Anti-DAO, Pre-DAO, DAOless — ICRC-137 Veto-Based Governance

Developers Showcase
, ,
1

TL;DR

  • ICDevs just shipped its first ICRC-137 “veto-governed” canisters: a Veto Canister and a Veto Lifeline—both wired through ICRC-120 orchestration.
  • Admins(DAP developers keep control but every sensitive(configured) call (upgrades, configs, token transfers, etc.) is subject to a DAO veto*. *The DAO can be a SNS, NNS, or other Item that returns proposal status in the same format as the NNS. For these canisters, that DAO is the NNS.
  • Lifeline ⟷ Veto: each can upgrade/configure the other via ICRC-120, so there’s a safety line if one fails.
  • Alpha has a backdoor (for safety); backdoor is removed at beta.
  • ICRC-120 orchestrator will be the next canister governed under ICRC-137.
  • This pattern is for Anti-DAOs, Pre-DAOs, and the DAOless who want accountability without having to establish a new DAO and who want to ‘inherit’ the security of the NNS.
  • Links: Veto-Lifeline akiyk-waaaa-aaaai-atlca-cai, Veto anj66-3yaaa-aaaai-atlcq-cai, ICRC-120 Orchestrator a7pjh-xiaaa-aaaai-atlbq-cai (block logs available).

Anti-DAO, Pre-DAO, DAOless — ICRC-137 Veto-Based Governance

What we shipped

  • ICRC-137 Veto Canister and Veto Lifeline (subject to NNS veto).

  • Mutual upgrades via ICRC-120:

    • Veto can upgrade the Lifeline through ICRC-120, config through self call.
    • Lifeline can upgrade the Veto through ICRC-120, config through self call.

  • Roadmap: the ICRC-120 Orchestrator itself will go under ICRC-137 governance next.

Canisters

Field note: the Lifeline already executed a command against the ICRC-120 to upgrade the Veto canister to v0.0.4. We shortened the timeline to test; it failed at first, then succeeded after enabling orthogonal persistence flags.

You can explore calls/behavior in the ICRC-3 block logs for each canister.

Here is the command status for the successful icrc120_upgrade_to call:

[
  [
    {
      "id": 1,
      "status": {
        "executed": "1759947563809335170"
      },
      "result": [
        {
          "Ok": "4449444c036d016b02bc8a017dc5fed201026b04efd1c6af057ff7b3b29d0871d4b4c59a097fecce99d4097f0100010007"
        }
      ],
      "request": {
        "scheduled_time": [],
        "method": "icrc120_upgrade_to",
        "metadata": [
          [
            "icrc137_upgrade_type",
            {
              "Text": "veto_canister_upgrade"
            }
          ],
          [
            "icrc137_description",
            {
              "Text": "Upgrade veto_canister through prod-orchestrator"
            }
          ],
          [
            "icrc137_target_canister",
            {
              "Text": "anj66-3yaaa-aaaai-atlcq-cai"
            }
          ],
          [
            "icrc137_wasm_hash",
            {
              "Text": "63f25d37647113c89eb65c8d3f02b13add3451cf3c7fb373e2348be768970d41"
            }
          ]
        ],
        "memo": [
          "757067726164652d31373539393437343833353633"
        ],
        "requested_at": [
          "1759947483563000064"
        ],
        "cycles": [],
        "best_effort_timeout": [],
        "method_args": [
          "4449444c0d6d7b6b0285a19bb8047fb490a1d90a7f6e016e7e6c02dceaaefa0202c0a09bde05036e046b03c8bb8a707f9ce9c69906059baaebec087f6c006c02007101076d086e096c09c4b0d08d027edd9ad2830400cedfa0a80400e3a683c3040682e0efe2047eb3c4b1f20468aafdfa8b050acf8f97d5067ea1b5dcc70d7d6d0b010c0100314449444c076c006e006c02dbb7017d8d98f3e7047d6d026e036c0381a99a4001fdbdbbb90504e780c0b107016e050106002063f25d37647113c89eb65c8d3f02b13add3451cf3c7fb373e2348be768970d41010101000001010a0000000001009ac50101000180f092cbdd08"
        ],
        "canister": "a7pjh-xiaaa-aaaai-atlbq-cai"
      },
      "scheduled_for": "1759947563044796132",
      "veto": [],
      "created_at": "1759947503044796132"
    }
  ],
  1
]

How it works (in one screen)

  • ICRC-137 lets an admin make any IC call (e.g., upgrade/config/transfer), but requires subjecting each call to a veto window by a chosen DAO (here: NNS).
  • On-chain: only the Veto Canister (and certain closed systems like the 120 Orchestrator) can perform protected actions on your target system; it is set as sole controller/admin for those functions.
  • Off-chain: community discovers pending commands and can organize a veto motion. We’re building a discovery dashboard in Astroflora; bots/feeds are viable too.

