Privacy Pools
Give without leaving a trail. Privacy Pools let you donate to Igor through zero-knowledge proofs. Your wallet stays private while the donation is publicly verifiable and compliant.
Unlike traditional mixers, Privacy Pools let you prove your funds are clean without revealing your identity. This means privacy for you and legitimacy for the campaign.
How it works
Deposit into the pool
You deposit ETH or USDC into a Privacy Pool smart contract on your chosen chain. Your funds join a pool of other deposits, breaking the direct link between your wallet and the donation.
Prove you're clean
Your browser generates a zero-knowledge proof locally, never sending private data to any server. The proof shows your deposit isn't from a sanctioned or stolen source, without revealing which deposit is yours.
Private withdrawal to Igor
A relayer submits the withdrawal on your behalf so your address never appears on-chain. Funds arrive at the same Safe multisig that holds all other donations. Fully accounted for, privately given.
Why Privacy Pools, not a mixer?
Traditional mixers
- Everyone is anonymous, including bad actors
- No way to prove your funds are legitimate
- Regulatory risk for recipients
- Sanctioned in many jurisdictions
Privacy Pools
- Privacy with compliance: you choose your proof
- ZK proof shows your deposit isn't from illicit sources
- Association Set Providers curate allow/block lists
- Non-custodial: smart contract can't lock your funds
What the zero-knowledge proof actually proves
When you withdraw through a Privacy Pool, a Groth16 ZK-SNARK circuit verifies five things simultaneously, all without revealing your identity:
- You made a valid deposit: your secret corresponds to a real commitment in the deposits Merkle tree.
- You haven't already withdrawn: your nullifier hasn't been seen before (prevents double-spending).
- Your deposit is in the chosen subset: proof of inclusion in an allow list, or proof of exclusion from a block list.
- Asset metadata matches: the token and amount you're withdrawing matches what was deposited.
- Withdrawal metadata is correct: the recipient address, relayer, and fees are all locked into the proof.
The circuit uses dual Merkle proofs at depth 20 (supporting over 1 million deposits) with Poseidon hashing for SNARK efficiency.
Association Set Providers
ASPs are the compliance layer. They curate lists of known-bad deposits (sanctions, hacks, scams) so you can prove exclusion from those lists. No ASP can lock your funds. They only provide data.
0xbow
Default ASP operated by 0xbow. Maintains exclusion sets based on publicly known illicit addresses (OFAC, stolen funds).
Chainalysis Blocklist
Community-maintained exclusion set based on Chainalysis sanctions data. Widely used by compliant DeFi protocols.
Supported chains
| Chain | Status | Tokens | Denominations |
|---|---|---|---|
| Ethereum | Active | ETH, USDC | 0.1 ETH, 1 ETH, 10 ETH, 100 USDC, 1000 USDC, 10000 USDC |
| Arbitrum | Active | ETH, USDC | 0.1 ETH, 1 ETH, 10 ETH, 100 USDC, 1000 USDC, 10000 USDC |
| Optimism | Active | ETH, USDC | 0.1 ETH, 1 ETH, 10 ETH, 100 USDC, 1000 USDC, 10000 USDC |
Fixed denominations ensure all deposits in a pool are the same size, maximizing the anonymity set. Pick the amount closest to your intended donation. For larger amounts, make multiple deposits.
Security and trust model
Smart contract custody
The Privacy Pool smart contract is non-custodial. It holds pooled deposits but cannot selectively freeze or redirect funds. Withdrawals are gated only by valid ZK proofs. The contract stores the last 30 deposit tree roots for flexibility, and nullifiers prevent double-spends.
Proof generation is local
Your ZK proof is generated entirely in your browser using pre-compiled circuits (WASM + proving keys). Your secret never leaves your device. No server, no API, no trusted third party sees your private inputs.
Relayer network
Relayers submit your withdrawal transaction so your wallet address never appears on-chain. The relayer cannot steal funds. The proof locks the recipient address, amount, and fee. A small fee is deducted to cover gas costs.
What ASPs can and can't do
Can: Publish allow/block lists identifying known-bad deposits. Emit compressed bitstrings on-chain for anyone to use.
Can't: Lock, freeze, or redirect your funds. The smart contract is neutral. It only checks the math. You can always withdraw by proving exclusion from an empty block list (maximum privacy, no restrictions).
Common questions
Where do the funds actually go?
To the same Safe multisig wallet that holds all other EVM donations. The Privacy Pool withdrawal specifies Igor's Safe as the recipient. Once received, funds are protected by the same 2-of-3 keyholder system described on our trust page.
Can I deposit more than the fixed amounts?
Fixed denominations are a feature, not a limitation. When all deposits are the same size, it's impossible to identify yours by amount. For larger donations, make multiple deposits at different times.
What if I just want to donate normally?
Privacy Pools are entirely optional. You can send directly to our Safe multisig, use Bitcoin, Solana, Monero, or Zcash. See all options on the donate page.
Is this the same as Tornado Cash?
No. Tornado Cash provides blanket anonymity with no compliance mechanism. Privacy Pools add an Association Set layer so users can prove their funds aren't from sanctioned or stolen sources.
This design was co-authored by Vitalik Buterin, Jacob Illum, Matthias Nadler, Fabian Schär, and Ameen Soleimani, specifically to enable privacy that regulators can accept.