On-chain privacy pools are smart contract systems that allow users to transact privately by leveraging zero-knowledge proofs (ZKPs). Unlike traditional mixers that pool funds indiscriminately, privacy pools enable users to prove membership in a set of legitimate participants without revealing their specific identity. This is achieved through cryptographic commitments and zk-SNARKs, which verify that a user's deposit belongs to an approved list (an "anonymity set") while breaking the direct on-chain link between deposit and withdrawal. The core contract logic manages deposits, generates proofs, and processes withdrawals, creating a privacy layer for assets like ETH or ERC-20 tokens.
LABS
Guides
Setting Up On-Chain Privacy Pools
A technical guide for developers on implementing privacy pool protocols to break the on-chain link between transaction inputs and outputs.
Chainscore © 2026
introduction
TUTORIAL
Setting Up On-Chain Privacy Pools
A technical guide to implementing privacy pools using zero-knowledge proofs on Ethereum and compatible networks.
To set up a basic privacy pool, you'll need a development environment with Foundry or Hardhat, a ZKP library like circom and snarkjs for circuit compilation, and a wallet for deployment. Start by defining the circuit logic in a Circom file (pool.circom), which typically includes components for verifying a Merkle proof that a user's commitment exists in the pool's deposit tree and that a nullifier hasn't been reused. After compiling the circuit and generating a proving key and verification key, you write a Solidity contract that imports a verifier contract (often auto-generated) and manages the pool's state: a Merkle root of deposits, a mapping of spent nullifiers, and functions for deposit() and withdraw().
The deposit function accepts funds and emits an event with a new commitment, which an off-chain service (like a relayer or indexer) uses to update the Merkle tree. The withdraw function is more complex; it requires a zk-SNARK proof, the current Merkle root, and a nullifier hash as inputs. The contract verifies the proof against the stored verification key, checks the root is current, and ensures the nullifier is new before sending funds to a specified address. For production, you must integrate an off-chain prover service to generate proofs for users and consider using a relayer to pay gas fees for withdrawals, further enhancing privacy by decoupling the withdrawal transaction from the user's identity.
Key security considerations include ensuring the anonymity set is sufficiently large, protecting the proving key, and implementing robust mechanisms to prevent denial-of-service attacks or front-running on withdrawals. Projects like Aztec Protocol and Tornado Cash (pre-sanctions) pioneered this architecture. Developers should audit the ZK circuit for logical errors and the smart contract for reentrancy and overflow vulnerabilities. Testing involves simulating multiple deposits and withdrawals in a local fork, verifying proof validity and state updates. For extensibility, you can modify the circuit to support custom compliance rules, such as proof-of-innocence attestations, which allow users to prove they are not associated with blacklisted addresses without revealing their own.
prerequisites
FOUNDATIONAL CONCEPTS
Prerequisites and Required Knowledge
Before building with on-chain privacy pools, you need a solid understanding of core blockchain mechanics and privacy primitives. This section outlines the essential knowledge and tools required.
A strong foundation in Ethereum development is non-negotiable. You must be proficient with Solidity for writing smart contracts, understand the EVM execution model, and be comfortable with development tools like Hardhat or Foundry. Familiarity with common standards such as ERC-20 and ERC-721 is also essential, as privacy pools often interact with these token types. You should have experience deploying contracts to testnets and mainnet, and managing gas optimization.
Understanding zero-knowledge proofs (ZKPs) is the cornerstone of on-chain privacy. You don't need to be a cryptographer, but you must grasp the core concept: proving a statement is true without revealing the underlying data. Key frameworks to explore include zk-SNARKs (used by Tornado Cash) and zk-STARKs. You should understand the roles of the prover (who generates the proof) and the verifier (the smart contract that checks it), as this interaction is central to privacy pool mechanics.
You will need practical experience with specific privacy-enabling technologies. For many pools, this means working with circom to design arithmetic circuits and snarkjs to generate and verify proofs. An understanding of Merkle trees is critical, as they are used to anonymously commit to deposits without revealing their specific leaf. You should also be aware of the regulatory and compliance landscape surrounding privacy tools, as it directly impacts deployment strategies and user risk.
cryptographic-foundations
CRYPTOGRAPHIC FOUNDATIONS FOR PRIVACY
Setting Up On-Chain Privacy Pools
A technical guide to implementing privacy pools using zero-knowledge proofs, enabling selective anonymity for DeFi transactions.
On-chain privacy pools are smart contract systems that allow users to deposit assets and withdraw them to new addresses without revealing the link between deposit and withdrawal. This is achieved using zero-knowledge proofs (ZKPs), specifically zk-SNARKs or zk-STARKs, which prove a user owns a valid deposit note without revealing which one. Unlike mixers that pool all funds, privacy pools can implement selective disclosure mechanisms, allowing users to prove their funds are not associated with a blacklisted address, a concept popularized by Vitalik Buterin's research on privacy-preserving compliance.
The core cryptographic primitive is a Merkle tree of commitments. When a user deposits, say, 1 ETH, they generate a secret nullifier and a secret commitment. The commitment C = hash(nullifier, secret) is added to the tree. To withdraw, the user must provide a ZK proof demonstrating: 1) knowledge of a leaf C in the current tree root, 2) knowledge of the corresponding nullifier, and 3) that the nullifier hasn't been used before. The contract verifies the proof and the unique nullifier, then releases funds. This breaks the on-chain link as the public data is only the root and nullifiers.
Setting up a basic pool requires a verifier contract and a circuit. Using libraries like circom and snarkjs, you define the withdrawal logic in a circuit. A simplified withdraw.circom template proves membership in a Merkle tree. After compiling and generating a proving key, you deploy a verifier contract (e.g., Verifier.sol from snarkjs). Your main PrivacyPool.sol contract then stores the Merkle root, a nullifier set, and calls the verifier. Key functions are deposit(bytes32 commitment) to add leaves and withdraw(uint256 amount, bytes32 nullifierHash, bytes calldata proof) to execute the verified withdrawal.
For developers, the major challenges are trusted setup for zk-SNARKs, requiring a secure multi-party ceremony, and circuit complexity which impacts gas costs. Using incremental Merkle trees (like those in the @zk-kit/incremental-merkle-tree library) allows efficient updates without recalculating the entire tree. Furthermore, integrating semaphore-style signaling can enable users to prove membership in a group (e.g., not a sanctioned entity) without revealing their identity, adding a compliance layer. Always audit the circuit logic, as bugs can lead to loss of funds or broken privacy.
In practice, protocols like Tornado Cash pioneered this model, while newer designs explore privacy sets. When implementing, consider using EIP-712 typed data for signing commitments off-chain to improve UX. Test thoroughly on a testnet like Sepolia using frameworks like Hardhat or Foundry, simulating both normal operation and malicious edge cases. Remember that while the cryptography provides strong privacy, auxiliary metadata from transaction timing or amounts can still leak information, necessitating additional design considerations for full anonymity.
design-patterns
IMPLEMENTATION GUIDE
Core Privacy Pool Design Patterns
Privacy pools use cryptographic techniques to separate transaction history from identity. This guide covers the primary design patterns for implementing on-chain privacy.
03
Anonymity Set Management
The anonymity set is the group of all possible senders for a given transaction. Its size is a direct measure of privacy.
- Fixed-size pools: Like Tornado Cash 1 ETH pool. Privacy scales with total deposits.
- Variable-denomination pools: Allow custom deposit amounts, which can fragment the anonymity set.
- Mixers vs. Rollups: L2 rollups like Aztec create a shared anonymity set across all transactions in a block, which can be larger than isolated mixer pools.
04
Withdrawal Authorization & Compliance
A critical design challenge is allowing legitimate withdrawals while preventing illicit fund laundering. This is the core of the Privacy Pools protocol research.
- Association Set Exclusion: Users can provide a zk-proof that their funds are not associated with a publicly identified set of malicious deposits (e.g., from a hack).
- Membership Proofs: The standard proof shows a deposit exists in the pool's Merkle tree.
- Exclusion Proofs: An optional, additional proof shows the deposit is not in a banned subset, enabling regulatory compatibility.
05
Smart Contract Architecture
The on-chain verifier contract is the core logic. It must be gas-efficient and secure.
- Verifier Contract: Accepts a zk-proof, public inputs (nullifier, root), and verifies it on-chain. This contract is often generated from a circuit.
- State Management: Stores the current Merkle root of all commitments. Updating the root is permissionless for deposits but requires a proof for withdrawals.
- Relayer Network: To preserve IP privacy, users can broadcast withdrawal transactions via a decentralized network of relayers who pay gas fees and get reimbursed.
contract-architecture
SMART CONTRACT ARCHITECTURE AND SECURITY
Setting Up On-Chain Privacy Pools
This guide explains how to implement privacy pools using zero-knowledge proofs to enable private, compliant transactions on Ethereum and other EVM chains.
On-chain privacy pools are a privacy-enhancing technology that allows users to transact confidentially while providing a mechanism for regulatory compliance. Unlike traditional mixers that anonymize funds by pooling them, privacy pools use zero-knowledge proofs (ZKPs) to allow users to prove their funds originate from a legitimate source without revealing the source itself. This architecture, popularized by protocols like Tornado Cash and its successors, separates the act of depositing funds into a pool from the act of withdrawing them to a new address. The core security challenge is preventing Sybil attacks and double-spends while maintaining user anonymity.
