Ghostmint Authorization
Only governance-authorized contracts can call the Ghostmint precompile. Unauthorized calls revert.
How authorization works
The list of authorized callers is configured via the GHOSTMINT_AUTHORIZED_CALLERS environment variable on the validator node. The precompile checks this list on every call.
Current authorized callers
| Contract | Address | Purpose |
|---|---|---|
| NativeAssetHandler | 0x35cdaE691037fcBb3ff9D0518725F1ae98d502b7 | Commit/reveal bridge |
Call chain
User → CommitRevealVault → NativeAssetHandler → Precompile (0x0808)
(not authorized) (authorized) (checks caller)
The CommitRevealVault itself is not an authorized caller. It delegates to the NativeAssetHandler, which is the single authorized entry point.
Updating authorized callers
Authorization changes require either:
- Validator restart — update the
GHOSTMINT_AUTHORIZED_CALLERSenvironment variable and restart thespecterdservice - Governance proposal — submit an on-chain governance proposal to update the authorized callers stored in the KVStore
The environment variable takes precedence over the KVStore. This allows emergency authorization changes without waiting for governance.
Environment variable format
GHOSTMINT_AUTHORIZED_CALLERS=0x35cdaE691037fcBb3ff9D0518725F1ae98d502b7
Multiple callers can be comma-separated:
GHOSTMINT_AUTHORIZED_CALLERS=0xAddress1,0xAddress2
PreCommit invariant
The chain's PreCommit ABCI hook verifies the supply invariant on every block:
totalMinted - totalBurned <= 1,000,000,000 GHOST
If a block would violate this constraint, it is rejected. This is a consensus-level safeguard independent of the smart contract logic.
For developers
You cannot directly call the precompile from your smart contracts unless your contract is authorized via governance. To interact with the mint/burn system:
- Use the CommitRevealVault for standard commit/reveal operations
- Use GhostERC20 tokens for ERC20 privacy operations
- If you need custom mint/burn logic, propose a governance authorization for your contract