A privacy architecture review is a structured assessment of a system's design to ensure it correctly implements privacy properties like confidentiality, anonymity, and data minimization. Unlike a security audit that focuses on code-level vulnerabilities, this review analyzes the system's blueprint—its data flows, trust models, cryptographic primitives, and access controls. For Web3 applications handling sensitive data such as wallet balances, transaction histories, or identity attributes, a flawed architecture can lead to irreversible privacy leaks, even if the individual smart contracts are bug-free. The goal is to identify design flaws before development begins, saving significant time and resources.
LABS
Guides
How to Review Privacy Architecture Designs
A step-by-step guide for developers and auditors to systematically evaluate the security and correctness of privacy-preserving systems in Web3, from threat modeling to cryptographic proofs.
Chainscore © 2026
introduction
SECURITY PRACTICE
Introduction to Privacy Architecture Reviews
A systematic methodology for evaluating the design and implementation of privacy-preserving systems in Web3 applications.
The review process typically starts by defining the privacy goals and threat model. What data must remain confidential? Who are the potential adversaries (e.g., other users, network observers, the application itself)? For a decentralized application (dApp) using zero-knowledge proofs (ZKPs), the goal might be to prove eligibility for a loan without revealing income. The threat model would specify if the prover, verifier, or blockchain is considered trusted or malicious. This foundational step frames the entire review, ensuring the analysis targets the correct risks and evaluates the architecture against realistic attacks.
Next, reviewers map the data lifecycle within the system. This involves tracing how sensitive information (inputs, intermediate states, outputs) is created, processed, stored, and eventually destroyed. For instance, in a privacy-preserving voting dApp, you would examine: where voter identities are submitted, how votes are encrypted or committed to, where tallying occurs (on-chain vs. off-chain), and how final results are revealed. Key questions include: Is plaintext data ever exposed to unintended parties? Are cryptographic keys managed securely? Does data persist longer than necessary? Visualizing these flows often reveals unintended data leakage points.
The core of the review is analyzing the cryptographic components and trust assumptions. You must verify that the chosen primitives—such as zk-SNARKs (e.g., Groth16), zk-STARKs, or secure multi-party computation (MPC)—are appropriate for the stated goals. A common pitfall is using a proving system that requires a trusted setup for a scenario demanding long-term, upgradeable trustlessness. Reviewers assess the robustness of randomness generation, the security of parameter generation ceremonies, and the implementation of standard cryptographic libraries. The trust model must be explicitly documented and minimized; any required trusted party becomes a central point of failure.
Finally, the review produces actionable findings and recommendations. These are categorized by severity (e.g., Critical, High, Medium) and include concrete steps for mitigation. A critical finding might be a design that leaks user input data to a centralized server controlled by the dApp developers. The recommendation could be to redesign the flow using client-side encryption or a decentralized oracle network. The output is a report that empowers developers to build with privacy by design, ensuring user data is protected by the system's architecture, not just by policy or promise.
prerequisites
FUNDAMENTAL CONCEPTS
Prerequisites for Reviewing Privacy Systems
Before analyzing the security of privacy-enhancing technologies, you must establish a foundation in cryptography, system design, and threat modeling. This guide outlines the core knowledge required to conduct a meaningful review.
Effective privacy architecture review begins with a strong grasp of cryptographic primitives. You must understand the properties and limitations of zero-knowledge proofs (ZKPs), secure multi-party computation (MPC), and homomorphic encryption. For instance, know the difference between a zk-SNARK (like Groth16) and a zk-STARK, including their trade-offs in proof size, verification speed, and trusted setup requirements. Familiarity with elliptic curve cryptography (e.g., BN254, BLS12-381) and hash functions (Poseidon, SHA-256) is essential for evaluating the underlying math.
Next, you need to model the system's trust assumptions and threat vectors. Map out the trusted execution environment (TEE) boundaries, identify potential malicious actors (users, validators, relayers), and define the privacy guarantees (e.g., transaction amount secrecy, sender-receiver unlinkability). A common flaw is failing to consider data availability attacks where privacy is broken if sequencers withhold specific transaction data. Review the system's resilience against network-level attacks like timing analysis or traffic pattern recognition.
Understanding the system's architecture is critical. Diagram the data flow: where is plaintext data processed, where are cryptographic operations performed, and where are keys managed? Scrutinize the integration points between components, such as how a ZK rollup's prover interacts with its on-chain verifier contract. Look for implementation bugs in circuit logic, like those that could allow a prover to submit a valid proof for an invalid state transition in a zkEVM like Scroll or zkSync.
You must also be proficient in reading and auditing code in the relevant languages. Privacy systems are often implemented in Rust (for TEEs like Intel SGX), C++ (for performance-critical cryptography), and Solidity (for on-chain verifiers). Examine how randomness is generated for cryptographic operations, ensuring it's not predictable. Check for side-channel vulnerabilities in implementations, such as timing attacks in a multi-party computation protocol or gas-griefing vectors in a verifier contract.
Finally, stay current with academic research and real-world exploits. Follow publications from conferences like IEEE S&P and USENIX Security. Study past incidents, such as the Tornado Cash anonymity set analysis or the Zcash trusted setup ceremony compromise. Use tools like circom for ZK circuit testing and Manticore or Slither for smart contract analysis. Your review is only as strong as your understanding of both the theory and the practical attack landscape.
review-framework
SECURITY AUDIT
A 5-Step Framework for Privacy Reviews
A systematic methodology for evaluating the privacy guarantees of blockchain protocols, smart contracts, and decentralized applications.
Privacy in Web3 is not a binary feature but a spectrum of guarantees. A privacy review systematically evaluates a system's architecture against its stated privacy goals, such as transaction confidentiality, identity obfuscation, or data minimization. This process is distinct from a general security audit; it focuses on how information flows, who can access it, and what can be inferred. Common pitfalls include data leakage through public metadata, on-chain correlation of addresses, and reliance on centralized components that become single points of failure for user anonymity.
Step 1: Define the Privacy Model and Adversary
First, explicitly state the system's intended privacy guarantees. Is it aiming for unlinkability (transactions cannot be linked to each other), anonymity (identity is hidden within a set), or confidentiality (data is encrypted)? Next, define the adversary's capabilities. Are they a passive network observer, an active participant in the protocol, or a malicious validator? For example, reviewing a zkRollup requires considering a different adversary (potentially a malicious sequencer or prover) than reviewing a coin mixing protocol (where the adversary may control several nodes in the anonymity set).
Step 2: Map Data Flows and Trust Boundaries
Diagram every piece of data—inputs, outputs, internal states, and logs—from user entry to final on-chain settlement. Identify all trust boundaries: where does data move from a user's local client to a relayer, an off-chain prover, a mempool, or a smart contract? For each boundary, ask: what data is visible, to whom, and in what form? A common finding is that IP addresses or wallet metadata leaked to centralized RPC providers or indexers can deanonymize users, even if the on-chain transaction uses a stealth address.
Step 3: Analyze Cryptographic Primitives and Assumptions
Scrutinize the specific cryptographic components. If using zk-SNARKs, verify the trusted setup ceremony and the soundness of the circuit logic. For commitment schemes or verifiable encryption, confirm the hiding and binding properties hold. A critical review question is: what happens if the cryptographic assumption is broken? Does the system gracefully fail, or does it catastrophically leak all historical data? Relying on a novel, unaudited cryptographic library is a significant red flag.
Step 4: Evaluate Systemic and Economic Leakage
Privacy can be compromised by system design, not just cryptography. Analyze anonymity set size and how it's formed—is it sufficiently large and unpredictable? Examine timing attacks: can an adversary correlate transaction submission time with network activity? Assess cost and fee analysis: do unique fee amounts or gas usage patterns fingerprint users? In DeFi, simply interacting with a private pool on a public DEX like Uniswap can leak information through the public mempool before the private execution layer processes it.
Step 5: Test with Threat Modeling and Tooling
Finally, actively probe the system. Use differential privacy analysis tools to measure information leakage. For smart contracts, employ static analyzers like Mythril or Slither with custom detectors for privacy-specific patterns, such as emitting events with sensitive data. Conduct a simulation with a controlled set of test accounts to trace data linkage. The goal is to empirically validate—or invalidate—the privacy model defined in Step 1. Document all findings with clear severity levels and actionable remediation steps for developers.
key-concepts
PRIVACY ARCHITECTURE
Core Cryptographic Concepts to Audit
Auditing privacy systems requires deep cryptographic expertise. This guide covers the essential primitives, their implementation risks, and how to evaluate them in protocols like zkRollups and mixers.
ARCHITECTURE ANALYSIS
Privacy Threat Model Comparison
Comparison of threat model assumptions and mitigations across common privacy design patterns.
| Threat Vector | ZK-Rollup (e.g., zkSync) | Mixer (e.g., Tornado Cash) | FHE Application (e.g., Fhenix) |
|---|---|---|---|
On-Chain Data Leakage | |||
Linkability of Deposits/Withdrawals | |||
Trusted Setup Requirement | |||
Prover Centralization Risk | Medium | N/A | High |
Withdrawal Censorship Resistance | High (via forced inclusion) | Low (relayer dependent) | Protocol Dependent |
Anonymity Set Size | All chain users | Pool participants only | Application users only |
Privacy for Smart Contract Logic | |||
Gas Cost for Privacy | $0.50 - $5.00 | $20 - $100+ | $5 - $50+ |
zk-circuit-audit
PRIVACY ARCHITECTURE
Auditing ZK-SNARK Circuits: A Practical Guide
A systematic approach to reviewing the security and correctness of zero-knowledge proof systems used in private applications.
Auditing a ZK-SNARK circuit requires a dual-focus approach: verifying the mathematical soundness of the proving system and the logical correctness of the circuit's constraints. The audit begins with the circuit description, typically written in a domain-specific language like Circom, ZoKrates, or Cairo. Reviewers must ensure the constraints accurately encode the intended computation and that there are no hidden inputs or unintended degrees of freedom. A common pitfall is the misuse of public and private signals, where a value intended to be private is incorrectly declared as public, leaking information.
The next critical phase is analyzing the underlying cryptographic trusted setup. For Groth16 and other SNARKs requiring a powers-of-tau ceremony, you must verify the setup was performed correctly and that the toxic waste was securely discarded. For universal setups (like in Plonk), the focus shifts to ensuring the verifier correctly validates the structured reference string. Any flaw here compromises the entire system's security. Tools like the snarkjs powersoftau subcommands can be used to verify setup contributions.
A deep review of the constraint system is essential. Look for constraints that are under-constrained, allowing a prover to submit invalid proofs that still verify. Conversely, over-constrained systems can be correct but inefficient. Use formal verification tools specific to the DSL, such as Circomspect for Circom circuits, to automatically detect common vulnerabilities like under-constrained signals, unused signals, and degree mismatches. Manually trace through arithmetic operations to check for overflow/underflow, especially in non-native field arithmetic.
Finally, integrate the circuit audit with the application layer. Review how the verifier smart contract (e.g., a Solidity Verifier.sol) imports and uses the verification key. Check for correct handling of public inputs and that the contract's logic properly enforces the business rules implied by the proof. The ultimate test is a differential fuzzing campaign, comparing the output of the native circuit with a clear-text implementation for thousands of random inputs to uncover logical discrepancies.
SECURITY REVIEW
Common Privacy Architecture Vulnerabilities
Privacy-focused systems like zk-rollups, mixers, and private L2s introduce unique attack vectors. This guide covers critical vulnerabilities to audit for during design reviews.
A trusted setup is a one-time ceremony where a set of secret parameters are generated to initialize a cryptographic system, such as a zk-SNARK circuit. If these parameters are compromised, an attacker could generate fraudulent proofs.
Key Risks:
- Single Point of Failure: The original ceremony participants ("trusted parties") must destroy their secret shares. If they collude or are compromised, the entire system's security fails.
- Long-Term Risk: A system like Groth16 requires a circuit-specific setup. If the vulnerability is exploited, all proofs generated after the setup become untrustworthy, potentially requiring a costly system migration.