Alpha → Beta

  • Alpha: we maintain a backdoor (recovery).
  • Beta: we remove the backdoor.

Why this design?

Coin-voting DAOs are unresolved at best, broken at worst (collusion, plutocracy, capture):

At the same time, the NNS has “secured” >$2B for ~4+ years, while some SNS offspring have seen capture risks. We want operational clarity + last-resort accountability without pretending coin-vote solves everything today(and the expenses that come along with an SNS).

ICRC-137 requires a commitment to this ethos:

  1. Open source the code.
  2. Clear-communication about upcoming upgrades and/or service affecting actions.
  3. Honor the timeline - Announce publicly, wait 4 days, call command, wait 4 days, execution or veto.

This creates explicit power with explicit guardrails, not the murky implicit control that often accompanies governance theater.

Who this is for

  • Anti-DAO: You don’t want to give up control, but you want credible accountability (including protection against coercion). ICRC-137 gives you a safety net when pressure mounts.
  • Pre-DAO: You want to grow into decentralization. ICRC-137 sets rational limits and provides on-chain trust while you iterate toward a durable model.
  • DAOless utilities: Mostly “black-hole,” but want a measured upgrade path for rare protocol changes. ICRC-137 makes that straightforward.

Consider your application is successful and you find yourself holding the keys(literally) to a service that has US $100m of users’ funds held by accounts on your back-end canister. On a Tuesday night, a man shows up at your door with a gun and kindly suggests that you install his crafted wasm that will extract all the tokens your canister owns into his account. What do you do? If your canister is under ICRC-137 governance, this scenario becomes much less possible because upgrades take, at the least, 4 days, and an unannounced upgrade that does not have code associated with it will likely be vetoed.

Practicalities

On-chain (easy)

  • Propose the call via ICRC-137 → it enters a pending window.
  • If no veto within the window → it executes automatically.

Off-chain (harder)

  • People need to care and have information. We’ll surface pending requests in an Astroflora dashboard; third-party bots can help.
  • The governing DAO (here, NNS) must also care. Expect to write clear proposals and rally quorum (>~3% on some NNS topics). Example style:

“DAOZZZ proposes upgrading to WASM XXXXXX. The new build adds a withdrawal function enabling DAOZZZ to remove user funds at discretion. This violates stated protocol guarantees and is unsafe. We request the NNS to veto this upgrade. Commit: https://github.com/yyyyyyyy.”

The unstated subtext to the above proposed veto is that it is highly likely tha the THREAT of veto will cause the upgrade to not be issued in the first place and thus resolving the situation off chain.

Abuse & trolling

  • A sufficiently funded actor can repeatedly file veto motions to stall you. There’s no silver bullet yet; economic costs and social norms help.
  • ICRC-137 can plug into any governance system with a governance-canister-like interface; boards/councils are possible if NNS isn’t the right venue.

Security/operability notes

  • Only the Veto Canister (and selected closed systems like the 120 Orchestrator) should be controller/admin for functions guarded by 137.
  • Keep trivial stuff out of NNS governance; reserve veto for big promises and safety.
  • Emergency stops, can be issued by a developer that controls a 137 canister if they provide a pre-determined fee/deposit as a part of the standard. This allows vulnerabilities to be taken offline immediately, and then the fee/deposit is refunded after a new wasm is deployed. This provides at least SOME ‘delete the canister’ protection.

FAQ

Q: Can I read the code?
A: Not yet. We’re running a few experiments first and figuring out funding. We applied for a grant; it’s in limbo as it’s not seen as driving immediate network metrics. We’ll keep pushing—infra/public goods aren’t flashy, but they’re essential. Got ideas? Donations, naming rights, even playful things like “buy-a-line-as-an-NFT” have been floated. We’ll open-source at release with better docs and self-service onboarding.

