Title: Shielding · Pattern · EthSystems

URL Source: https://original.es-internal.pages.dev/patterns/pattern-shielding/

Markdown Content:
---
description: Enable confidential transfers by shielding balances, sender, and receiver, while still allowing regulators and auditors to verify via selective disclosure (viewing keys, proofs). The logic generalizes beyond ERC-20 to any transferable asset.
title: Shielding · Pattern · EthSystems
image: https://original.es-internal.pages.dev/og.png
---

[Skip to content](#main-content) 

#### Works best when

* You need confidential transfer amounts and counterparties.
* Selective disclosure or auditing is required.

#### Avoid when

* Transparency is mandated by design.

### I2I vs I2U — context differences

Between institutions, both counterparties have legal recourse and KYC-aligned identities. A shielded pool can be permissioned to institutional participants once the anonymity set is large enough to preserve unlinkability within the set. Shielding hides positions from competitors while viewing keys cover audit.

User is asymmetric to the operator. The shielded pool's CR must not depend on an operator who can block withdrawals. Forced withdrawal is required to make the privacy guarantee meaningful; without it, CR is effectively `low`.

Vector

EC-based commitments (Groth16, PLONK/KZG) broken by CRQC; HNDL risk high for encrypted notes.

Mitigation

STARK-based shielded pools with hash commitments. See [Post-Quantum Threats](../domains/post-quantum.md).

## Components

* Shielded pool contract stores commitments, the nullifier set, and a ZK verifier. Deployable on L1 or a shielded L2.
* Hash-based commitments (e.g. Poseidon) hide note contents; notes represent spendable state.
* Nullifier set prevents double-spends by tracking spent notes.
* Prover and verifier, with circuit logic authored in a DSL (Noir, Circom, Halo2, Gnark, etc.); the prover runs client-side.
* Wallet/KMS manages shielded keys and optional viewing keys.
* Relayer/paymaster (optional) for gas abstraction.
* Stealth addresses (optional, ERC-5564) for recipient unlinkability.

## Protocol

1. user Deposit assets into the shielded pool contract.
2. contract Store the commitment submitted by the user in the commitment set.
3. user Construct a shielded transfer: generate a zero-knowledge proof that (a) nullifiers for spent notes are not already in the nullifier set, (b) commitments for spent notes are members of the commitment set, (c) the sum of output note amounts does not exceed the sum of input note amounts, and (d) the sender owns the spending keys.
4. relayer Submit the shielded transaction for gas abstraction (optional).
5. contract Verify the proof, add new commitments, and add spent nullifiers.
6. auditor Verify a specific transfer via the recipient's viewing key.
7. user Withdraw by proving ownership of notes and burning them.

## Guarantees & threat model

Guarantees:

* Hides amounts, sender, and receiver from non-participants within the anonymity set.
* Enables scoped disclosures to auditors via viewing keys.
* Anchors state on the underlying chain (L1 or L2) for integrity.

Threat model:

* Soundness of the zero-knowledge proof system.
* Non-censoring sequencer or validator set on shielded L2s.
* Non-compromised relayer and paymaster. The relayer sees raw transaction data (nullifier, commitment, proof) and can link user IPs to shielded activity even though the contents stay hidden. A colluding paymaster can selectively censor.
* Network-layer metadata (timing, gas payer, IP) is out of scope for the shielding layer; combine with network-level anonymity to cover it.

## Trade-offs

* Cost and latency of zero-knowledge proofs (prover time, calldata/blobspace).
* Metadata leakage at the network layer.
* Gas abstraction is mandatory in practice: paying gas from the user's own EOA links the exit address back to the entry, breaking entry-to-exit unlinkability. A relayer or paymaster is required to break that link.
* Client-side query leakage: fetching a note's Merkle inclusion path (or scanning for incoming notes) from a third-party RPC or indexer reveals to that operator which note is about to be spent or read, undoing on-chain unlinkability for users who depend on shared infrastructure. Mitigable with private information retrieval (see [pattern-private-information-retrieval](/patterns/pattern-private-information-retrieval/)); institutions running their own full node and indexer sidestep this without PIR.
* Monotonic state growth: commitments accumulate indefinitely, so pool state bloats and proof costs drift up over time.

## Example

* A user shields stablecoins into the pool, transfers them privately to a recipient, and the regulator later verifies the transfer via the recipient's viewing key.

## See also

* [Railgun](/vendors/railgun/)
* [Hinkal](/vendors/hinkal/)
* [Aztec](/vendors/aztec/)
* [Exploring hardened shielded pools](https://ethsystems.org/blog/exploring-hardened-shielded-pools/)
* [Shielded-pool extension PoC](https://github.com/ethsystems/pocs/tree/master/pocs/private-payment/shielded-pool-extension)

### Open-source implementations

* [ github.com Solidity, Circom Railgun shielded pool (L1, production) ↗ ](https://github.com/Railgun-Privacy/contract)
* [ github.com Noir, Solidity EthSystems PoC (UltraHonk/Noir, research) ↗ ](https://github.com/ethsystems/pocs/tree/master/pocs/private-payment)
* [ github.com Noir Aztec Network, privacy L2 with native shielding (production) ↗ ](https://github.com/AztecProtocol/aztec-packages)

CROPS profile

Censorship-resistance: mediumOpen source: partialPrivacy: fullSecurity: medium

CRCensorship-resistancemedium

Reaches `high` on L1 permissionless shielded pools where users can deposit and withdraw without a gatekeeper. Drops to `low` on permissioned L2s with operator-controlled exit. Relies on relayer and paymaster for transaction submission, both of which can censor.

OSOpen sourcepartial

Open-source contracts are available; users can fork and run their own relayer. Some L2 deployments are closed or operator-controlled.

PPrivacyfull

Plausible deniability on amounts, sender, and receiver. Metadata (contract-level patterns, IP addresses, gas payer, timing) remains visible and must be covered at the network layer.

SSecuritymedium

Rides on the soundness of the zero-knowledge proof system and on-chain state integrity. Operator honesty matters on permissioned deployments.