- Mitigation: Modern systems use MPC ceremonies (e.g., Perpetual Powers of Tau) or transition to transparent proof systems like STARKs, which require no trusted setup.
audit-tools
PRIVACY ENGINEERING
Essential Tools for Privacy Audits
Reviewing privacy architecture requires specialized tools to analyze cryptographic implementations, data flows, and on-chain footprints. This guide covers the essential tooling for developers and auditors.
ARCHITECTURE COMPARISON
Technical Specifications of Major Privacy Protocols
Key cryptographic and architectural differences between leading privacy-enhancing protocols.
| Feature / Metric | Tornado Cash | Aztec Protocol | Zcash |
|---|---|---|---|
Core Privacy Technology | zk-SNARKs (Groth16) | zk-SNARKs (Plonk) + Private Rollup | zk-SNARKs (Halo 2) |
Privacy Model | Full Anonymity Set | Private State + Public Verification | Shielded (z-addr) & Transparent (t-addr) |
Transaction Finality | ~5 min (Ethereum L1) | < 1 sec (L2 Rollup) | ~75 sec (Zcash Mainnet) |
Trusted Setup Required | |||
Recursive Proof Support | |||
Programmability | Fixed Logic (Deposit/Withdraw) | Full Smart Contract Privacy | Limited Script (Zcash Sapling) |
Approx. Withdrawal Gas Cost | ~450k gas | ~25k gas (L2) | N/A (Native Chain) |
Native Multi-Asset Support |
PRIVACY ARCHITECTURE
Frequently Asked Questions on Privacy Reviews
Common questions and technical clarifications for developers and architects designing privacy-preserving systems in Web3.
In blockchain design, privacy and confidentiality are related but distinct concepts. Privacy refers to the ability of users to control their personal data and transaction footprint, preventing on-chain activity from being linked to their real-world identity. Confidentiality is a subset of privacy focused on keeping the content of a transaction secret from unauthorized parties, while potentially revealing metadata.
For example, a private transaction on Monero uses ring signatures and stealth addresses to provide both privacy (obscuring sender/receiver) and confidentiality (obscuring amount). In contrast, a zero-knowledge rollup like Aztec provides confidentiality for transaction amounts and participants, but the proof verification is public on the base layer, revealing some system-level metadata. Understanding this distinction is crucial for selecting the right cryptographic primitive for your application's threat model.
resource-links
REFERENCE MATERIAL
Further Reading and Resources
These resources help developers and auditors review privacy architecture designs at the threat, protocol, and implementation level. Each card focuses on a specific review dimension with concrete documents and methods you can apply directly.
conclusion
PRIVACY REVIEW
Conclusion and Next Steps
A systematic review of privacy architecture is essential for building secure and compliant applications. This guide outlines the final steps to solidify your assessment and plan for ongoing improvements.
A thorough privacy architecture review culminates in a clear, actionable report. This document should summarize your findings, categorizing issues by severity (e.g., critical, high, medium) and linking them directly to the specific components of your system diagram. For each finding, provide a concrete recommendation, such as "Replace the current commit-reveal scheme for auctions with a zk-SNARK-based solution like Semaphore to hide bid amounts" or "Implement a secure multi-party computation (MPC) protocol for the key generation ceremony to eliminate single points of failure." This report becomes the blueprint for your remediation roadmap.
The next step is to integrate privacy into your development lifecycle. Establish privacy gates in your CI/CD pipeline using tools like ganache for local testing with private transactions or hardhat-ignition for managing private state deployments. Consider adopting a privacy-by-design framework, such as conducting a Data Protection Impact Assessment (DPIA) for features handling sensitive user data. For on-chain components, formal verification of critical zkCircuit logic with tools like Circom and snarkjs can provide mathematical guarantees of correctness, moving beyond manual review.
Finally, stay informed on the evolving landscape. Privacy is a rapidly advancing field. Monitor updates to foundational protocols like Aztec, Zcash, and Tornado Cash (for technical insights, not sanctioned use). Engage with the research from teams like Ethereum Foundation's Privacy & Scaling Explorations (PSE) and 0xPARC. The goal is not a one-time audit but fostering a culture of continuous privacy awareness, ensuring your architecture remains resilient against both current threats and future advancements in cryptanalysis.