The smart contract architecture for a basic privacy pool involves two main functions: deposit and withdraw. When a user calls deposit, they send a fixed amount of ETH (e.g., 1 ETH) to the contract, which generates a cryptographic commitment. This commitment, typically a hash of a secret nullifier and a public note, is stored in a Merkle tree on-chain. The user securely stores the secret nullifier and a secret key off-chain. The contract holds the pooled funds, making all deposits fungible and breaking the on-chain link between depositor and withdrawal.
To withdraw funds privately, a user must generate a zk-SNARK proof. This proof cryptographically demonstrates three things without revealing the underlying secrets: 1) The user knows a secret corresponding to a valid commitment in the pool's Merkle tree. 2) They can compute a valid nullifier for that commitment. 3) This specific nullifier has not been used before. The smart contract's withdraw function verifies this proof on-chain. If valid, it adds the nullifier to a spent set (preventing reuse) and transfers the funds to a specified address. The entire process severs the link between the original deposit and the final withdrawal on the public ledger.
A critical advancement is the concept of anonymity sets with compliance. Basic pools create an anonymity set comprising all users in the pool. Advanced designs, like those proposed in the Privacy Pools paper, allow users to generate proofs showing their funds are not associated with a flagged subset of deposits (e.g., those from known illicit addresses). This is achieved by allowing withdrawers to specify an exclusion set—a list of deposit commitments they wish to dissociate from—and proving their commitment is not in that Merkle tree subset. This enables private transactions that are compliant with regulatory frameworks.
When deploying a privacy pool, key security considerations include: - Trusted setup: Most zk-SNARK circuits require a one-time trusted setup ceremony; a compromised setup can break the system's security. - Circuit correctness: The ZKP circuit logic must be formally verified to prevent logical flaws that could leak data or allow fraud. - Denial-of-service (DoS): The contract must be designed to handle gas costs for proof verification and Merkle tree updates efficiently to avoid being bricked. - Upgradeability: Given the complexity, contracts often use proxy patterns; however, upgrade keys must be managed via a robust multisig or DAO to prevent malicious changes.
To implement a basic version, you can use libraries like circom for circuit design and snarkjs for proof generation. The Solidity contract would verify proofs using a verifier contract, often deployed from the output of these tools. Always audit the circuit logic and the smart contract extensively, and consider starting with a testnet implementation using a pre-compiled verifier. Remember, the regulatory landscape for privacy tools is evolving, so legal review is as crucial as technical security.
TECHNICAL SPECS
Comparison of Privacy Pool Implementations
A comparison of core technical features, security models, and operational characteristics for leading on-chain privacy pool protocols.
| Feature / Metric | Tornado Cash | Aztec Connect (Deprecated) | Railgun | Semaphore |
|---|---|---|---|---|
Core Privacy Technology | zk-SNARKs (Groth16) | zk-SNARKs (Plonk) | zk-SNARKs (Groth16) | zk-SNARKs (Groth16) |
Trusted Setup Required | ||||
Native Token | TORN | AZTEC | RAIL | |
Deposit/Withdraw Gas Cost (ETH) | $50-150 | $80-200 | $30-80 | $20-60 |
Withdrawal Delay | ~30 min | Instant | Instant | Instant |
Supported Assets | ETH, DAI, USDC, etc. | ETH, DAI via bridges | ETH, ERC-20s, NFTs | ETH, ERC-20s |
Smart Contract Audits | ||||
Relayer Network Required | ||||
Anonymity Set Size | Large (1000s) | Medium | Growing | Configurable |
Development Status | Active (Community) | Deprecated | Active | Active |
compliance-considerations
COMPLIANCE AND REGULATORY CONSIDERATIONS
Setting Up On-Chain Privacy Pools
Privacy-enhancing protocols like Tornado Cash and Aztec face intense regulatory scrutiny. This guide explains the compliance challenges and technical mechanisms for building privacy pools that can meet regulatory requirements.
On-chain privacy pools, such as Tornado Cash, use zero-knowledge proofs (ZKPs) to break the linkability of transactions. While they protect user privacy, they have drawn regulatory action from bodies like the U.S. OFAC for their potential use in money laundering. Developers must now design systems that provide privacy without enabling illicit finance. This involves implementing compliance features like selective disclosure and regulatory-compatible anonymity sets, moving beyond simple mixing to accountable privacy.
