Metaplex Candy Guard

💡 Update:

From Candy Guard v0.2.0, the serialization logic for the arguments of the initialize and update instructions expect a [u8] represeting the custom serialized struct. This is to ensure adding new guards in the future does not affect clients.

If you are using the mpl-candy-guard npm package, you can serialize the CandyMachineData object using:

import { serialize } from '@metaplex-foundation/mpl-candy-guard';

const data = { ... };
const serializedData = serialize(data);

If you are using the mpl-candy-guard Rust crate, you can serialize the CandyMachineData struct using:

let data = CandyGuardData { ... };
let mut serialized_data = vec![0; data.size()];
data.save(&mut serialized_data)?;

Overview

The new Candy Guard program is designed to take away the access control logic from the Candy Machine to handle the additional mint features, while the Candy Machine program retains its core mint functionality — the creation of the NFT. This not only provides a clear separation between access controls and mint logic, it also provides a modular and flexible architecture to add or remove mint features without having to modify the Candy Machine program.

The access control on a Candy Guard is encapsulated in individuals guards representing a specific rule that needs to be satisfied, which can be enabled or disabled. For example, the live date of the mint is represented as the LiveDate guard. This guard is satisfied only if the transaction time is on or after the configured start time on the guard. Other guards can validate different aspects of the access control – e.g., ensuring that the user holds a specific token (token gating).

Note The Candy Guard program can only be used in combination with Candy Machine Core (Candy Machine V3) accounts. When a Candy Guard is used in combination with a Candy Machine, it becomes its mint authority and minting is only possible through the Candy Guard.

How the program works?

The main purpose of the Candy Guard program is to hold the configuration of mint guards and apply them before a user can mint from a candy machine. If all enabled guard conditions are valid, the mint transaction is forwarded to the Candy Machine.

When a mint transaction is received, the program performs the following steps:

1. Validates the transaction against all enabled guards.
   • If any of the guards fail at this point, the transaction is subject to the BotTax (when the BotTax guard is enabled) and the transaction is then aborted.
2. After evaluating that all guards are valid, it invokes the pre_actions function on each guard. This function is responsible to perform any action before the mint (e.g., take payment for the mint).
3. Then the transaction is forwarded to the Candy Machine program to mint the NFT.
4. Finally, it invokes the post_actions function on each enabled guard. This function is responsible to perform any action after the mint (e.g., freeze the NFT, change the update authority).

A guard is a modular piece of code that can be easily added to the Candy Guard program, providing great flexibility and simplicity to support specific features without having to modify directly the Candy Machine program. Adding new guards is supported by conforming to specific interfaces, with changes isolated to the individual guard – e.g., each guard can be created and modified in isolation. This architecture also provides the flexibility to enable/disable guards without requiring code changes, as each guard has an enable/disable "switch".

The Candy Guard program contains a set of core access control guards that can be enabled/disabled:

• AddressGate: restricts the mint to a single address
• Allocation: specify the maximum number of mints in a group (guard set)
• AllowList: uses a wallet address list to determine who is allowed to mint
• BotTax: configurable tax (amount) to charge invalid transactions
• EndDate: determines a date to end the mint
• FreezeSolPayment: set the price of the mint in SOL with a freeze period.
• FreezeTokenPayment: set the price of the mint in spl-token amount with a freeze period.
• Gatekeeper: captcha integration
• MintLimit: specified a limit on the number of mints per wallet
• NftBurn: restricts the mint to holders of a specified collection, requiring a burn of the NFT
• NftGate: restricts the mint to holders of a specified collection
• NftPayment: set the price of the mint as an NFT of a specified collection
• ProgramGate: restricts the programs that can be in a mint transaction
• RedeemedAmount: determines the end of the mint based on a total amount minted
• SolPayment: set the price of the mint in SOL
• StartDate: determines the start date of the mint
• ThirdPartySigner: requires an additional signer on the transaction
• TokenBurn: restricts the mint to holders of a specified spl-token, requiring a burn of the tokens
• TokenGate: restricts the mint to holders of a specified spl-token
• TokenPayment: set the price of the mint in spl-token amount

Along with those guads, amazing teams in the community are making guard programs with new and cool checks. Here are a few teams who have created guards:

• Civic: Civic Pass Guard (Integration Docs)

Account

The Candy Guard configuration is stored in a single account. The information regarding the guards that are enable is stored in a "hidden" section of the account to avoid unnecessary deserialization.

