PRIVACYSEND

What It Is
Zero-knowledge privacy layer for any Ethereum wallet. Connect MetaMask, Rainbow, or any EIP-1193 wallet and instantly receive a private RAILGUN address. Shield tokens into an encrypted balance, transact invisibly, and unshield to any destination, all from your browser.
Two transaction modes:
- Broadcaster Mode: Unshield transactions are submitted through the Waku broadcaster network, so your connected wallet never sends the transaction or pays gas on-chain. Maximum privacy, small token fee.
- Self-Sign Mode: Submit directly from your connected wallet. You pay gas in ETH. Faster, no broadcaster fee, but links your public wallet to the unshield event.
Every zero-knowledge proof is generated locally in the browser using Groth16 + WASM. Keys never leave the device.
The Problem
Every Ethereum transaction is permanently visible. Your wallet address is your identity, and every token you hold, every contract you touch, every transfer you make is public forever.
- Anyone can trace your holdings, trading patterns, and counterparties
- DeFi and NFT activity exposes net worth and strategy on-chain
- Moving funds to a fresh wallet still requires a traceable public transaction
- Existing privacy tools are custodial, sanctioned, or require trusted operators
- No standard way to give a normal wallet private-balance capability
The Solution
PrivacySend wraps any wallet with RAILGUN's zk infrastructure and gives the user a private-balance ledger that only they control. Shielded tokens move through an encrypted Merkle Tree where amounts, senders, and receivers are cryptographically hidden.
Three steps:
- Connect: Any EIP-1193 wallet (MetaMask, Rainbow, WalletConnect)
- Shield: Deposit tokens into your private RAILGUN balance with one click
- Send or Unshield: Transfer privately to any 0zk address, or withdraw to any public wallet
Non-custodial. No KYC. No accounts. No servers hold your keys.
How It Works
Private Address Derivation: Your 0zk address is derived deterministically from a signature of a project-specific message. Sign once with your connected wallet and the same private address is recoverable on any device. Optional random-entropy mode for users who want an independent mnemonic.
Zero-Knowledge Proofs: Every unshield uses a Groth16 zk-SNARK to prove ownership of UTXOs without revealing which ones. Proofs are generated entirely in-browser via snarkjs/WASM, no proving server, no trusted operator.
Encrypted UTXO Ledger: All balances live inside the RAILGUN Relay Adapt contract as an encrypted Merkle Tree. The contract keeps every UTXO individually accounted for while hiding which address owns which commitment.
Broadcaster Network: Unshield transactions can be submitted via the decentralised Waku broadcaster network. Broadcasters relay your signed transaction without learning the sender, recipient, or amount. The broadcaster is paid in the token being unshielded, no ETH required from you.
Proof of Innocence: Before every unshield, the SDK generates POI proofs to demonstrate that your UTXOs are not linked to known illicit sources. This keeps the protocol compliant at the edges while preserving user privacy.
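One way a signature-based derivation like the one under Private Address Derivation can be kept repeatable across wallets, as an added example that is not PrivacySend's or RAILGUN's code. The domain label, the HKDF-SHA256 step and the sample signature are assumptions; the point shown is canonicalizing the signature (low-s, no v byte) before hashing, since every ECDSA signature has an equally valid high-s twin and wallets encode v differently.

```javascript
// Node's built-in crypto, loaded so the file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");

// secp256k1 group order n: (r, s) and (r, n - s) verify for the same message.
const N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n;
const HALF_N = N >> 1n;

// ASSUMPTION: hypothetical domain-separation label, not the project's real message.
const DOMAIN = "example-0zk-seed-v1";

// CONSTRUCTED sample values (not a real signature or account).
const SAMPLE_SIG = "0x" + "11".repeat(32) + "22".repeat(32) + "1b";
const SAMPLE_ACCOUNT = "0x" + "ab".repeat(20);

// Parse a 65-byte r||s||v signature and return canonical r||s hex:
// low-s and without v, so encoding differences map to the same bytes.
function canonicalizeSignature(sigHex) {
  const hex = sigHex.startsWith("0x") ? sigHex.slice(2) : sigHex;
  if (!/^[0-9a-fA-F]{130}$/.test(hex)) throw new Error("expected 65-byte hex signature");
  const r = BigInt("0x" + hex.slice(0, 64));
  let s = BigInt("0x" + hex.slice(64, 128));
  const v = parseInt(hex.slice(128), 16);
  if (![0, 1, 27, 28].includes(v)) throw new Error("unexpected recovery id");
  if (r === 0n || r >= N || s === 0n || s >= N) throw new Error("r or s out of range");
  if (s > HALF_N) s = N - s; // fold the high-s twin onto its low-s form
  return r.toString(16).padStart(64, "0") + s.toString(16).padStart(64, "0");
}

// Derive 32 bytes of seed material, bound to the signing account via HKDF info.
// The signature is equivalent to the seed: treat it as key material, never log it.
// Repeatability also requires the wallet to sign with deterministic nonces
// (RFC 6979); a signer using random nonces yields a different r each time.
function deriveSeed(sigHex, account) {
  const ikm = Buffer.from(canonicalizeSignature(sigHex), "hex");
  const info = Buffer.from(`${DOMAIN}|${account.toLowerCase()}`);
  const out = nodeCrypto.hkdfSync("sha256", ikm, Buffer.alloc(0), info, 32);
  return Buffer.from(out).toString("hex");
}

console.log(deriveSeed(SAMPLE_SIG, SAMPLE_ACCOUNT));
```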
Privacy Primitives
Core Privacy Stack
Every PrivacySend wallet ships with three primitives built in. Not plugins, not add-ons.
Auto-Provisioned 0zk Address: Connect a wallet and it instantly receives a unique RAILGUN private address. Mnemonic encrypted at rest in browser IndexedDB, never transmitted, never stored on any server.
Groth16 zk-SNARK Proofs: Every unshield is backed by a local zero-knowledge proof. The prover runs fully in the browser via WASM, no remote proving service, no trust assumptions beyond the RAILGUN contracts themselves.
Waku Broadcaster Relaying: Unshield transactions can be relayed through the Waku peer-to-peer network. The broadcaster submits the tx, pays the gas, and takes a fee in the unshielded token. Your public wallet stays entirely off-chain for the operation.
Built-in Privacy Features
Every PrivacySend session ships with a full privacy toolkit on the UI. The user sees exactly what they can do and what each action reveals on-chain.
| Feature | Capability |
|---|---|
| Shield | Deposit ERC-20s from any connected wallet into the private balance |
| Private Transfer | Send between 0zk addresses with zero on-chain trace |
| Unshield (Broadcaster) | Withdraw to any public address without touching your connected wallet |
| Unshield (Self-Sign) | Withdraw directly with your own gas for maximum speed |
| POI Generation | Automatic Proof of Innocence generation before every spend |
| Live Fee Quote | Real-time broadcaster fee preview before submission |
UI Tools
| Component | Function |
|---|---|
| Token Picker | Curated ERC-20 list with logos, plus custom address entry |
| Max Button | One-click max amount with live shielded-balance display |
| Privacy Warning | Alerts when the unshield destination is your own public wallet |
| Status Bar | Live engine, broadcaster, and Merkle-tree scan status |
| Account Pills | Compact public + private address display with copy + reveal |
| