Bypassing Kiosk Rules

Hi, we have implemented an NFT collection with the Kiosk mode. While it offers great features for creators, I was thinking what would happen if you have 1 NFT per Kiosk (so, 10 NFTs = 10 Kiosks). You could transfer the KioskOwnerCap and bypass the Kiosk rules. This means that you would need kind of a KioskManager to manage the Kiosks (which would need to be supported by Wallets and Trading sites), but then you would be trading Kiosks with 1 NFT in it, without respecting and TransferPolicy rules. I’m not saying that this should be done, or is a security issue, I just want to ask, if my understanding of the kiosk is correct, that this could be done.

1 Like

Hey, thank you for the great question! Your intuition is correct, if there was a case where NFTs were placed in different Kiosks, then they could be traded together with Kiosks by sending KioskOwnerCap’s. However, there are ways to address it!


Original design of Kiosk did not imply a specific storage / ownership model and was built for maximum compatibility with whatever the client needs to implement. The biggest case at the time was OriginByte NFT protocol which took the KioskOwnerCap from user and implemented a custom authorization scheme based on address instead of capability. Another use cases that we saw coming were: Kiosk owned by an organization / DAO, Marketplace that owns Kiosks and so on.


At Mysten, we addressed it with “PersonalKiosk” Kiosk extension which makes the Kiosk soulbound (wraps the KioskOwnerCap into a non-transferable, key-only object). To enforce this extension on collections there’s a “personal_kiosk_rule” which guarantees that the buyer of the NFT has turned their Kiosk into a PersonalKiosk. The extension and rule are being actively adopted by marketplaces, and will very soon become a standard way of initializing and using Kiosks.

Tooling & links

The extension and the matching rule are part of the Mysten Kiosk package:

They’re already integrated into the Kiosk Client SDK, so the apps utilizing the SDK get this support for Kiosk creation and usage + rule resolution out of the box.

1 Like

Thx for this insightful answer, now I think I fully grasp many aspects and technical details of the kiosk use-cases.

1 Like

I don’t understand the problem here, a Kiosk is an user’s own personal shop, whoever owns the owner cap, owns the right of managing the kiosk. Why would an owner bypass rules he made himself ? The point being anyone can take from a Kiosk as long as he respect the rules

1 Like

The rules are made by the creator of an NFT, and any kiosk where this NFT is in should respect this rule. So, its not about bypassing your rules, but about bypassing the rules of the NFT creator.

1 Like

Oh my bad, I might have missread the Kiosk concept, so actually anyone can list anything in any Kiosk as long as they respect the transferPolicy set by the kiosk owner ?

I thought of it like anyone creating a Kiosk is a merchant and put whatever he wants inside while being the only one having the right to do that. Anyone can take from the kiosk if he respects the rules (like paying the price of the nft to get it)

So with the first concept described yeah if you wrap the nft and then transfer the “key” of the wrapper then it totally bypasses the rules…

“so actually anyone can list anything in any Kiosk as long as they respect the transferPolicy set by the kiosk owner?” → Yes, but technically you even can list the NFT without respecting the rules, but then no one can purchase/transfer this NFT, as you need to prove that you respect the rules, which you did not.

“Anyone can take from the kiosk if he respects the rules” → Only if the NFT is locked in the kiosk, otherwise you can. You cannot take the NFT out if the NFT is locked in the Kiosk and you have a lock transfer policy rule, it remains forever in a kiosk. But it still can be transferred from one kiosk to another kiosk, but you cannot take the NFT out of the kiosk. Since TransferRules are enforced by the kiosk, and the NFT is always in some kiosk, then the rules can be always enforced.

But yes, you could transfer the KioskOwnerCap and bypass unless you use the PersonalKiosk.

There are a lots of details in the kiosk idea, and I only got full picture by looking at the implementation of the kiosk.

1 Like