A submarine sending strategy is a cryptographic technique that breaks the direct, on-chain link between a transaction's sender and its ultimate recipient. Unlike a standard transfer, where Alice -> Bob is permanently recorded, a submarine send uses a commit-reveal scheme or a trusted relayer to create a time-delayed or indirect path. This method enhances privacy by preventing blockchain analysts from trivially mapping financial relationships, which is a significant concern for businesses and individuals operating on transparent ledgers like Ethereum or Bitcoin.
LABS
Guides
How to Implement a Submarine Sending Strategy
A technical guide for developers on implementing submarine sends to conceal transaction intent and protect against MEV. Includes code examples and protocol comparisons.
Chainscore © 2026
introduction
PRIVACY TECHNIQUE
How to Implement a Submarine Sending Strategy
A guide to implementing submarine sends, a privacy-preserving method for transferring assets on public blockchains by obfuscating the link between sender and recipient.
The core mechanism involves two main phases: the commit and the reveal. In the commit phase, the sender cryptographically commits to a secret (like a preimage of a hash) and a recipient address, often by publishing only a hash of this data to the chain. Funds are locked in a smart contract or a specific output conditional on revealing the secret. In the reveal phase, which can be executed by the sender, the recipient, or a third party, the secret is published on-chain, proving the right to claim the funds and completing the transfer. This decouples the funding transaction from the claiming transaction.
To implement a basic version, you can use a hash time-locked contract (HTLC). The sender deploys or interacts with a contract that holds funds, locked with a hash H = hash(secret, recipientAddress). Only an address that can submit the correct secret and recipientAddress that hash to H can claim the funds after a specified time lock expires. Here's a simplified Solidity snippet for a commit:
soliditybytes32 public commitmentHash = keccak256(abi.encodePacked(_secret, _recipient)); // ... lock funds conditional on revealing preimage to commitmentHash
The recipient (or a relayer) would later call a revealAndClaim(bytes32 _secret, address _recipient) function to withdraw.
Practical implementations often use relayers to improve usability and privacy. A relayer is a service that monitors the blockchain for commit transactions and automatically submits the reveal transaction on behalf of the recipient, paying the gas fee. This allows the recipient to receive assets without needing gas tokens (gasless) and further obfuscates the link, as the reveal transaction originates from the relayer's address. Protocols like Tornado Cash use a variant of this model with zero-knowledge proofs, while simpler ERC-20 submarine send services use trusted relay networks.
When designing a submarine send system, key considerations include security (ensuring the time lock is long enough for the recipient to act but short enough to refund the sender), cost (gas fees for two transactions and potential relayer fees), and trust assumptions. Using a decentralized relayer network or a non-custodial smart contract minimizes trust. Always audit the contract logic for edge cases, such as front-running the reveal transaction or hash collision vulnerabilities, to prevent fund loss.
prerequisites
FUNDAMENTALS
Prerequisites
Before implementing a submarine sending strategy, you need a solid foundation in core blockchain concepts and development tools.
A submarine sending strategy is a privacy technique that allows a user to send tokens to a recipient without publicly revealing the transaction link on-chain until a later reveal phase. To build one, you must first understand the underlying primitives. This includes a working knowledge of smart contracts on Ethereum or other EVM-compatible chains, as they form the execution layer. You should be comfortable with Solidity or Vyper for writing the contracts that will lock, commit, and reveal the funds. Familiarity with cryptographic concepts like hash functions (e.g., keccak256) and commitment schemes is essential, as they are used to create the secret pre-image that controls the transaction.
Your development environment is critical. You will need Node.js and npm/yarn installed to manage dependencies. A framework like Hardhat or Foundry is recommended for writing, testing, and deploying your contracts. These tools provide local blockchain networks (e.g., Hardhat Network) for rapid iteration. You'll also need access to a Web3 library such as ethers.js or web3.js to interact with your contracts from a front-end application or script. Setting up a wallet with test ETH on a network like Sepolia or Goerli is necessary for deployment and testing.
Understanding the transaction lifecycle is key. A standard submarine send involves two main phases executed via smart contract functions. First, the commit phase, where the sender deposits funds and submits a hash of a secret. Second, the reveal phase, where the recipient (or sender) provides the original secret to claim the funds. You must design your contract to securely handle the timing between these phases, often using block numbers or timestamps to enforce a reveal window. Consider edge cases like failed reveals and fund recovery mechanisms.
Security considerations are paramount. Since funds are locked in a contract, you must rigorously audit the logic for vulnerabilities. Common risks include hash collision weaknesses, front-running during the reveal, and improper access controls. Using established libraries like OpenZeppelin Contracts for ownership (Ownable) and reentrancy guards (ReentrancyGuard) is a best practice. You should also plan for gas optimization, as both the commit and reveal transactions will incur costs, which may be borne by different parties.
