Mempools are public ledgers. Every pending transaction, including its sender, recipient, and amount, broadcasts to the entire network before confirmation. This transparency creates a front-running attack surface for MEV bots and arbitrageurs.
e-commerce-and-crypto-payments-future
Blog
Why Submarine Sends and Covert Channels Are Essential Tools
A technical analysis of mempool privacy techniques like submarine sends, explaining why hiding transaction intent is a practical necessity for secure, MEV-resistant e-commerce and crypto payments.
introduction
THE REALITY
The Mempool is a Public Auction House, Not a Queue
Blockchain mempools are transparent, competitive bidding environments where transaction privacy is impossible without specialized tools.
Submarine sends are essential. Protocols like Tornado Cash and Railgun use zero-knowledge proofs to break the on-chain link between deposit and withdrawal. This is the only way to obscure transaction intent before it hits the public auction.
Covert channels hide execution. Systems like Ethereum's EIP-4337 bundles or Flashbots SUAVE allow users to submit transactions directly to block builders. This bypasses the public mempool, preventing sandwich attacks and information leakage.
Evidence: Over $1.2B in value has been extracted via MEV on Ethereum alone, a direct result of public mempool snooping. Protocols without these privacy tools leak alpha to the highest bidder.
key-trends
WHY PRIVACY IS INFRASTRUCTURE
The MEV Threat Matrix for Payments
In public mempools, every payment is a broadcasted target for front-running, sandwiching, and censorship. Covert execution is no longer a luxury; it's a requirement for secure value transfer.
01
The Problem: Front-Running as a Tax on Every Swap
Public intent broadcast allows bots to insert their own transactions ahead of yours, stealing price improvements. This is a direct, measurable cost extracted from users on every DEX trade.
- Cost: Routinely 5-30+ bps per swap, scaling with size.
- Scope: Affects Uniswap, Curve, Balancer, and all on-chain AMMs.
- Result: Users systematically receive worse prices than the public state suggests.
5-30+ bps
Slippage Tax
100%
Of Public Txs
02
The Solution: Submarine Sends (Private Mem Pools)
Transactions are encrypted and sent directly to trusted builders/validators, bypassing the public mempool entirely. This is the foundational privacy primitive for payments.
- Mechanism: Used by Taichi Network, Flashbots Protect, bloXroute Private Txns.
- Benefit: Eliminates front-running and sandwich attacks for simple transfers and swaps.
- Limitation: Relies on trust in the relay not to censor or exploit the transaction itself.
~0 bps
MEV Extracted
Trusted
Relay Model
03
The Problem: Censorship & Extractable Order Flow
Even private transactions reveal metadata (sender, recipient, approximate value) to relays and block builders, creating new centralization risks and potential for off-chain deal-making.
- Risk: Relays can censor transactions or auction off the right to include them.
- Entity Risk: Creates kingmaker power for entities like Flashbots, bloXroute.
- Outcome: Privacy is not complete; economic security is delegated.
1-3 Entities
Hold Power
Metadata
Exposed
04
The Solution: Covert Channels & Oblivious RAM
Advanced cryptographic schemes that hide transaction metadata from everyone, including the block builder. The ultimate goal for payment privacy.
- Technology: zk-SNARKs (e.g., Tornado Cash), Oblivious RAM designs, FHE-based L2s.
- Benefit: True sender/receiver/amount privacy, breaking the linkability chain.
- State: Computationally heavy today, but active R&D in projects like Aztec, Fhenix, Penumbra.
Full
Anonymity Set
High
Compute Cost
05
The Problem: Cross-Chain MEV & Bridge Extortion
Bridging assets reveals intent across chains. Bots can front-run the deposit on the destination chain or perform liability attacks, making bridging risky and expensive.
- Attack Vector: Seen in native bridges and some third-party bridges.
- Consequence: Increases cost and latency for LayerZero, Axelar, Wormhole messages.
- Scale: A multi-billion dollar attack surface as interoperability grows.
$B+
Attack Surface
2-Chain
Attack Scope
06
The Solution: Intent-Based Bridges & Secure Auctions
Users submit a desired outcome (e.g., "swap 1 ETH for USDC on Arbitrum") rather than a specific transaction path. Solvers compete privately to fulfill it best.
- Protocols: Across, CowSwap, UniswapX use this model.
- Benefit: Hides execution path, creates competition among solvers, and often results in better prices.
- Future: The paradigm shift from transaction broadcasting to declarative finance.
Improved
Price Execution
Path Hidden
From Bots
deep-dive
THE MECHANICS
First Principles of Transaction Obfuscation
Submarine sends and covert channels are not privacy features; they are fundamental tools for managing on-chain state and information leakage.
Submarine sends break atomicity. They separate the commitment from the final settlement, hiding the link between a user's initial action and the final outcome. This prevents front-running by obfuscating intent before execution, a technique pioneered by protocols like UniswapX for MEV protection.
Covert channels exploit metadata. They embed information in non-critical transaction fields, like gas price or calldata padding, creating a side-channel. This allows for off-chain coordination without bloating the canonical state, a method used by Flashbots' SUAVE for block building.
The core value is state management. These techniques reduce the public data footprint of complex interactions. Instead of broadcasting every step, protocols like Across use optimistic verification to settle intents with minimal, final on-chain proof.
Evidence: Tornado Cash's shutdown proved that explicit privacy is a target. Submarine sends and covert channels provide plausible deniability by leveraging existing protocol mechanics, making them more resilient to regulatory scrutiny than dedicated mixers.
PRIVACY INFRASTRUCTURE
Stealth Payment Techniques: A Builder's Comparison
A technical comparison of on-chain privacy mechanisms for concealing transaction amounts, participants, and intent.
| Feature / Metric | Submarine Sends (e.g., Tornado Cash) | Covert Channels (e.g., Railgun, Aztec) | Stealth Addresses (e.g., Zcash, Monero) |
|---|---|---|---|
Core Privacy Guarantee | Breaks on-chain link between deposit & withdrawal | Private state execution via ZKPs; hides all tx details | One-time addresses hide recipient; sender link remains |
Anonymity Set Size | Pool-based (e.g., 10 ETH pool) | Application-specific (per shielded pool) | Per-transaction (theoretically infinite) |
Gas Overhead (vs. public tx) | ~200k gas (2 deposits/withdrawals) | ~500k - 1M+ gas (ZK proof generation) | ~1.5x base tx cost (cryptographic ops) |
Supports Programmable Logic | |||
Native Cross-Chain Support | |||
Typical Withdrawal Delay | ~30 min (for safety) | < 1 sec (trustless, instant) | < 1 sec |
Primary Use Case | Breaking financial linkability for simple assets | Private DeFi (swaps, lending) & complex logic | P2P payments with recipient privacy |
Regulatory Friction (OFAC) | High (sanctioned mixer) | Medium (application-level privacy) | High (privacy-focused L1) |
counter-argument
THE PRAGMATIC REALITY
The Transparency Purist Argument (And Why It's Wrong)
Absolute on-chain transparency creates systemic risks that submarine sends and covert channels are engineered to mitigate.
Transparency creates front-running surfaces. Every public mempool transaction is a signal for MEV extraction. Protocols like Flashbots Protect and CoW Swap exist because naive transparency is a vulnerability, not a feature.
Privacy is a scaling primitive. Covert channels reduce on-chain footprint. A submarine send via Tornado Cash or an Aztec zk-rollup bundles actions, compressing data and lowering fees for end-users.
Institutional adoption requires discretion. A public ledger of corporate treasury movements or OTC deals is untenable. Off-chain intent settlement via SUAVE or Across's encrypted mempool enables professional activity without leaking strategy.
Evidence: The Ethereum mempool processes over 1.5 million pending transactions daily, a vast attack surface that pure transparency advocates ignore. Privacy tools are essential armor.
takeaways
PRIVACY & EFFICIENCY PRIMITIVES
TL;DR for Protocol Architects
Submarine sends and covert channels are not just privacy tools; they are essential infrastructure for mitigating MEV, reducing costs, and enabling new cross-chain patterns.
01
The Problem: Front-Running as a Tax on Every Swap
Public mempools expose user intent, allowing searchers to extract ~$1B+ annually in MEV. This is a direct tax on Uniswap, Curve, and Aave users, creating a toxic, adversarial environment for execution.
- Cost: Adds 5-50+ bps to every transaction.
- Risk: Enables sandwich attacks and time-bandit exploits.
- Inefficiency: Forces protocols to build complex workarounds like CowSwap's batch auctions.
~$1B+
Annual Extract
5-50+ bps
Cost Per TX
02
The Solution: Submarine Sends (e.g., Taiko, Aztec)
Commit to a transaction off-chain, then 'surface' it directly to a block builder, bypassing the public mempool entirely. This is the core mechanism behind intent-based systems like UniswapX.
- MEV Resistance: Transaction is only visible upon inclusion, negating front-running.
- Cost Certainty: User signs with a maximum cost, preventing last-second fee spikes.
- Builder Integration: Direct integration with Flashbots SUAVE or private RPCs like BloxRoute.
~0 bps
MEV Leakage
Guaranteed
Max Cost
03
The Problem: Cross-Chain is a Privacy Nightmare
Bridging assets via canonical bridges like Wormhole or LayerZero creates a permanent, public link between all your addresses across chains. This enables chain analysis firms to trivially map entire user portfolios and behaviors.
- Data Leak: Source chain, destination chain, amount, and timestamp are all public.
- Protocol Risk: Forces privacy-focused dApps to avoid major liquidity pools.
- User Experience: Kills anonymity sets for protocols like Tornado Cash.
100%
Traceable
Multi-Chain
Exposure
04
The Solution: Covert Channels (e.g., Chainflip, Railgun)
Use a shared liquidity pool or a private settlement layer to break the on-chain link between source and destination transactions. This is critical for privacy-preserving bridges and cross-chain DeFi.
- Link Breaking: Deposit and withdrawal are cryptographically unlinked on public chains.
- Liquidity Efficiency: Uses a shared pool, similar to Across's single-sided liquidity model.
- Composability: Enables private cross-chain swaps, lending, and derivatives.
0
Public Link
Pool-Based
Efficiency
05
The Problem: Censorship-Resistance is Fragile
Relayers, sequencers, and even validators can censor transactions based on origin, destination, or content. This centralizes power and violates the credibly neutral base layer promise of Ethereum and other L1s.
- Single Point of Failure: Relayer-dependent bridges (e.g., some Hyperlane configs) can block TXs.
- Regulatory Risk: OFAC-compliant blockspace threatens DeFi's global access.
- Protocol Risk: dApps can be deplatformed from critical infrastructure.
Centralized
Chokepoint
High
Sovereignty Risk
06
The Solution: Decentralized Covert Networks
Distribute the submission or relaying role across a permissionless set of operators, making censorship economically non-viable. This aligns with the security models of EigenLayer and DVT-based validator sets.
- Anti-Censorship: Requires collusion of a large, anonymous operator set.
- Credible Neutrality: Infrastructure cannot discriminate based on transaction content.
- Robustness: Eliminates single points of failure in the transaction supply chain.
Permissionless
Operators
Collusion-Resistant
Design
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall