Privacy (informal)
What observers see (or don’t) in practice:| Topic | What leaks / what’s protected |
|---|---|
| Sender | External observers see paymaster as sender; paymaster may see IP. |
| Receiver | Hidden except when a new channel is opened (recipient address on-chain once per sender–recipient pair). |
| Amounts | Encrypted in normal notes; deposits, withdrawals, and open notes expose amounts (and tokens) as designed. |
| Auditor | Can decrypt registered users’ viewing keys when authorized; cannot sign spends. |
Fund security
- Double-spend — nullifiers are unique and recorded; proof ties nullifier to existing note.
- Unauthorized spend — requires valid account signature in proof; auditor has viewing key only, not signing authority.
Limitations
- New channel + deposit/withdraw in same tx or tight timing — can link recipient to public address activity; wallets should separate these flows when possible.
- Deposit/withdraw heuristics — distinctive amounts or immediate in/out weaken privacy (common to all pools).
- Reverted txs — if a note slot was touched then reverted, reusing the same note id can link txs; mitigations include burning dummy writes to exposed ids (paper §11.3.3).