LUKSO LSP20 Call Verification Standard
LSP·20 · Execution
Inline verification — the account validates the call before it executes, no separate guard contract.
```solidity
// The account contract calls the verifier inline:
function lsp20VerifyCall(
    address requestor,
    address target,
    uint256 value,
    bytes calldata callData
) external returns (bytes4 magicValue);

function lsp20VerifyCallResult(
    bytes32 callHash,
    bytes calldata callResult
) external returns (bytes4 magicValue);
```
LSP20 is the change that lets controllers call the Universal Profile directly — the profile asks the verifier (“is this controller allowed to do this?”) and acts on the answer. Without LSP20, every controller call has to route through the Key Manager first; with LSP20, the Key Manager is the verifier and the profile is the entry point.
The behavioral consequence is small but UX-meaningful: msg.sender inside a called contract
is the profile, not the Key Manager wrapper. Token contracts, marketplaces, and on-chain
integrations see the account.
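The inline flow described above, as an added example (not LUKSO's implementation and not code from this page). It assumes the parameter meanings and magic-value rule of the LSP20 specification: `target` is the account delegating verification, `callData` is the calldata it received, the first three bytes of the returned value must match the `lsp20VerifyCall` selector, and a final byte of `0x01` requests the post-execution check. `IVerifier`, `MinimalVerifiedAccount`, `execute` and the error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Signatures as shown on this page; all other names are hypothetical.
interface IVerifier {
    function lsp20VerifyCall(address requestor, address target, uint256 value, bytes calldata callData)
        external returns (bytes4 magicValue);
    function lsp20VerifyCallResult(bytes32 callHash, bytes calldata callResult)
        external returns (bytes4 magicValue);
}

contract MinimalVerifiedAccount {
    IVerifier public immutable verifier; // plays the Key Manager's role

    error VerificationFailed(bool afterCall, bytes4 returned);
    error CallFailed(bytes returnData);

    constructor(IVerifier verifier_) {
        verifier = verifier_;
    }

    // Controllers call the account directly; there is no wrapper in front of it.
    function execute(address to, uint256 amount, bytes calldata data)
        external payable returns (bytes memory result)
    {
        // 1. Ask first. A revert in the verifier aborts the transaction, and any
        //    value other than the expected magic value is a denial (fail closed).
        bytes4 magic = verifier.lsp20VerifyCall(msg.sender, address(this), msg.value, msg.data);
        if (bytes3(magic) != bytes3(IVerifier.lsp20VerifyCall.selector)) {
            revert VerificationFailed(false, magic);
        }

        // 2. The account performs the call itself, so `to` observes
        //    msg.sender == address(this), not the verifier.
        bool ok;
        (ok, result) = to.call{value: amount}(data);
        if (!ok) revert CallFailed(result);

        // 3. A final byte of 0x01 means the verifier wants to inspect the result.
        if (magic[3] == 0x01) {
            bytes32 callHash = keccak256(abi.encodePacked(msg.sender, address(this), msg.value, msg.data));
            bytes4 post = verifier.lsp20VerifyCallResult(callHash, result);
            if (post != IVerifier.lsp20VerifyCallResult.selector) {
                revert VerificationFailed(true, post);
            }
        }
    }
}
```

Because the account acts on whatever `verifier` returns, that contract's ownership and upgrade path are part of the account's trust boundary.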
What it solves.
- Key Manager indirection — controllers calling LSP6 calling LSP0
What it does not solve.
Anti-overselling is a feature.
- LSP20 doesn't replace LSP6's permission model. It changes how that model is *invoked*.
- If the verifier is itself a contract, you still need to think about its trust assumptions.
Companions.
Standards this composes with.