Q: Can I use it today?
A: If you have a clear use case and would like to participate in the Alpha/Beta, please reach out.

Next steps

  • Run more experiments, including vetoing one of our own upgrades end-to-end to prove the loop.
  • Remove the alpha backdoor.
  • Open-source the code, document the spec, and package deployment tooling.
  • Release the Astroflora dashboard for ICRC-137 discovery (pending-commands feed).

If you’re building an Anti-DAO, Pre-DAO, or DAOless service and want to ship with accountability—without pretending coin-vote is “solved”—ICRC-137 is for you.

You can currently launch your own ICRC-137 canister via the AstroFlora dashboard at https://muwct-xiaaa-aaaaj-a2ffq-cai.icp0.io/ if you create an empty canister and make a7pjh-xiaaa-aaaai-atlbq-cai a controller.

11 Likes
2
ICRC Title Author Discussions Status Type Category Created
137 Vetoable Command and Governance Service Specification Austin Fatheree Vetoable Upgrades · Issue #137 · dfinity/ICRC · GitHub Draft Standards Track 2025-10-08

ICRC-137: Vetoable Upgrade and Governance Service

1. Scope

ICRC-137 defines a standard interface for the management of canister upgrades with integrated veto, cancellation, and emergency stop mechanisms. Designed to work with upgrade orchestrators (e.g., ICRC-120), this service provides robust, auditable workflows for risk-managed upgrades, suitable for DAOs, utilities, and enterprises operating on the Internet Computer.

This standard covers:

  • Submitting, reviewing, and executing upgrade commands

  • Vetoable pending state with payment and burn logic

  • Emergency stop (with suggested economic guardrails)

  • Querying governance and command metadata

  • Compatibility with ICRC-120 orchestration and canister snapshots

Out of Scope

  • Low-level wasm install or execution procedures (see ICRC-120)

  • SNS-style voting extensions (can be layered atop this standard)

2. Purpose and Reasoning

Many Internet Computer services and utilities lack the resources—or the maturity—to run their own SNS or fall outside the remit of the NNS. Yet, those that hold or manage value must safeguard user funds and maintain developer agility and physical and financial safety while the ecosystem and its protocols evolve. ICRC-137 fills this gap by offering a “governance of last resort”: teams retain operational control of their canisters, but any proposed upgrade or installation is subject to a vetoable governance check.

Key extensions introduced by ICRC-137:

  • Pending windows. Every proposed command enters a configurable delay period before execution, giving stakeholders time to review changes.

  • Veto, cancellation, and emergency blocks. Authorized parties can halt a pending command—subject to implementation-defined deposit, burn, or delay rules.

  • Role-based controls. Fine‑grained permissions let projects define which principals may propose, veto, cancel, or stop operations (details left to each instance).

  • Deduplication. Commands are uniquely identified and de‑duplicated within a time window, preventing accidental replays and aiding recovery.

These features suit scenarios such as decentralized utilities, compliance‑aware dapps, and managed‑upgrade frameworks, where transparency and risk management are paramount.

Governance “Safety Net”

ICRC-137 is intentionally positioned as a fallback governance layer for services that:

  1. Serve the public but aren’t yet ready for—or don’t require—the full SNS/NNS voting apparatus.

  2. Need a simple, predictable upgrade process with the option for emergency intervention.

Teams give control of their canisters to open-sourced ICRC-137 “orchestration canister,” maintain day‑to‑day control, and pledge to follow a pre‑committed upgrade workflow. A designated SNS, NNS, or other designated DAO can trigger a veto motion against that workflow if concerns arise.

Suggested Upgrade Workflow

  1. Open‑source code. All canister logic must be publicly auditable.

  2. Advance notice. Publish code and announce any planned upgrade at least 4 days before submission.

  3. Scheduled execution. Submit the upgrade command to execute 8 days after announcement.

  • During the first 4 days, the team and community can discuss and, if necessary, cancel the command and propose a revised version.

  • If unresolved, anyone posting the required deposit may file a veto motion. A successful veto blocks the original command; the team must then submit a new proposal.

Note: Tokenomics for veto deposits, burns, and rewards are intentionally left open. Each deployment may define its own economic parameters in accordance with its governance policies.

3. Terminology and Definitions

  • Command: An action (typically an upgrade, install, or governance operation) proposed on a canister.

  • Veto: The ability to block/stop a pending command during its defined window, after which it executes automatically.

  • Emergency Stop: A mechanism for an admin to instantaneously halt a canister or operation, with possible fee/deposit requirements.

  • Deduplication: Ensuring only one instance of a transaction is accepted within a window for resilience against network failure.

  • Governance Canister: An associated canister responsible for reviewing, vetting, or executing commands for the governed canister.

  • ICRC-16 Map: Flexible metadata annotation as defined by ICRC-16.

  • Proposal Format: Each ICRC-137 service should publish the valid motion proposal format and any stipulations that must be in place to tie the veto to a particular command proposal. The proposal SHOULD contain a Representational Independent Hash of ICRC-137 Principal as Blob | Target Canister Principal as Blob | Command Id as Nat as well as a clear and intentional text explaining the reason for the veto and why governance participants should adopt the veto.

4. Service Function Specifications

Please review ICRC7 - Generally-Applicable Specification for general details on batch update methods and batch query methods.

4.1. icrc137_get_command_info

Purpose:

Query the currently pending (and historical) command information for one or more canisters or command IDs. Allows applications or DAOs to inspect waiting upgrades and associated governance/veto data.

Function Signature:


icrc137_get_command_info: query (prev: ?Nat, take: ?Nat, filter: vec CommandInfoFilter) -> record{ vec opt CommandInfo; nat};

Parameters:

  • prev, take: For pagination

  • filter: Filter by id, canister, requester, or status

Returns:

  • CommandInfo records and a count of number of records

CommandInfoFilter Type


type CommandStatusFilter = variant {

pending;

executed;

canceled;

vetoed;

stopped;

any;

};

type CommandInfoFilter = variant {

by_id: Nat;

by_canister: Principal;

by_requestor: Principal;

by_status: CommandStatusFilter;

};

CommandInfo Type


type CommandInfo = record {

id: Nat;

request: CommandProposalRequest;

status: CommandStatus;

scheduled_for: Nat;

veto: opt VetoRequest;

cycles: opt nat;

best_effort_timeout: opt nat32;

created_at: Nat;

};

4.2. icrc137_get_emergency_stop_info

Purpose:

Query the currently pending (and historical) emergency stop information for one or more canisters or emergency stop IDs. Allows applications or DAOs to inspect waiting upgrades and associated governance/veto data.

Function Signature:


icrc137_get_emergency_stop_info: query (prev: ?Nat, take: ?Nat, filter: vec EmergencyStopInfoFilter) -> record{vec opt EmergencyStopInfo, nat};

Parameters:

  • prev, take: For pagination

  • filter: Filter by id, canister, requester, or status

Returns:

  • Vector of Optional EmergencyStopInfo records and the count of total records (see below)

CommandInfoFilter Type


type EmergencyStopStatus = variant {

pending;

active: nat;

resolved: nat;

expired: nat;

failed: text;

};

type EmergencyStopStatusFilter = variant {

pending;

active;

resolved;

expired;

failed;

any;

};

type EmergencyStopInfoFilter = variant {

by_id: Nat;

by_canister: Principal;

by_stopper: Principal;

by_status: EmergencyStopStatusFilter;

};

EmergencyStopInfo Type


type EmergencyStopInfo = record {

id: Nat;

canister: Principal;

stopper: Principal;

token: Principal;

amount: Nat;

escrow_subaccount: Blob;

requested_at: Nat;

stopped_at: opt Nat;

collateral_paid: Bool;

status: EmergencyStopStatus;

memo: opt Blob;

metadata: ICRC16Map;

penalty_deadline: Nat;

};

4.2. icrc137_get_veto_hash

Purpose:

Query the representational independent hash required for ICRC-137 veto motion proposals. This hash uniquely identifies a command for governance veto purposes and should be included in motion proposal text.

Function Signature:


icrc137_get_veto_hash: query (Nat) -> opt [Nat8];

Parameters:

  • command_id: The ID of the command to generate the veto hash for

Returns:

  • Optionally an array of Nat8 representing the hash, or null if command not found

Hash Format:

The hash is generated using Representational Independent Hashing of:

ICRC-137 Principal as Blob | Target Canister Principal as Blob | Command Id as Nat

This hash should be included in NNS motion proposal text to tie the veto to the specific ICRC-137 command.

4.3. icrc137_request_command

Purpose:

Admin requests a command (such as an upgrade) for a canister. The admin must have prior rights (not defined in this standard; refer to implementation).

Function Signature:


icrc137_request_command: ([CommandProposalRequest]) -> [CommandProposalResponse];

CommandProposalRequest Example:


type CommandProposalRequest = record {

memo: opt Blob;

canister: Principal;

method: Text;

method_args: opt Blob;

metadata: ICRC16Map;

scheduled_time: opt Nat;

requested_at: opt Nat;

};

Operation:

  1. Verify the requester is authorized by governance rules

  2. Apply deduplication (see below)

  3. Create a pending command record (status: pending)

  4. If duplicate or invalid, return relevant error variant

CommandProposalResponse Type:


variant {

Ok: Nat; // command id

Err: CommandProposalError;

}

4.4. icrc137_check_and_resolve_emergency_stops

Purpose:

Check and resolve all emergency stops that can be resolved for a given canister. This function allows those who have posted collateral deposits to manually resolve their emergency stops once the underlying issues have been addressed (e.g., after a successful upgrade). It also enables others to trigger resolution if stoppers fail to resolve within the penalty deadline, potentially burning their deposits.

Function Signature:


icrc137_check_and_resolve_emergency_stops: (resolvableCanisterId: Principal) -> [(Nat, Result<Nat, Text>)];

Parameters:

  • resolvableCanisterId: The Principal of the canister for which to check and resolve emergency stops

Returns:

  • Array of tuples containing:

  • Nat: Emergency stop ID that was processed

  • Result<Nat, Text>: Either the block number of the successful refund transaction (Ok) or an error message (Err)

Behavior:

  • Checks all active emergency stops for the specified canister

  • Attempts to resolve stops where the canister is now running (indicating successful remediation)

  • Processes collateral refunds for resolved stops

  • Returns results for each stop that was processed

  • Only processes stops that are eligible for resolution based on current canister status

4.5. icrc137_request_veto

Purpose:

Request a veto on a pending command, typically within a configured window. Payment (burn/deposit) may be required and is implementation-defined.

Function Signature:


icrc137_request_veto: ([VetoRequest]) -> [VetoResponse];

VetoRequest Example:


type VetoRequest = record {

motion_id: Nat;

governance_canister: Principal;

command_id: Nat;

metadata: ICRC16Map;

requested_at: opt Nat;

memo: opt Blob;

};

VetoResponse:


variant {

Ok: Nat; // command id

Err: VetoError;

}

Operation:

  1. Check if the veto request is within the veto window for the command

  2. Confirm with the governance canister that the motion exists, is of the correct topic, is open for voting, was created within the window and contains the proper format for a veto proposal.

  3. Enforce payment requirement (e.g., burn if veto fails)

  4. Register the veto and update status

  5. Deny if late, duplicate, invalid, or not found

4.6. icrc137_emergency_stop

Purpose:

Let an administrator halt a target canister. Service suggests a hefty deposit, only returned if the stop leads to a successful upgrade (final implementation left to instance policy).

Function Signature:


icrc137_emergency_stop: ([EmergencyStopRequest]) -> [EmergencyStopResponse];

Request/Response Types:


type EmergencyStopRequest = record {

canister: Principal;

memo: opt Blob;

metadata: ICRC16Map;

requested_at: opt Nat;

};

type EmergencyStopResponse = variant {

Ok: Nat;

Err: EmergencyStopError;

};

Metadata Management

This specification does not dictate how collateral for emergency stops should be managed. The implementor SHOULD provide a method for the stopper to recover their funds after a successful deployment and the system SHOULD burn the collateral if the stopper does not provide a fix in a timely manner.

4.7. icrc137_cancel_command

Purpose:

Cancel a pending command by id. Must be performed by an authorized administrator.

Function Signature:


icrc137_cancel_command: ([Nat]) -> [CancelCommandResponse];

CancelCommandResponse Example:


variant {

Ok: Nat;

Err: CancelCommandError;

}

4.8. icrc137_canister_metadata

Purpose:

Retrieve registry/governance metadata about a canister (such as governance canister, payment requirements, etc).

