Ownership Model

EVE Frontier uses a capability-based access control system. Instead of relying on wallet addresses for ownership, transferable capability objects (OwnerCap) grant access to on-chain objects.

Capability Hierarchy

GovernorCap  (deployer — top-level authority)
    └── AdminCap  (game server — creates objects, manages config)
            └── OwnerCap<T>  (player — mutates a specific object)
  • GovernorCap — created at deploy time. Can create/revoke AdminCaps.

  • AdminCap — granted to the game server. Can create objects and mint OwnerCaps.

  • OwnerCap<T> — a typed "keycard" that authorizes mutation of one specific object.

public struct OwnerCap<phantom T> has key {
    id: UID,
    authorized_object_id: ID,
}

Character as a Keychain

All OwnerCaps are stored inside the player's Character object (not in their wallet directly). This is inspired by a real-world keychain pattern — a single master key (the character) grants access to many capabilities.

User Wallet
    └── Character (shared object, mapped to user address)
            ├── OwnerCap<NetworkNode>
            ├── OwnerCap<Gate>
            ├── OwnerCap<StorageUnit>
            └── ...

When a Smart Assembly is created, its OwnerCap is minted and transferred to the Character object. If the user has access to the character, they have access to all its capabilities.

Borrow-Use-Return Pattern

To use an OwnerCap, the player borrows it from the character, uses it, and returns it all within a single transaction. This uses Sui's Receivingarrow-up-right pattern.

A ReturnOwnerCapReceipt (hot potato) ensures the cap is always returned or explicitly transferred, it cannot be silently dropped.

TypeScript Example

A typical owner-authenticated call (e.g., bringing a network node online):

Benefits

  • Centralized ownership — manage all capabilities from a single character object

  • Granular access — each OwnerCap<T> only authorizes one specific object

  • Delegatable — transfer an OwnerCap without moving the underlying assembly

  • Composable — the borrow-use-return pattern works within programmable transactions

Reference:

Last updated