Deployed on CKB testnet. Mainnet deployment pending audit completion.

CKB Transaction Firewall

Block transactions to blacklisted addresses at consensus — regardless of what your application code does.

The firewall is an outgoing payment filter. It prevents a CKB wallet cell from being spent in a transaction that creates outputs pointing to blacklisted lock or type args. It does not block incoming payments, does not screen counterparties, and does not affect cells that don’t use the firewall lock.

When application code is compromised — a hijacked agent runtime, a prompt injection, a forked payout path that skips the check — the on-chain lock still runs. CKB nodes enforce the blacklist rule at consensus for every transaction that tries to spend a firewall-protected cell.

| Component | What it does |
| --- | --- |
| firewall-lock | CKB lock script that runs at consensus on every node when a protected cell is spent. Enforces the blacklist regardless of what application code does. |
| Registry cell | Live CKB cell whose data is a BLKL v2 binary payload — a sorted, versioned blacklist maintained by governance. |
| @ckb-firewall/sdk / ckb-transaction-firewall-sdk | Off-chain pre-flight check in TypeScript or Rust. Runs the same logic as the lock before signing — fast feedback, structured errors. |
| @ckb-firewall/cli | CLI for inspecting the live registry, testing addresses, and running the full governance lifecycle. |
| Governance | Signed, time-locked, multi-party process for adding and removing blacklist entries. Enforced at consensus via on-chain proposal cells. |
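
The outgoing-filter rule described above, modelled as an added TypeScript example; it is not the project's SDK or lock-script code. Every type and function name is hypothetical, the blacklist is a constructed in-memory list of hex args standing in for the decoded registry payload, and the hex normalisation is an assumption.

```typescript
// Added illustration: a model of the outgoing-payment rule, not the SDK's API.
// All names are hypothetical; hex normalisation is an assumption.
type Script = { codeHash: string; args: string };
type Output = { lock: Script; type?: Script };
type Violation = { outputIndex: number; field: "lock" | "type"; args: string };

// Normalise hex so matching does not depend on case or a missing 0x prefix.
function normalizeArgs(args: string): string {
  const hex = args.toLowerCase();
  return hex.slice(0, 2) === "0x" ? hex : "0x" + hex;
}

// Build the sorted, de-duplicated list that the binary search relies on.
function buildBlacklist(entries: string[]): string[] {
  return Array.from(new Set(entries.map(normalizeArgs))).sort();
}

// Binary search over the sorted blacklist.
function isBlacklisted(sorted: string[], args: string): boolean {
  const needle = normalizeArgs(args);
  let lo = 0;
  let hi = sorted.length - 1;
  while (lo <= hi) {
    const mid = (lo + hi) >> 1;
    const cur = sorted[mid] as string;
    if (cur === needle) return true;
    if (cur < needle) lo = mid + 1; else hi = mid - 1;
  }
  return false;
}

// Screen only the outputs a transaction creates, on both lock and type args.
// Inputs are never inspected, so incoming payments are unaffected.
function preflight(outputs: Output[], sorted: string[]): Violation[] {
  const violations: Violation[] = [];
  outputs.forEach((out, outputIndex) => {
    if (isBlacklisted(sorted, out.lock.args)) {
      violations.push({ outputIndex, field: "lock", args: normalizeArgs(out.lock.args) });
    }
    if (out.type && isBlacklisted(sorted, out.type.args)) {
      violations.push({ outputIndex, field: "type", args: normalizeArgs(out.type.args) });
    }
  });
  return violations;
}

// Constructed sample data: output 0 is a blacklisted lock, output 1 is clean.
const SAMPLE_BLACKLIST = buildBlacklist(["0xBB22", "aa11", "0xaa11"]);
const SAMPLE_OUTPUTS: Output[] = [{ lock: { codeHash: "0x01", args: "0xAA11" } }, { lock: { codeHash: "0x01", args: "0xcc33" } }];
const SAMPLE_RESULT = preflight(SAMPLE_OUTPUTS, SAMPLE_BLACKLIST);
```

An empty result means the transaction would pass this model of the check; any entry names the output index and the script field that matched.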