Function Signature:


icrc137_canister_metadata: query ([Principal]) -> [ICRC16Map];

Suggested Metadata Value:

  • icrc137_veto_fee_amount: Nat; - amount of the veto fee in the designated token

  • icrc137_veto_fee_ledger: Principal; - ledger of the designated token

  • icrc137_veto_fee_fee: Nat; - fee on transactions

  • icrc137_veto_fee_symbol: Text; - symbol of the designated token

  • icrc137_veto_fee_decimals: Nat; - decimals in the token

  • icrc137_veto_fee_account: Array[Blob, Blob]; - account the veto fee should be approved to using ICRC-2

  • icrc137_stop_fee_amount: Nat; - amount of the stop fee in the designated token

  • icrc137_stop_fee_ledger: Principal; - ledger of the designated token

  • icrc137_stop_fee_fee: Nat; - fee on transactions

  • icrc137_stop_fee_symbol: Text; - symbol of the designated token

  • icrc137_stop_fee_decimals: Nat; - number of decimals

  • icrc137_stop_fee_account: Array[Blob, Blob]; - account the stop fee should be approved to using ICRC-2

  • icrc137_default_veto_window: Nat; - default veto window (in nanoseconds) for commands that don’t have method-specific windows

  • icrc137_veto_window_{method}: Nat; - amount of time to wait for veto before a command with that method is run

Metadata Security

The specification does not define management functions for metadata, amounts, and specified tokens. The canister should limit any updates for these values to come from the managed canister as a security measure. By doing this management for the fees comes under the same work flow and must be at least silently approved by an upgrade being invoked without a veto.

5. Deduplication and Transaction Safety

To promote error recovery for agents (e.g., sudden disconnects), ICRC-137-compliant services SHOULD deduplicate incoming transactions within a fixed time window (TX_WINDOW, e.g., last 24 hours). Use memo and requested_at fields to detect/reject duplicates. Requests with explicit requested_at may be exempt from deduplication.

6. Recommendations, Security and Payments

  • Veto payments: Implementers are strongly advised to require a payment (which may be burned) to request a veto; this discourages spurious vetoes.

  • Emergency stop deposits: It is RECOMMENDED that emergency stop require a deposit only returned if a subsequent upgrade is successful.

  • Role-based controls: Rights for proposing commands, vetoing, or cancelling should be strictly enforced. The standard does not mandate a specific admin framework.

  • ICRC-120 Integration: For safe upgrades, it is recommended that ICRC-137 services rely on or invoke an ICRC-120-compatible orchestrator for actual module installs, rollbacks, and snapshotting.

  • Canister snapshot: Before an upgrade, orchestrators should snapshot the canister state to support reversion upon failure.

  • Chain of trust: Use of related standards like ICRC-121 (blocks), ICRC-105 (wasm chain), and ICRC-126 (wasm verification) is recommended but not required.

  • Security: Implementers should review security considerations outlined in ICRC-7 before deployment.

7. ICRC‑137 Block Schemas

Every block is an ICRC‑3 record with a header:

  • btype: the block type identifier

  • ts: timestamp of record creation

  • tx: a record carrying event‑specific fields

7.1. 137new_command

Purpose:

Records that a new command (e.g., upgrade/install) has been proposed and entered the pending window.

tx Fields:

  • requester: Blob

Principal initiating the command.

  • canister: Principal as Blob

Target canister of the command.

  • method: Text

Method name to be invoked (e.g., "upgrade", "install").

  • method_args: Optional Blob

Serialized arguments for the method.

  • scheduled_for: Nat

Epoch timestamp when the command is slated to execute.

  • metadata: ICRC16Map

Arbitrary governance settings or parameters.

  • memo: Optional Blob

Free‑form user memo.

  • requested_at: Optional Nat

Client‑provided or service‑assigned submission time.

Block Header:

  • btype: "137new\_command"

  • ts: Timestamp of proposal

7.2. 137command_cancel

Purpose:

Records cancellation of a pending command by an authorized party.

tx Fields:

  • canceller: Blob

Principal requesting cancellation.

  • command_id: Nat

Identifier of the command being canceled.

  • reason: Optional Text

Human‑readable reason for cancellation.

