed message signing for DeFi

You can use off-chain (“Typed”) message signing for two types of operations:

• EIP-712 messages: a standard format of off-chain messages, used by some ERC-20 contracts to verify withdrawals for you instead of the less-secure gas-consuming “Approve” operation.
• ETH personal messages: a standard format to sign any string of data that is not a valid transaction.

If you want to use a DeFi app that requires signing one of these formats, you must either create a Typed message type rule using TAP Editor that enables Typed messages for that smart contract or create contract call rules and enable Applies for Typed messages for them.

Fireblocks Console users

When the Destination parameter for the rule is:

• Whitelisted+OTA (one-time address)
  • Set Applies for Typed messages toggle on in your contract call rule or Create a separate Typed message type rule.
• Other
  • Off-chain messages have no destinations, so a Typed message type rule can’t be applied in the same rule. Create a separate Typed message type rule.

Fireblocks API users

• Since the Fireblocks WalletConnect integration doesn’t work via API, you’re less likely to need to use Typed message signing if you connect to DeFi apps via API.
• If you want to use Typed messages with Fireblocks API, the same flow applies as with Fireblocks Console.

Smart contract deployment

Smart contracts are foundational to a variety of blockchains. For example, Ethereum’s standards, such as ERC-20 (fungible tokens) and ERC-721 (non-fungible tokens), are implemented using smart contracts. In order to leverage these standards for your use case, you must first deploy a smart contract.

In Fireblocks, you can create TAP rules that allow you to deploy smart contracts via the Fireblocks Console and the Fireblocks API. These rules are also helpful for restricting when smart contracts can be deployed from your workspace.

To create rules for smart contract deployment, select the Contract call type and make sure the Applies for deployment toggle is enabled.