Assessment reports>Radix>Threat Model>Transaction manifests

Transaction manifests

A transaction manifest is a sequence of instructions that defines operations to be executed on the Radix Engine. It serves as a programmatic description of transaction intent, allowing users and developers to interact with the network in a structured way.

These are the key manifest components:

  • Instructions for resource manipulation (buckets, proofs)

  • Function and method calls to components/blueprints

  • Authorization and access-control operations

  • Network-component interactions

  • Address-management operations

The manifest processor ensures secure execution through the following:

  • Requiring explicit intent of the user to manage resources

  • Resource tracking and isolation

  • Authorization verification

  • State-consistency checks

  • Size and complexity limits

System-wide security considerations

The primary security consideration at this stage is ensuring that the stack frames are appropriately created so that the privileges granted to the transaction processor are not inadvertently leaked to other blueprints. This is trivially achieved due to the explicit nature of the calls, but it is important to take into consideration for any future changes to the system that may introduce new callout mechanisms.

Other considerations include the following:

  • Proofs must be validated before use.

  • Operations must verify appropriate authorization.

  • Access-control rules must be enforced manually if acting on behalf of another component.

  • Auto moves (handle_call_return_data) into worktop must be handled carefully (i.e., nodes owned by (NON_)FUNGIBLE_BUCKET_BLUEPRINT).

Preview execution

Preview execution allows testing the manifest without committing to the network. This is useful for development but also for users to understand the effects of their transactions before committing through the help of their wallet software.

The manifest system supports preview execution through flags:

struct PreviewFlags { use_free_credit: bool, assume_all_signature_proofs: bool, skip_epoch_check: bool, disable_auth: bool }

Aliased operations

Some operations that are available in the manifest builder or the AST format do not map to a unique instruction. Instead, they are aliases for a call_function / call_method / call_direct_vault_method operation with a specific set of arguments.

Aliases bring convenience and readability to the manifest and consistency with less boilerplate to the transaction processor, but they may hide the underlying operation from a casual reader. Understanding both the aliases and their underlying instructions can be helpful for debugging and advanced usage.

Resource-management aliases

AliasTranslates to
MintFungibleCallFunction { ResourceAddress, "Fungible", "mint" }
MintNonFungibleCallFunction { ResourceAddress, "NonFungible", "mint" }
MintRuidNonFungibleCallFunction { ResourceAddress, "NonFungible", "mint_ruid" }

Here is an example:

// Alias MINT_FUNGIBLE Address("resource_sim1...") Decimal("100"); // Translates to CALL_METHOD Address("resource_sim1...") "mint" Decimal("100");

Vault operations aliases

AliasTranslates to
RecallFromVaultCallDirectVaultMethod { "recall" }
FreezeVaultCallDirectVaultMethod { "freeze" }
UnfreezeVaultCallDirectVaultMethod { "unfreeze" }
RecallNonFungiblesFromVaultCallDirectVaultMethod { "recall_non_fungibles" }

Here is an example:

// Alias RECALL_FROM_VAULT Address("internal_sim1...") Decimal("50"); // Translates to CALL_DIRECT_VAULT_METHOD Address("internal_sim1...") "recall" Decimal("50");

Package and component aliases

AliasTranslates to
CreateValidatorCallFunction { ConsensusManager, "Validator", "create" }
PublishPackageCallFunction { PackagePackage, "Package", "publish" }
PublishPackageAdvancedCallFunction { PackagePackage, "Package", "publish_advanced" }
ClaimPackageRoyaltiesCallMethod { method_name: "claim_royalties" }

Here is an example:

// Alias PUBLISH_PACKAGE Blob("a710f0...") Map(); // Translates to CALL_FUNCTION Address("package_sim1...") "Package" "publish" Blob("a710f0...") Map();

Resource creation aliases

AliasTranslates to
CreateFungibleResourceCallFunction { ResourcePackage, "Fungible", "create" }
CreateFungibleResourceWithInitialSupplyCallFunction { ResourcePackage, "Fungible", "create_with_initial_supply" }
CreateNonFungibleResourceCallFunction { ResourcePackage, "NonFungible", "create" }
CreateNonFungibleResourceWithInitialSupplyCallFunction { ResourcePackage, "NonFungible", "create_with_initial_supply" }

Here is an example:

// Alias CREATE_FUNGIBLE_RESOURCE Enum<0u8>() false 18u8 Tuple(...); // Translates to CALL_FUNCTION Address("resource_sim1...") "Fungible" "create" Enum<0u8>() false 18u8 Tuple(...);

Core instructions

1. Worktop operations

These instructions manage resources on the transaction worktop — a temporary storage area that tracks resources during transaction execution.

Instruction: TakeFromWorktop

Signature: TakeFromWorktop { resource_address: ResourceAddress, amount: Decimal }

This takes a specific amount of fungible resources from the worktop and creates a new bucket.

Instruction: TakeAllFromWorktop

Signature: TakeAllFromWorktop { resource_address: ResourceAddress }

This takes all available resources of a specified type from the worktop.

Instruction: TakeNonFungiblesFromWorktop

Signature: TakeNonFungiblesFromWorktop { resource_address: ResourceAddress, ids: Vec<NonFungibleLocalId> }

This takes specific NFTs from the worktop by ID.

Instruction: ReturnToWorktop

Signature: ReturnToWorktop { bucket_id: ManifestBucket }

This returns resources from a bucket to the worktop.

Instruction: AssertWorktopContains

Signature: AssertWorktopContains { resource_address: ResourceAddress, amount: Decimal }

This verifies the worktop contains at least a specified amount of resources.

Instruction: AssertWorktopContainsAny

Signature: AssertWorktopContainsAny { resource_address: ResourceAddress }

This verifies the worktop contains any amount of a specified resource.

Instruction: AssertWorktopContainsNonFungibles

Signature: AssertWorktopContainsNonFungibles { resource_address: ResourceAddress, ids: Vec<NonFungibleLocalId> }

This verifies the worktop contains specified NFT IDs.

2. Authorization operations

These instructions manage proofs and access control through the authorization zone.

Instruction: PopFromAuthZone

Signature: PopFromAuthZone

This removes and returns the most recently added proof from the authorization zone.

Instruction: PushToAuthZone

Signature: PushToAuthZone { proof_id: ManifestProof }

This adds a proof to the auth zone.

Instruction: CreateProofFromAuthZoneOfAmount

Signature: CreateProofFromAuthZoneOfAmount { resource_address: ResourceAddress, amount: Decimal }

This creates a proof for a specified fungible amount.

Instruction: CreateProofFromAuthZoneOfNonFungibles

Signature: CreateProofFromAuthZoneOfNonFungibles { resource_address: ResourceAddress, ids: Vec<NonFungibleLocalId> }

This creates a proof for specified NFTs.

Instruction: CreateProofFromAuthZoneOfAll

Signature: CreateProofFromAuthZoneOfAll { resource_address: ResourceAddress }

This creates a proof for all resources of a type.

Instruction: DropAuthZoneProofs

Signature: DropAuthZoneProofs

This removes all proofs from the auth zone.

Instruction: DropAuthZoneRegularProofs

Signature: DropAuthZoneRegularProofs

This removes non-signature proofs.

Instruction: DropAuthZoneSignatureProofs

Signature: DropAuthZoneSignatureProofs

This removes signature proofs.

3. Bucket operations

These instructions manipulate resource buckets directly.

Instruction: CreateProofFromBucketOfAmount

Signature: CreateProofFromBucketOfAmount { bucket_id: ManifestBucket, amount: Decimal }

This creates a proof for specified amount from a bucket.

Instruction: CreateProofFromBucketOfNonFungibles

Signature: CreateProofFromBucketOfNonFungibles { bucket_id: ManifestBucket, ids: Vec<NonFungibleLocalId> }

This creates a proof for specified NFTs from a bucket.

Instruction: CreateProofFromBucketOfAll

Signature: CreateProofFromBucketOfAll { bucket_id: ManifestBucket }

This creates a proof for the entire bucket contents.

Instruction: BurnResource

Signature: BurnResource { bucket_id: ManifestBucket }

This burns resources in a bucket.

4. Proof operations

These instructions manage proof lifecycle including creation, copying, and destruction of proofs.

Instruction: CloneProof

Signature: CloneProof { proof_id: ManifestProof }

This creates a copy of an existing proof.

Instruction: DropProof

Signature: DropProof { proof_id: ManifestProof }

This destroys a specified proof.

5. Method/function calls

Instruction: CallFunction

Signature: CallFunction { package_address: DynamicPackageAddress, blueprint_name: String, function_name: String, args: ManifestValue }

This calls the blueprint function.

Instruction: CallMethod

Signature: CallMethod { address: DynamicGlobalAddress, method_name: String, args: ManifestValue }

This calls a component method.

Instruction: CallRoyaltyMethod

Signature: CallRoyaltyMethod { address: DynamicGlobalAddress, method_name: String, args: ManifestValue }

This calls a royalty-module method.

Instruction: CallMetadataMethod

Signature: CallMetadataMethod { address: DynamicGlobalAddress, method_name: String, args: ManifestValue }

This calls a metadata module method.

Instruction: CallRoleAssignmentMethod

Signature: CallRoleAssignmentMethod { address: DynamicGlobalAddress, method_name: String, args: ManifestValue }

This calls a role-assignment module method.

Instruction: CallDirectVaultMethod

Signature: CallDirectVaultMethod { address: InternalAddress, method_name: String, args: ManifestValue }

This calls a method directly on a vault, bypassing standard access controls.

6. Address operations

Instruction: AllocateGlobalAddress

Signature: AllocateGlobalAddress { package_address: PackageAddress, blueprint_name: String }

This creates global address reservation.

7. Metadata and role operations

Instruction: SetMetadata

Signature: SetMetadata { address: ComponentAddress, args: ManifestValue }

This sets metadata for a component.

Instruction: RemoveMetadata

Signature: RemoveMetadata { address: ComponentAddress, args: ManifestValue }

This removes metadata from a component.

Instruction: LockMetadata

Signature: LockMetadata { address: ComponentAddress, args: ManifestValue }

This locks component metadata to prevent further changes.

Instruction: SetComponentRoyalty

Signature: SetComponentRoyalty { address: ComponentAddress, args: ManifestValue }

This sets royalty configuration for a component.

Instruction: LockComponentRoyalty

Signature: LockComponentRoyalty { address: ComponentAddress, args: ManifestValue }

This locks component-royalty configuration.

Instruction: ClaimComponentRoyalties

Signature: ClaimComponentRoyalties { address: ComponentAddress, args: ManifestValue }

This claims accumulated royalties for a component.

Instruction: SetOwnerRole

Signature: SetOwnerRole { address: ComponentAddress, args: ManifestValue }

This sets the owner role for a component.

Instruction: LockOwnerRole

Signature: LockOwnerRole { address: ComponentAddress, args: ManifestValue }

This locks the owner-role configuration.

Instruction: SetRole

Signature: SetRole { address: ComponentAddress, args: ManifestValue }

This sets a role for a component.

8. Component-creation operations

Instruction: CreateAccessController

Signature: CreateAccessController { args: ManifestValue }

This creates a new access-controller component.

Instruction: CreateIdentity

Signature: CreateIdentity { args: ManifestValue }

This creates a new identity component.

Instruction: CreateIdentityAdvanced

Signature: CreateIdentityAdvanced { args: ManifestValue }

This creates a new identity component with advanced configuration options.

Instruction: CreateAccount

Signature: CreateAccount { args: ManifestValue }

This creates a new account component.

Instruction: CreateAccountAdvanced

Signature: CreateAccountAdvanced { args: ManifestValue }

This creates a new account component with advanced configuration options.

9. Cleanup operations

Instruction: DropNamedProofs

Signature: DropNamedProofs

This drops all named proofs.

Instruction: DropAllProofs

Signature: DropAllProofs

This drops all proofs (named and auth zone).

Zellic © 2025Back to top ↑