Standards 2 
* `ERC-20`
* `ERC-5564`

#### Referenced by

approaches7
* [Atomic DvP Settlement](/approaches/approach-dvp-atomic-settlement/)
* [Private Bond Issuance & Trading](/approaches/approach-private-bonds/)
* [Private Money Market Funds](/approaches/approach-private-money-market-funds/)
* [Private Payments](/approaches/approach-private-payments/)
* [Private Smart Derivatives](/approaches/approach-private-derivatives/)
* [Private Trade Settlement](/approaches/approach-private-trade-settlement/)
* [Private Transaction Broadcasting](/approaches/approach-private-broadcasting/)
use cases1
* [Resilient Disbursement Rails](/use-cases/resilient-disbursement-rails/)
building blocks38
* [Blob-Anchored State With KZG Dispute](/patterns/pattern-blob-anchored-state-with-dispute/)
* [Compliance Monitoring](/patterns/pattern-compliance-monitoring/)
* [Cross-Chain Privacy Bridge](/patterns/pattern-cross-chain-privacy-bridge/)
* [Delegated Proving (co-SNARKs)](/patterns/pattern-co-snark/)
* [ERC-3643 Tokenized RWAs](/patterns/pattern-erc3643-rwa/)
* [Forced Withdrawal (L1 Escape Hatch)](/patterns/pattern-forced-withdrawal/)
* [Hybrid Public-Private Modes](/patterns/pattern-hybrid-public-private-modes/)
* [Hybrid TEE + ZK settlement](/patterns/pattern-tee-zk-settlement/)
* [Low-cost L2 + Off-chain Encrypted Audit Log](/patterns/pattern-l2-encrypted-offchain-audit/)
* [Mixnet Anonymity](/patterns/pattern-mixnet-anonymity/)
* [Modular Privacy Stack](/patterns/pattern-modular-privacy-stack/)
* [Native Account Abstraction (EIP-8141)](/patterns/pattern-native-account-abstraction/)
* [Noir Private Contracts](/patterns/pattern-noir-private-contracts/)
* [Origin-Locked Cross-Chain Confidential Ledger](/patterns/pattern-origin-locked-confidential-ledger/)
* [Permissionless Spend Auth](/patterns/pattern-permissionless-spend-auth/)
* [Pre-trade Privacy (Encrypted Order Flow)](/patterns/pattern-pretrade-privacy-encryption/)
* [Privacy L2s](/patterns/pattern-privacy-l2s/)
* [Private Information Retrieval](/patterns/pattern-private-information-retrieval/)
* [Private Intent-Based Vaults](/patterns/pattern-private-vaults/)
* [Private ISO 20022 Messaging & Settlement](/patterns/pattern-private-iso20022/)
* [Private PvP (cash to cash) Settlement via ERC-7573](/patterns/pattern-private-pvp-stablecoins-erc7573/)
* [Private Shared State (FHE)](/patterns/pattern-private-shared-state-fhe/)
* [Private Shared State (MPC + ZK / co-SNARKs)](/patterns/pattern-private-shared-state-cosnark/)
* [Private Shared State (TEE)](/patterns/pattern-private-shared-state-tee/)
* [Private Stablecoin Shielded Payments](/patterns/pattern-private-stablecoin-shielded-payments/)
* [Private Transaction Broadcasting](/patterns/pattern-private-transaction-broadcasting/)
* [Proof of Innocence (Association Set Proofs)](/patterns/pattern-proof-of-innocence/)
* [Safe Proof Delegation](/patterns/pattern-safe-proof-delegation/)
* [Selective Disclosure (Viewing Keys + Zero-Knowledge Proofs)](/patterns/pattern-regulatory-disclosure-keys-proofs/)
* [Stateless Plasma Privacy](/patterns/pattern-plasma-stateless-privacy/)
* [Stealth Addresses](/patterns/pattern-stealth-addresses/)
* [TEE-Assisted Network Anonymity](/patterns/pattern-tee-network-anonymity/)
* [Threshold-Encrypted Mempool](/patterns/pattern-threshold-encrypted-mempool/)
* [TLS Payment Bridge](/patterns/pattern-tls-payment-bridge/)
* [User-controlled viewing keys](/patterns/pattern-user-controlled-viewing-keys/)
* [vOPRF Nullifiers](/patterns/pattern-voprf-nullifiers/)
* [ZK Proof Systems](/patterns/pattern-zk-proof-systems/)
* [zk-promises (stateful anonymous credentials)](/patterns/pattern-zk-promises/)
vendors11
* [Aztec Rollup](/vendors/aztec/)
* [EY](/vendors/ey/)
* [Hinkal](/vendors/hinkal/)
* [Miden](/vendors/miden/)
* [Paladin](/vendors/paladin/)
* [Privacy Pools](/vendors/privacypools/)
* [Railgun](/vendors/railgun/)
* [Soda Labs](/vendors/soda-labs/)
* [TACEO Merces](/vendors/taceo-merces/)
* [Zama](/vendors/zama/)
* [ZKsync Prividium](/vendors/zksync/)
RFPs1
* [Privacy Pools Institutional Integration](/rfps/rfp-privacy-pools/)

×

```json
{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://ethsystems.org/#organization","name":"EthSystems","url":"https://ethsystems.org/","logo":"https://ethsystems.org/icon-maskable.png","sameAs":["https://x.com/eth_systems","https://www.linkedin.com/company/ethsystems/","https://github.com/ethsystems"]},{"@type":"WebSite","@id":"https://ethsystems.org/#website","url":"https://ethsystems.org/","name":"EthSystems","publisher":{"@id":"https://ethsystems.org/#organization"}}]}
```
