
Creating Policies

Learn how to create and manage transaction policies to protect your wallet against unauthorized actions.


Policies are the heart of Kairo's protection. They define exactly what transactions your wallet can sign—and more importantly, what it can't. This guide shows you how to create policies that match your security needs.

What Is a Policy?

A policy is a set of rules stored on the Sui blockchain. Every time you try to sign a transaction, Kairo checks it against your active policy:

  • Match the rules? Transaction proceeds
  • Break any rule? Transaction blocked

Because policies live on-chain, they can't be bypassed by compromising your device alone. Even if malware infected your browser, it couldn't sign transactions that violate your policy.

Policy Components

Every policy can include these types of rules:

Destination Rules

Control where your funds can go:

  • Allowlist — Only these addresses can receive funds
  • Denylist — These addresses are blocked, everything else is allowed

Most users should start with an allowlist. It's more restrictive but far safer.

Amount Limits

Cap how much can be sent:

  • Per-transaction maximums
  • Token-specific limits
  • Different thresholds for different assets

Contract Interaction Rules

Control how you interact with smart contracts:

  • Allowed function selectors — Only these contract functions can be called
  • Blocked function selectors — These specific functions are forbidden

These rules are particularly useful for blocking unlimited token approvals.

Chain Restrictions

Limit which blockchains you use:

  • Only allow specific networks
  • Prevent accidental transactions on testnets or unfamiliar chains

Time-Based Rules

Add temporal constraints:

  • Policy expiration dates
  • Future: Time-delayed transactions for high-value transfers

Creating Your First Policy

Step 1: Open Policy Settings

  1. Click the Kairo extension icon
  2. Navigate to Settings → Policy
  3. Click Create New Policy (or Edit Policy if one exists)

Step 2: Set Up Destination Rules

For most users, we recommend starting with an allowlist:

  1. Toggle Allowlist Mode on
  2. Click Add Address
  3. Enter addresses you commonly send to:
    • Your hardware wallet
    • Exchange deposit addresses
    • DeFi protocols you use (Uniswap, Aave, etc.)
  4. Give each address a memorable name
  5. Repeat for all trusted destinations

Tip: You can add contract addresses (like Uniswap Router) to allow interactions with those protocols.

Step 3: Configure Amount Limits (Optional)

If you want spending caps:

  1. Toggle Amount Limits on
  2. Set a maximum per-transaction amount
  3. Optionally, set specific limits for specific tokens

Example configuration:

  • ETH: Max 1 ETH per transaction
  • USDC: Max 1,000 USDC per transaction
  • Other tokens: Default limit of $500 equivalent

Step 4: Set Contract Rules (Optional)

For DeFi users who want extra protection:

  1. Navigate to Contract Interactions
  2. Consider blocking approve() with unlimited amounts
  3. Add specific function selectors you want to allow or deny

Common selectors to know:

  • 0x095ea7b3 — ERC20 approve()
  • 0xa9059cbb — ERC20 transfer()
  • 0x23b872dd — ERC20 transferFrom()
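As an added illustration that is not Kairo's own code, the following models how the rules described above (allowlist, per-token amount limits, chain restrictions and blocking of unlimited approve()) are evaluated against a transaction. The policy layout, field names, sample addresses and the assumption that the wallet has already decoded `to`, `token` and `amount` are constructed for this example.

```javascript
// Added example (not Kairo's code): an offline model of policy evaluation.
// Policy field names and the tx shape are assumptions for illustration.
const UNLIMITED = (1n << 256n) - 1n;        // 2^256 - 1, the usual "infinite" approval
const SEL_APPROVE = "0x095ea7b3";           // ERC20 approve(address,uint256)

// Constructed policy modelled on the "Active DeFi User" example below.
// Amounts are in base units (wei for ETH, 6 decimals for USDC); no entry = no limit.
const ROUTER = "0x" + "11".repeat(20);      // placeholder allowlisted contract address
const policy = {
  chains: new Set([1, 8453, 42161]),        // Ethereum, Base, Arbitrum chain ids
  allowlist: new Set([ROUTER]),
  maxAmount: { ETH: 5n * 10n ** 18n, USDC: 10_000n * 10n ** 6n },
  blockUnlimitedApprove: true,
};

// ABI-encode approve(spender, amount): 4-byte selector + two 32-byte words.
function encodeApprove(spender, amount) {
  return SEL_APPROVE + spender.slice(2).padStart(64, "0") + amount.toString(16).padStart(64, "0");
}
const selectorOf = (data) => data.slice(0, 10).toLowerCase();
// The amount is the second 32-byte argument word (hex chars 74..138 of the calldata).
const approveAmount = (data) => BigInt("0x" + data.slice(74, 138));

// tx: { chainId, to, token, amount (BigInt, base units), data (hex calldata or "0x") }
// The wallet is assumed to have decoded `to`, `token` and `amount` already.
function evaluate(policy, tx) {
  if (!policy.chains.has(tx.chainId)) return { allowed: false, reason: "chain not allowed" };
  if (!policy.allowlist.has(tx.to.toLowerCase())) return { allowed: false, reason: "address not in allowlist" };
  const cap = policy.maxAmount[tx.token];
  if (cap !== undefined && tx.amount > cap) return { allowed: false, reason: "amount exceeds limit" };
  if (policy.blockUnlimitedApprove && selectorOf(tx.data) === SEL_APPROVE && approveAmount(tx.data) === UNLIMITED) {
    return { allowed: false, reason: "unlimited approve blocked" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample transactions
const sendEth = { chainId: 1, to: ROUTER, token: "ETH", amount: 1n * 10n ** 18n, data: "0x" };
const unlimitedApprove = { chainId: 1, to: ROUTER, token: "USDC", amount: 0n, data: encodeApprove(ROUTER, UNLIMITED) };
const cappedApprove = { chainId: 1, to: ROUTER, token: "USDC", amount: 0n, data: encodeApprove(ROUTER, 500n * 10n ** 6n) };
```

The first check that fails is the one reported as the denial reason, which is how the troubleshooting section below expects it to surface.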

Step 5: Choose Network Settings

  1. Navigate to Networks
  2. Select which chains your policy applies to
  3. For maximum security, only enable chains you actively use

Step 6: Review and Publish

  1. Review all your policy settings
  2. Click Publish Policy
  3. Confirm the on-chain transaction
  4. Wait for confirmation (usually a few seconds)

Your policy is now active!

Policy Versioning

Every time you update your policy, a new version is created. This is important for security:

  • Old versions are preserved for audit trails
  • You must explicitly "reaffirm" your binding to use a new policy version
  • This prevents attackers from silently changing your policy

Updating Your Policy

  1. Make your desired changes
  2. Click Update Policy
  3. A new version is published on-chain
  4. You'll be prompted to reaffirm your binding
  5. Confirm to activate the new policy

Why Reaffirmation Matters

Requiring explicit reaffirmation prevents a subtle attack:

Without reaffirmation: An attacker compromises your device → changes your policy to allow malicious addresses → immediately drains your wallet

With reaffirmation: An attacker compromises your device → changes your policy → but signing still fails because you haven't reaffirmed → you notice something is wrong before funds are lost
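The two scenarios above, as an added model that is not Kairo's own code: signing is evaluated only against the policy version the wallet is explicitly bound to, so a freshly published version is inert until reaffirmed. The store and binding shapes and the sample addresses are assumptions constructed for this example.

```javascript
// Added example (not Kairo's code): a model of policy versioning with explicit
// reaffirmation. Store and binding shapes are assumptions for illustration.
const store = { versions: [] };                 // stand-in for the on-chain policy object
const publishVersion = (allowlist) => store.versions.push({ allowlist: new Set(allowlist) });

// The binding pins the wallet to one version number; publishing does not move it.
const binding = { version: 0 };
const reaffirm = () => { binding.version = store.versions.length; };

function trySign(to) {
  const latest = store.versions.length;
  if (binding.version !== latest) {
    return { ok: false, reason: `policy v${latest} published but not reaffirmed (bound to v${binding.version})` };
  }
  const active = store.versions[binding.version - 1];
  return active.allowlist.has(to) ? { ok: true, reason: "ok" } : { ok: false, reason: "address not in allowlist" };
}

// Scenario: the user publishes v1 and reaffirms it.
const MY_WALLET = "0x" + "11".repeat(20);       // constructed placeholder
const UNKNOWN = "0x" + "bd".repeat(20);         // constructed placeholder added by a compromised device
publishVersion([MY_WALLET]);
reaffirm();
const before = trySign(MY_WALLET);              // ok: bound to v1, v1 is latest

// A policy change made without the user publishes v2 with the extra address.
publishVersion([MY_WALLET, UNKNOWN]);
const unknownAttempt = trySign(UNKNOWN);        // blocked: v2 not reaffirmed
const ownAttempt = trySign(MY_WALLET);          // also blocked: the stall is the user's alarm signal
```

Only a reaffirmation by the user moves the binding to v2, which is the moment to read the new version's allowlist before confirming.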

Policy Examples

Conservative HODLer

For someone who rarely transacts:

Destinations: Allowlist only
  - Personal hardware wallet
  - Primary exchange

Amount Limits:
  - ETH: 0.5 max
  - All others: $1,000 max

Networks: Ethereum mainnet only

Contract Interactions: Transfer only (no approvals)

Active DeFi User

For regular trading and farming:

Destinations: Allowlist
  - Personal wallets
  - Uniswap Router (all versions)
  - Aave Pool
  - Compound cTokens
  - Major exchange addresses

Amount Limits:
  - Stablecoins: $10,000 max
  - ETH: 5 max
  - Others: No limit

Networks: Ethereum, Base, Arbitrum

Contract Interactions: All allowed except
  - Unlimited approve() calls blocked

Multi-Sig Treasury

For organizational funds:

Destinations: Strict allowlist
  - Approved vendor addresses
  - Internal transfer addresses only

Amount Limits:
  - All assets: $50,000 max
  - Above requires additional approval

Networks: Ethereum mainnet only

Additional: 24-hour delay on policy changes

Managing Multiple Policies

You can create different policies for different purposes:

  • Daily spending policy — Lower limits, more allowed destinations
  • Savings policy — Very restricted, high-value protection
  • DeFi policy — More contract interactions allowed

Switch between policies as needed for different activities.

Troubleshooting Policies

Transaction Blocked Unexpectedly

  1. Check the denial reason in the Kairo popup
  2. Common causes:
    • Address not in allowlist
    • Amount exceeds limit
    • Contract function not allowed
  3. Add the address/function if you trust it
  4. Retry the transaction

Policy Update Not Taking Effect

  1. Ensure you've reaffirmed your binding
  2. Check the transaction confirmed on Sui
  3. Try refreshing the extension

Can't Find a Contract Address

For DeFi protocols:

  1. Check the protocol's official documentation
  2. Look up the contract on Etherscan
  3. Verify the address before adding to allowlist

Best Practices

  1. Start restrictive — You can always add addresses later
  2. Name your addresses — Makes reviewing transactions much easier
  3. Review regularly — Remove addresses you no longer use
  4. Test after changes — Make a small transaction to verify your policy works
  5. Keep a backup — Note your policy configuration somewhere safe

© 2026 Kairo Guard. All rights reserved.