Spending Limits Policy

The spending limits policy provides fine-grained control over ERC20 token transfers made by a session key. It lets you set both a per-transaction cap and a cumulative budget on the amount parameter, and restrict transfers to specific recipient addresses, all enforced on the calldata of the permitted function.

⚠️ Security Consideration: Always whitelist recipient addresses and set conservative token limits. A session key that may call transfer() with an amount rule but no recipient rule can send up to the full budget to any address the key holder chooses, so the recipient rule is what contains a compromised session key.

spendingLimits.ts
import { usersNexusClient } from "./client.ts";
import { parseUnits, toFunctionSelector, type Address } from "viem";
import { ParamCondition } from "@biconomy/sdk-canary";

// Assumed to be defined in your own setup (not shown on this page): the
// session key's address, the USDC contract address and the approved recipient.
declare const sessionPublicKey: Address;
declare const USDC_ADDRESS: Address;
declare const WHITELISTED_ADDRESS: Address;
 
const createSessionsResponse = await usersNexusClient.grantPermission({
  sessionRequestedInfo: [
    {
      sessionPublicKey,
      actionPoliciesInfo: [
        {
          // Only transfer(address,uint256) on the USDC contract is permitted
          functionSelector: toFunctionSelector("transfer(address,uint256)"),
          contractAddress: USDC_ADDRESS,
          rules: [
            {
              // Rule 1: the recipient (calldata word 0) must equal the whitelisted address
              condition: ParamCondition.EQUAL,
              offsetIndex: 0, // recipient parameter
              isLimited: false,
              ref: WHITELISTED_ADDRESS
            },
            {
              // Rule 2: the amount (calldata word 1) must be strictly less than 1000 USDC
              // (LESS_THAN rejects exactly 1000; use LESS_THAN_OR_EQUAL to allow it),
              // and every permitted amount accrues against a 5000 USDC cumulative budget
              condition: ParamCondition.LESS_THAN,
              offsetIndex: 1, // amount parameter
              isLimited: true,
              ref: parseUnits("1000", 6), // 1000 USDC per tx (USDC has 6 decimals)
              usage: {
                limit: parseUnits("5000", 6), // 5000 USDC total
                used: 0n
              }
            }
          ],
          tokenLimits: [
            {
              token: USDC_ADDRESS,
              limit: parseUnits("5000", 6) // 5000 USDC total limit
            }
          ]
        }
      ]
    }
  ]
})

Common Use Cases

  • Token Allowances: Set maximum spending limits for ERC20 tokens
  • Whitelisted Transfers: Restrict transfers to approved addresses only
  • Budget Management: Implement departmental spending controls
  • DeFi Risk Management: Limit exposure in DeFi protocols
  • Automated Payments: Control recurring token payments
  • Treasury Operations: Manage organizational token distributions

Best Practices

  1. Whitelist Recipients: Always specify allowed recipient addresses
  2. Dual Limits: Implement both per-transaction and cumulative limits
  3. Token Decimals: Express limits in the token's own decimals (USDC has 6, so parseUnits("1000", 6)). Using 18 for a 6-decimal token sets a cap a trillion times larger than intended, which is effectively no cap at all.
  4. Usage Tracking: Monitor cumulative usage against total limits
  5. Multiple Tokens: Set appropriate limits for each token type
  6. Regular Reviews: Periodically audit spending patterns and adjust limits
  7. Combine Policies: Use with time-based restrictions for enhanced security
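The following is an added example, not code from this page, from the Biconomy SDK or from the on-chain policy contract: a self-contained TypeScript model of how the two rules in the configuration above are applied to transfer(address,uint256) calldata, so that the per-transaction cap, the cumulative budget, the strictness of LESS_THAN and the decimals pitfall from the best practices can be seen on concrete inputs. It assumes the semantics described on this page (the 32-byte calldata word at offsetIndex is compared with ref, and for an isLimited rule the parameter value accrues against usage.limit). The two addresses and the sequence of transfers are constructed for the demo; `units` is a whole-number stand-in for viem's parseUnits so nothing needs to be installed.

```typescript
// Added example: local model of spending-limit rule evaluation. Not the
// Biconomy SDK and not the on-chain policy; rule semantics are assumed from
// the page (compare word at offsetIndex with ref; isLimited amounts accrue).

type Hex = `0x${string}`;
type Condition = "EQUAL" | "GREATER_THAN" | "LESS_THAN"
  | "GREATER_THAN_OR_EQUAL" | "LESS_THAN_OR_EQUAL" | "NOT_EQUAL";

interface Rule {
  condition: Condition;
  offsetIndex: number;                      // 32-byte calldata word after the selector
  ref: bigint;                              // address as uint160, amount in raw token units
  isLimited: boolean;
  usage?: { limit: bigint; used: bigint };  // cumulative tracking for isLimited rules
}

interface Verdict { allowed: boolean; reason: string }

// Whole-number stand-in for viem's parseUnits("1000", 6)
function units(amount: string, decimals: number): bigint {
  return BigInt(amount + "0".repeat(decimals));
}

const TRANSFER_SELECTOR = "0xa9059cbb"; // toFunctionSelector("transfer(address,uint256)")

// Hand-rolled ABI encoding of transfer(to, amount): selector + two 32-byte words
function encodeTransfer(to: Hex, amount: bigint): Hex {
  const addr = to.slice(2).toLowerCase().padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return `${TRANSFER_SELECTOR}${addr}${amt}` as Hex;
}

// The word a rule with a given offsetIndex inspects ("0x" + 8 selector chars = 10)
function wordAt(calldata: Hex, offsetIndex: number): bigint {
  const start = 10 + offsetIndex * 64;
  return BigInt("0x" + calldata.slice(start, start + 64));
}

function holds(cond: Condition, value: bigint, ref: bigint): boolean {
  switch (cond) {
    case "EQUAL": return value === ref;
    case "NOT_EQUAL": return value !== ref;
    case "GREATER_THAN": return value > ref;
    case "GREATER_THAN_OR_EQUAL": return value >= ref;
    case "LESS_THAN": return value < ref;        // strict: a value equal to ref is rejected
    case "LESS_THAN_OR_EQUAL": return value <= ref;
    default: throw new Error("unknown condition");
  }
}

// Every rule must pass before any usage counter moves, so a rejected transfer
// never consumes budget.
function evaluateTransfer(rules: Rule[], calldata: Hex): Verdict {
  if (!calldata.startsWith(TRANSFER_SELECTOR)) {
    return { allowed: false, reason: "selector is not transfer(address,uint256)" };
  }
  if (calldata.length !== 10 + 2 * 64) {
    return { allowed: false, reason: "unexpected calldata length" };
  }
  const pending: Array<{ rule: Rule; value: bigint }> = [];
  for (let i = 0; i < rules.length; i++) {
    const rule = rules[i];
    const value = wordAt(calldata, rule.offsetIndex);
    if (!holds(rule.condition, value, rule.ref)) {
      return { allowed: false, reason: `rule ${i}: param ${rule.offsetIndex} fails ${rule.condition}` };
    }
    if (rule.isLimited && rule.usage) {
      if (rule.usage.used + value > rule.usage.limit) {
        return { allowed: false, reason: `rule ${i}: cumulative limit exceeded` };
      }
      pending.push({ rule, value });
    }
  }
  for (const p of pending) p.rule.usage!.used += p.value;
  return { allowed: true, reason: "ok" };
}

// Constructed addresses for the demo (not real deployments)
const WHITELISTED: Hex = "0x1111111111111111111111111111111111111111";
const OTHER: Hex = "0x2222222222222222222222222222222222222222";

// Same limits as the policy above. `decimals` is a parameter only so the
// decimals pitfall can be shown; USDC has 6.
function buildRules(decimals = 6): Rule[] {
  return [
    { condition: "EQUAL", offsetIndex: 0, isLimited: false, ref: BigInt(WHITELISTED) },
    { condition: "LESS_THAN", offsetIndex: 1, isLimited: true, ref: units("1000", decimals),
      usage: { limit: units("5000", decimals), used: 0n } },
  ];
}

// A constructed sequence of attempted transfers; returns one verdict per attempt
function runScenario(): Verdict[] {
  const rules = buildRules();
  const attempts: Array<[Hex, bigint]> = [
    [WHITELISTED, units("999", 6)],   // under the per-tx cap, used -> 999
    [WHITELISTED, units("1000", 6)],  // exactly 1000: LESS_THAN is strict, rejected
    [OTHER, units("1", 6)],           // recipient not whitelisted, rejected
    [WHITELISTED, units("999", 6)],   // used -> 1998
    [WHITELISTED, units("999", 6)],   // used -> 2997
    [WHITELISTED, units("999", 6)],   // used -> 3996
    [WHITELISTED, units("999", 6)],   // used -> 4995
    [WHITELISTED, units("999", 6)],   // would reach 5994 > 5000, rejected
    [WHITELISTED, units("5", 6)],     // exactly fills the budget, used -> 5000
    [WHITELISTED, units("1", 6)],     // budget exhausted, rejected
  ];
  return attempts.map(([to, amt]) => evaluateTransfer(rules, encodeTransfer(to, amt)));
}

// Decimals pitfall: a cap written with 18 decimals lets 1,000,000 USDC through
function decimalsPitfall(): Verdict {
  return evaluateTransfer(buildRules(18), encodeTransfer(WHITELISTED, units("1000000", 6)));
}
```

Two details worth noticing in the scenario: the rejected attempts leave `usage.used` untouched, so a failing transfer cannot be used to burn the budget, and the ten attempts end with the budget exactly consumed, which is what the usage tracking in best practice 4 is meant to let you watch for. `decimalsPitfall()` is the failure mode behind best practice 3: the rule structure is identical, only the decimals differ, and a transfer a thousand times larger than the intended per-transaction cap is allowed.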