Since the number of guards enabled and groups is variable, the account size is dynamically resized during the update instruction to accommodate the updated configuration.

Instructions

📄 initialize

This instruction creates and initializes a new CandyGuard account.

📄 mint (deprecated)

This instruction mints an NFT from a Candy Machine "wrapped" by a Candy Guard. Only when the transaction is succesfully validated, it is forwarded to the Candy Machine.

📄 mint_v2

This instruction mints both NFT or pNFT from a Candy Machine "wrapped" by a Candy Guard. Only when the transaction is succesfully validated, it is forwarded to the Candy Machine.

📄 route

This instruction routes the transaction to a guard, allowing the execution of custom guard instructions. The transaction can include any additional accounts required by the guard instruction. The guard that will received the transaction and any additional parameters is specified in the RouteArgs struct.

📄 unwrap

This instruction removes a Candy Guard from a Candy Machine, setting the mint authority of the Candy Machine to be the Candy Machine authority. The Candy Gard public key must match the Candy Machine mint_authority for this instruction to succeed.

📄 update

This instruction updates the Candy Guard configuration. Given that there is a flexible number of guards and groups that can be present, this instruction will resize the account accordingly, either increasing or decreasing the account size. Therefore, there will be either a charge for rent or a withdraw of rent lamports.

📄 withdraw

This instruction withdraws the rent lamports from the account and closes it. After executing this instruction, the Candy Guard account will not be operational.

📄 wrap

This instruction adds a Candy Guard to a Candy Machine. After the guard is added, minting is only allowed through the Candy Guard.

Guards

AddressGate

pub struct AddressGate {
    address: Pubkey,
}

The AddressGate guard restricts the mint to a single address — the address must match the payer's address of the mint transaction.

Allocation

pub struct Allocation {
    pub id: u8,
    pub size: u16,
}

The Allocation guard specifies the maximum number of mints allowed in a group (guard set). The id configuration represents the unique identification for the allocation — changing the id has the effect of restarting the limit, since a different tracking account will be created. The size indicates the maximum number of mints allocated.

Route Instruction

The allocation PDA needs to be created before the first mint transaction is validated. This is done by a route instruction with the following accounts and RouteArgs:

AllowList

pub struct AllowList {
    pub merkle_root: [u8; 32],
}

The AllowList guard validates the payer's address against a merkle tree-based allow list of addresses. It required the root of the merkle tree as a configuration and the mint transaction must include the PDA of the merkle proof. The transaction will fail if no proof is specified.

Route Instruction

The merkle proof validation needs to be completed before the mint transaction. This is done by a route instruction with the following accounts and RouteArgs:

BotTax

pub struct BotTax {
    pub lamports: u64,
    pub last_instruction: bool,
}

The BotTax guard is used to:

• charge a penalty for invalid transactions. The value of the penalty is specified by the lamports configuration.
• validate that the mint transaction is the last transaction (last_instruction = true).

The bot_tax is applied to any error that occurs during the validation of the guards.

EndDate

pub struct EndDate {
    pub date: i64,
}

The EndDate guard is used to specify a date to end the mint. Any transaction received after the end date will fail.

FreezeSolPayment

pub struct FreezeSolPayment {
    pub lamports: u64,
    pub destination: Pubkey,
}

The FreezeSolPayment guard is used to charge an amount in SOL (lamports) for the mint with a freeze period. The funds are transferred a freeze escrow until all NFTs are thawed, which at this point, can be transferred (unlock) to the destination account.

Note: The freeze functionality must be initialized using the initialize route instruction before mint starts.

Route Instructions

initialize: initializes the freeze escrow PDA.

thaw: thaw an eligible NFT.

unlock_funds: unlocks frozen funds.

Unlock funds is only enabled after all frozen NFTs are thaw.

FreezeTokenPayment

pub struct FreezeTokenPayment {
    pub amount: u64,
    pub mint: Pubkey,
    pub destination_ata: Pubkey,
}

The FreezeTokenPayment guard is used to charge an amount in a specified spl-token as payment for the mint with a freeze period. The funds are transferred a freeze escrow until all NFTs are thaw, which at this point, can be transferred (unlock) to the destination account.

Note: The freeze functionality must be initialized using the initialize route instruction before mint starts.

Route Instructions

initialize: initializes the freeze escrow PDA.

thaw: thaw an eligible NFT.

unlock_funds: unlocks frozen funds.

Unlock funds is only enabled after all frozen NFTs are thaw.

Gatekeeper

pub struct Gatekeeper {
    pub gatekeeper_network: Pubkey,
    pub expire_on_use: bool,
}

The Gatekeeper guard validates if the payer of the transaction has a token from a specified gateway network — in most cases, a token after completing a captcha challenge. The expire_on_use configuration is used to indicate whether or not the token should expire after minting.

MintLimit

pub struct MintLimit {
    pub id: u8,
    pub limit: u16,
}

The MintLimit guard allows to specify a limit on the number of mints for each individual address. The id configuration represents the unique identification for the limit — changing the id has the effect of restarting the limit, since a different tracking account will be created. The limit indicated the maximum number of mints allowed.

NftBurn

pub struct NftBurn {
    pub required_collection: Pubkey,
}

The NftBurn guard restricts the mint to holders of another NFT (token), requiring that the NFT is burn in exchange of being allowed to mint.

NftGate

pub struct NftGate {
    pub required_collection: Pubkey,
}

The NftGate guard restricts the mint to holders of a specified required_collection NFT collection. The payer is required to hold at least one NFT of the collection.

NftPayment

pub struct NftPayment {
    pub required_collection: Pubkey,
    pub destination: Pubkey,
}

The NftPayment guard is a payment guard that charges another NFT (token) from a specific collection for the mint. As a requirement of the mint, the specified NFT is transferred to the destination address.

ProgramGate

pub struct ProgramGate {
    pub additional: Vec<Pubkey>,
}

The ProgramGate guard restricts the programs that can be in a mint transaction. The guard allows the necessary programs for the mint and any other program specified in the configuration.

RedeemedAmount

pub struct RedeemedAmount {
    pub maximum: u64,
}

The RedeemedAmount guard stops the mint when the number of items_redeemed of the Candy Machine reaches the configured maximum amount.

SolPayment

pub struct SolPayment {
    pub lamports: u64,
    pub destination: Pubkey,
}

The SolPayment guard is used to charge an amount in SOL (lamports) for the mint. The funds are transferred to the configured destination address.

StartDate

pub struct StartDate {
    pub date: i64,
}

The StartDate guard determines the start date of the mint. If this guard is not specified, mint is allowed — similar to say any date is valid.

ThirdPartySigner

pub struct ThirdPartySigner {
    pub signer_key: Pubkey,
}

The ThirdPartySigner guard required an extra signer on the transaction.

TokenBurn

pub struct TokenBurn {
    pub amount: u64,
    pub mint: Pubkey,
}

The TokenBurn restrict the mint to holder of a specified spl-token and required the burn of the tokens. The amount determines how many tokens are required.

TokenGate

pub struct TokenGate {
    pub amount: u64,
    pub mint: Pubkey,
}

The TokenGate restrict the mint to holder of a specified spl-token. The amount determines how many tokens are required.

TokenPayment

pub struct TokenPayment {
    pub amount: u64,
    pub token_mint: Pubkey,
    pub destination_ata: Pubkey,
}

The TokenPayment restrict the mint to holder of a specified spl-token, transferring the required amount to the destination_ata address. The amount determines how many tokens are required.