Finally, consider the user experience. A functional front-end is needed to guide users through the commit and reveal process. This typically involves a web app built with a framework like React or Vue, integrated with a wallet connector such as MetaMask. The app must generate cryptographically secure secrets, create the corresponding hashes, and call the correct contract functions. Testing the entire flow end-to-end on a testnet is a non-negotiable final step before considering a mainnet deployment.
key-concepts-text
CROSS-CHAIN STRATEGY
How Submarine Sending Works
A submarine sending strategy is a cross-chain technique that uses a liquidity pool on the destination chain to provide instant, low-cost asset transfers, bypassing traditional bridge mint/burn cycles.
Submarine sending, also known as a liquidity bridge or atomic swap pool, enables users to transfer assets between chains without waiting for block confirmations on a canonical bridge. Instead of locking and minting tokens, the system uses a pre-funded liquidity pool on the target chain. When a user initiates a transfer, the pool immediately releases the desired asset, and a relayer or a smart contract later reconciles the transaction by depositing the original asset into a corresponding pool on the source chain. This creates a near-instant user experience similar to a centralized exchange withdrawal.
The core mechanism relies on a liquidity pool and a messaging layer. Popular implementations include SocketDL's Liquidity Layer and Chainlink's CCIP. For example, when sending USDC from Ethereum to Polygon, the user's USDC on Ethereum is sent to a designated vault. A message is sent via the chosen interoperability protocol (like Axelar or Wormhole) to the Polygon pool, instructing it to release an equivalent amount of USDC to the recipient. The pool is then replenished by the relayer who claims the locked funds on Ethereum. This decouples the transfer speed from the slower, more secure settlement of the source chain transaction.
To implement a basic submarine send, you interact with a bridge aggregator's SDK or smart contract. Below is a conceptual example using a hypothetical bridge SDK:
javascriptimport { SubmarineBridge } from '@bridge-sdk/submarine'; const bridge = new SubmarineBridge({ sourceChain: 'ethereum', destinationChain: 'arbitrum', asset: 'USDC' }); // Initiate the submarine send const tx = await bridge.send({ amount: '1000000', // 1 USDC (6 decimals) recipient: '0xRecipientAddressOnArbitrum', }); // User receives funds on Arbitrum in seconds console.log(`Transaction hash for reconciliation: ${tx.hash}`);
The key parameters are the source/destination chain IDs, the token address, and the recipient. The SDK handles the message passing and pool interaction.
The primary advantage is speed and cost. Users get finality on the destination chain in seconds, not the 10-20 minutes typical of optimistic rollup bridges. It also reduces gas costs by batching settlement transactions. However, this model introduces liquidity risk and relayer dependency. Transfers are limited by the depth of the destination pool, and the system requires a trusted or incentivized relayer to perform the settlement. If the relayer fails, the liquidity pools become imbalanced, potentially halting transfers until they are rebalanced manually or via incentives.
Use submarine sending for applications requiring fast cross-chain interactions, such as interchain arbitrage trading, cross-chain collateral posting for loans, or gaming asset transfers. It is less suitable for large, one-time transfers that could drain the liquidity pool or for users who prioritize decentralized security over speed. When implementing, always query the available liquidity on the destination chain first and have a fallback to a standard bridge method if the pool is insufficient. Monitoring tools like SocketDL's Liquidity Dashboard are essential for managing this risk.
In summary, a submarine sending strategy optimizes for user experience by leveraging pre-funded liquidity. It is a powerful tool in the cross-chain stack, but developers must architect around its constraints—ensuring liquidity provisioning, monitoring relayer health, and implementing fallbacks. As interoperability protocols evolve, native token transfers using this model are becoming a standard feature for DeFi and gaming applications that operate across multiple ecosystems.
core-mechanisms
SUBMARINE SENDING
Core Privacy Mechanisms
Submarine sending is a privacy technique that hides transaction amounts and recipients by routing funds through a series of intermediate, obfuscating steps. This guide covers the core mechanisms and tools for implementing it.
01
Understanding the Basic Flow
A submarine send typically involves three parties: the sender, a relayer, and the recipient. The sender deposits funds into a shared pool or a commitment contract. The relayer, who cannot see the final recipient, forwards an equivalent amount from the pool to the destination. This breaks the on-chain link between the original deposit and the final withdrawal.
Key steps include:
- Commitment: Locking funds with a secret hash.
- Relay Proof: Providing a zero-knowledge proof of a valid deposit to the relayer.
- Withdrawal: The recipient claims the funds with the secret pre-image.
04
The Relayer Network & Incentives
Relayers pay the gas fee for the withdrawal transaction, enabling privacy for recipients without ETH. They are reimbursed the gas cost plus a small fee from the withdrawn amount.