A key technical approach is the use of privacy pools with compliance logs. In this model, users generate a zero-knowledge proof that their funds originate from a whitelisted set of deposits, not from a banned address. Projects like the "Privacy Pools" prototype by A. Juels et al. demonstrate this. Users submit a proof to a smart contract verifying membership in a valid "association set," allowing exchanges or regulators to confirm compliance without exposing all transaction links.
Implementing this requires a Solidity verifier contract for the ZK-SNARK proof. The contract checks that a user's nullifier hasn't been spent and validates the proof against a public list of approved deposit commitments. The association set is often managed via a merkle tree, allowing for updates. Here's a simplified interface:
solidityfunction withdraw( bytes calldata _proof, bytes32 _root, bytes32 _nullifierHash ) external { require(!nullifierSpent[_nullifierHash], "Already spent"); require(verifyProof(_proof, _root, _nullifierHash), "Invalid proof"); nullifierSpent[_nullifierHash] = true; // Transfer funds }
Legal considerations are paramount. Developers should consult counsel to understand jurisdiction-specific rules like the EU's MiCA regulation or the U.S. Bank Secrecy Act. Building with optional KYC integration or transaction monitoring oracles like Chainalysis can mitigate risk. The goal is privacy-by-design with regulatory visibility, where the protocol architecture itself provides avenues for lawful intervention, rather than being an opaque black box that invites blanket bans.
Future developments point towards interoperable reputation systems and proof-of-innocence protocols. These systems allow users to leverage attestations from trusted entities to prove their funds are clean, creating a granular privacy landscape. Building compliant privacy requires balancing cryptographic guarantees with real-world legal frameworks, focusing on creating tools for selective transparency that protect users while satisfying regulatory requirements for anti-money laundering (AML) and counter-terrorist financing (CFT).
development-tools
ON-CHAIN PRIVACY
Development Tools and Libraries
Tools and frameworks for developers to integrate privacy-preserving features like zero-knowledge proofs and confidential transactions into their applications.
DEVELOPER TROUBLESHOOTING
Privacy Pool Implementation FAQ
Common technical questions and solutions for developers building or integrating with on-chain privacy pools.
This error occurs when the nullifier you are generating for the deposit does not match the pool's expected format. The nullifier is a unique identifier that prevents double-spending of deposited funds. Common causes include:
- Incorrect hashing: Ensure you are using the same hash function (e.g., Poseidon, MiMC) and parameters as the pool's zero-knowledge circuit.
- Wrong input order: The nullifier is typically computed as
hash(secret, commitment_index). Verify the order and data types of inputs. - Chain ID mismatch: Some pools include the chain ID in the nullifier hash to prevent cross-chain replay attacks. Ensure you are using the correct chain ID for the network you're on.
To debug, compare your locally generated nullifier with the one expected by the pool's smart contract using a tool like Foundry's cast or by examining the circuit constraints.
resource-links
DEVELOPER RESOURCES
Further Resources and Documentation
Primary documentation, protocols, and tooling for designing, deploying, and analyzing on-chain privacy pools using zkSNARKs and related cryptography. These resources focus on real implementations, audits, and production constraints.
conclusion
IMPLEMENTATION SUMMARY
Conclusion and Next Steps
This guide has walked through the core concepts and practical steps for deploying and using privacy pools. Here's a summary of key takeaways and resources for further exploration.
You have now configured the foundational components for on-chain privacy. The key steps involved deploying a custom Semaphore group for your application, integrating the zk-kit library for zero-knowledge proof generation, and connecting your smart contracts to a relayer service for gasless transactions. Remember, the privacy guarantee stems from the zero-knowledge proof, which allows a user to prove membership in an approved set (the privacy pool) without revealing their specific identity. This setup is commonly used for private voting, anonymous attestations, and shielded transfers within a defined community.
For production deployments, several critical considerations must be addressed. First, manage your group's nullifier scheme to prevent double-signaling or double-spending. Second, carefully design the criteria for your privacy set (the allowlist); a poorly curated set can degrade anonymity. Third, audit the entire stack, especially the circuit logic (e.g., your .circom files) and the integration points in your application. Tools like snarkjs for proof verification and hardhat for contract testing are essential here. Finally, consider the UX: abstracting away the complexity of generating ZK proofs is crucial for mainstream adoption.
To continue your learning, explore these resources. Study the official Semaphore documentation for advanced group management. Review the zk-kit GitHub repository for additional utilities and examples. For a deeper dive into the cryptography, the original Semaphore paper is an excellent resource. The next logical step is to build a frontend interface using a library like @semaphore-protocol/ui-components and to experiment with different relayer infrastructures like OpenZeppelin Defender or Gelato to handle transaction submission.