  • requested_at: OPtional Nat

Block Header:

  • btype: "137command_cancel"

  • ts: Timestamp of cancellation

7.3. 137veto_request

Purpose:

Logs that a veto motion has been filed against a pending command (with deposit logic handled separately).

tx Fields:

  • veto_requester: Blob

Principal filing the veto.

  • command_id: Nat

ID of the command under veto.

  • motion_id: Nat

Governance‑canister motion identifier.

  • governance_canister: Principal as Blob

Canister adjudicating the motion.

  • metadata: ICRC16Map

Veto‑specific metadata (e.g., fee parameters).

  • memo: Optional Blob

  • requested_at: Optional Nat

Block Header:

  • btype: "137veto_request"

  • ts: Timestamp of veto filing

7.4. 137command_executed

Purpose:

Marks that a pending command has successfully executed (post‑veto window).

tx Fields:

  • executor: Blob

Principal or system actor that ran the command.

  • command_id: Nat

  • canister: Principal as Blob

  • method: Text

  • result_hash: Optional Value

Post‑execution state or response.

  • requested_at: Optional Nat

Block Header:

  • btype: "137command_executed"

  • ts: Execution timestamp

7.5. 137command_vetoed

Purpose:

Indicates a command was vetoed (and any associated fee refund processed).

tx Fields:

  • veto_resolver: Blob

Governance canister or system actor confirming veto outcome.

  • command_id: Nat

  • veto_motion_id: Nat

  • veto_approve: Nat VP used to approve

  • veto_reject: Nat VP used to reject

  • fee_amount: Nat

Amount deposited for veto.

  • fee_refunded: Nat

Amount returned or burned (implementation‑defined).

  • timestamp: Nat

Block Header:

  • btype: "137command_vetoed"

  • ts: Timestamp of veto resolution

7.6. 137emergency_stop

Purpose:

Logs that an immediate halt request was issued against a canister.

tx Fields:

  • stop_requester: Principal as Blob

  • canister: Principal as Blob

  • deposit_amount: Nat

Deposit held pending outcome.

  • metadata: ICRC16Map

  • memo: Optional Blob

  • requested_at: Optional Nat

Block Header:

  • btype: "137emergency_stop"

  • ts: Timestamp of stop request

7.7. 137emergency_stop_refund

Purpose:

Records refund or burn of the emergency‑stop deposit after resolution.

tx Fields:

  • resolver: Principal as Blob

  • canister: Principal as Blob

  • stop_request_id: Nat

Links back to the original stop request (e.g., same command\_id space).

  • refund_amount: Nat

  • timestamp: Nat

Block Header:

  • btype: "137emergency_stop_refund"

  • ts: Timestamp of refund/burn processing

7.8. 137metadata_update

Purpose:

Captures any on‑chain update to governance or fee metadata for this service.

tx Fields:

  • updater: Principal as Blob

  • canister: Principal as Blob

  • changed_keys: Array

List of metadata keys modified.

  • new_values: Array

  • timestamp: Nat

Block Header:

  • btype: "137metadata_update"

  • ts: Timestamp of metadata change

8.0 Integrations

ICRC-10

An implementation of ICRC-137 Registry MUST also support the method icrc10_supported_standards (per ICRC-10), and include the following entries in its response:


record { name = "ICRC-10"; url = "https://github.com/dfinity/ICRC/ICRCs/ICRC-10"; }

record { name = "ICRC-137"; url = "https://github.com/dfinity/ICRC/ICRCs/ICRC-137"; }

8. References

9. Annotations

Reserved for future updates, configuration, and parameterization of timeouts, payment requirements, or extension fields.

6 Likes
3

ICDevs will be making a motion proposal to the NNS asking for voters to ratify a veto of our veto_lifeline canister to hash 4bd36cc937213607a8a7c6214e91cb19f9ae093fae3426f2b3012e69747cc9ae.

This is an experiment. We are asking voters to vote ACCEPT to test that the motion will block the upgrade via our ICRC-137 interface.

Proposal link - Please Accept for testing: Network Nervous System

The veto has been filed with the 137 canister and now we await the results.

6 Likes
4

Got it. Sounds like an interesting test. I’ll keep an eye on the results.

5

I voted to adopt. Out of interest, what text in the motion is used to identify it as a veto proposal by your upgrade system?

I gather the idea is that anyone in the future could submit a motion like this to block an upgrade that the’re unhappy with?