To implement a relayer:
- Listen for
Withdrawalevents from the pool contract. - Fetch the corresponding zk-proof from the user (via a secure channel).
- Submit the
withdrawtransaction, attaching the proof. - The contract sends the fee (e.g., 0.1% of the pool denomination) to
msg.sender(the relayer).
This creates a permissionless, incentivized network for forwarding transactions.
05
Addressing Privacy Leaks & Risks
Naive implementations have significant privacy leaks. Key mitigations include:
- Uniform Deposit Amounts: All deposits must be identical (e.g., 1 ETH) to prevent amount-based linking.
- Decoupling Deposit & Withdrawal: Using a relayer ensures the withdrawal TX comes from a different address than the deposit.
- Nullifier Schemes: Prevents double-spending without revealing which commitment was spent.
- Anonymity Set Considerations: Privacy increases with the size of the deposit pool. A pool with 10,000 commitments offers stronger anonymity than one with 10.
IMPLEMENTATION OPTIONS
Submarine Send Protocol Comparison
Comparison of popular protocols for implementing private cross-chain transfers.
| Feature / Metric | Railgun | Aztec Connect | Tornado Cash Nova |
|---|---|---|---|
Privacy Model | ZK-SNARKs (zk-SNARKs) | ZK-SNARKs (zk-SNARKs) | ZK-SNARKs (zk-SNARKs) |
Supported Chains | EVM (Ethereum, Polygon, BSC, Arbitrum) | EVM (Ethereum only) | EVM (Ethereum, Polygon, Arbitrum, Optimism) |
Native Bridge Integration | |||
Average Relay Time | 2-5 minutes | ~15 minutes | 5-10 minutes |
Fee Structure | 0.3% + gas | 0.3% + gas | 0.1% + network fee |
Minimum Deposit | 0.01 ETH | 0.1 ETH | 0.1 ETH |
Smart Contract Audits | |||
Developer SDK | TypeScript, Go | TypeScript | JavaScript, Python |
STRATEGIES
Implementation Examples
Simple Submarine Send
A basic submarine sending strategy involves a single, direct transaction from a fresh wallet to the final destination. This is suitable for low-value transfers where privacy is desired but maximum security is not critical.
Key Steps:
- Generate a new, non-custodial wallet (e.g., using ethers.js or web3.js).
- Fund the wallet via a private method (e.g., a decentralized exchange or a peer-to-peer transaction).
- Execute the final transfer from the new wallet to the target address.
Considerations:
- Privacy: Breaks the direct on-chain link between your primary wallet and the destination.
- Cost: Incurrs gas fees for the final transfer.
- Traceability: Sophisticated chain analysis may still link the funding source if not done carefully.
compliance-considerations
COMPLIANCE AND REGULATORY CONSIDERATIONS
How to Implement a Submarine Sending Strategy
A submarine sending strategy is a compliance technique for executing large cryptocurrency transactions by breaking them into smaller, less conspicuous transfers. This guide explains the technical implementation and its regulatory context.
A submarine sending strategy involves splitting a single, large cryptocurrency transaction into multiple smaller transactions that are sent over time. The primary goal is to avoid triggering automated compliance flags on centralized exchanges (CEXs) or blockchain surveillance tools, which often monitor for large, sudden movements of funds. This is not inherently illegal but exists in a gray area; its legality depends entirely on the sender's intent and jurisdiction. Using this technique to evade legitimate Anti-Money Laundering (AML) or Know Your Customer (KYC) requirements is prohibited.
From a technical standpoint, implementation requires careful wallet management and transaction scheduling. You cannot simply batch-send from one wallet, as the source address remains a clear link. Instead, funds should be routed through a series of intermediary wallets or smart contracts that act as buffers. A basic script using Ethers.js or web3.py can automate the process: it would pull a total amount from a vault, divide it, and schedule sends to a final destination from several ephemeral addresses. Critical parameters to configure are the amountPerTx (staying below exchange reporting thresholds), delayBetweenTx (varying intervals to avoid pattern recognition), and the number of intermediateHops.
The regulatory risks are significant. Authorities and blockchain analytics firms like Chainalysis or Elliptic specialize in detecting transaction clustering and peeling chains, which are hallmarks of structuring activity. If identified, all associated addresses may be blacklisted, freezing funds across DeFi protocols and CEXs. Furthermore, the Travel Rule in many jurisdictions requires VASPs to share sender/receiver information for transfers over certain amounts, which a submarine strategy attempts to circumvent, potentially leading to severe penalties.
For developers building compliant applications, transparency is paramount. If implementing features that could be used for transaction structuring, include clear user warnings and audit logs. Consider integrating compliance tooling APIs from providers like TRM Labs to screen transactions against sanctions lists directly within your application's workflow. The code example below shows a simplistic, non-compliant structure for educational purposes, highlighting the need for robust compliance checks in production systems.
javascript// EXAMPLE: Basic, non-compliant scheduling logic (for illustration only) async function scheduleTransfers(vaultWallet, destination, totalAmount, chunks) { const amountPerChunk = totalAmount.div(chunks); for (let i = 0; i < chunks; i++) { const tempWallet = Wallet.createRandom(); // Fund temp wallet from vault await sendFunds(vaultWallet, tempWallet.address, amountPerChunk); // Schedule send from temp wallet to final destination setTimeout(async () => { await sendFunds(tempWallet, destination, amountPerChunk); }, i * getRandomDelay()); } }
In practice, the most secure and compliant method for moving large sums is to work directly with regulated institutions. Many custodians and financial institutions offer over-the-counter (OTC) trading desks that facilitate large, off-exchange settlements with full KYC/AML compliance. For on-chain DeFi operations, using privacy-preserving protocols with legitimate audit trails, like Aztec Network or Tornado Cash Nova (where legally permissible), can provide confidentiality without the legal risks of deliberate obfuscation. Always consult with legal counsel to ensure your strategy adheres to FATF guidelines and local regulations like the Bank Secrecy Act (BSA) in the U.S.
SUBMARINE SENDING
Frequently Asked Questions
Common technical questions and solutions for implementing a submarine sending strategy, focusing on privacy, gas optimization, and contract integration.
Submarine sending is a privacy technique that hides the origin and destination of a token transfer until a later reveal. It works by using a commit-reveal scheme and a relayer network.
- Commit: The sender deposits tokens into a smart contract, generating a cryptographic commitment hash (e.g.,
keccak256(recipient, secret)). Only this hash is published on-chain. - Relay: An off-chain relayer observes the commitment and forwards an equivalent amount to the intended recipient on the destination chain, funded from its own liquidity pool.
- Reveal: Later, the sender (or anyone) submits the original
recipientandsecretto the source contract. The contract verifies they hash to the commitment. This proves the relayer's payment was valid and allows the contract to refund the relayer from the initially locked funds.
The recipient receives funds immediately from the relayer, while the on-chain transaction linking sender and recipient is delayed until the reveal phase, obscuring the trail.
resource-links
DEVELOPER GUIDE
Tools and Resources
Submarine sending reduces MEV exposure by keeping transactions out of the public mempool until execution. These tools and resources help developers implement private transaction flow, simulate outcomes, and manage execution risks in production systems.
05
Nonce and Replacement Management
Nonce control is a frequent failure point in submarine sending setups.
Key rules:
- Private transactions still consume nonces when included
- Public and private transaction streams must be coordinated
- Replacement rules differ because transactions are not gossiped
Recommended strategies:
- Use a dedicated sender address for private flows
- Track pending private submissions off-chain
- Avoid mixing public mempool transactions with the same nonce range
Advanced setups maintain a local nonce manager that reconciles on-chain state with expected private inclusions to prevent deadlocks.
conclusion
IMPLEMENTATION SUMMARY
Conclusion and Next Steps
You have learned the core mechanics of a submarine sending strategy, from the initial stealth deposit to the final on-chain reveal. This guide has provided the foundational code and concepts to build your own implementation.
A successful submarine sending strategy hinges on three pillars: privacy, reliability, and cost-efficiency. The off-chain component must securely hold the secret preimage and manage the timelock, while the on-chain contract must enforce the cryptographic conditions without vulnerabilities. Always use audited libraries for cryptographic operations like keccak256 and ensure your timelock logic is robust against blockchain reorgs. For production use, consider integrating with a decentralized oracle or a secure off-chain signing service like Gelato or Chainlink Functions to automate the reveal transaction, preventing funds from being locked if the sender goes offline.
To extend this basic implementation, explore advanced patterns. You could implement batch reveals to consolidate multiple pending transfers into a single transaction, significantly reducing gas costs for users. Another improvement is adding support for ERC-20 tokens alongside native ETH, requiring the contract to safely handle token approvals and transfers. For enhanced privacy, research zk-SNARKs or stealth addresses to obfuscate the link between the initial deposit and the final recipient address, moving beyond the simple hash commitment model demonstrated here.
Your next steps should involve rigorous testing and security auditing. Deploy your contracts to a testnet like Sepolia or Holesky and simulate various scenarios: a normal reveal, a refund claim after the timelock expires, and malicious attempts to claim with a wrong preimage. Use tools like Foundry for fuzz testing the claim function and Slither for static analysis. Finally, review similar real-world implementations such as the Umbra protocol for stealth payments or Tornado Cash for privacy pools to understand how they solve related challenges at scale.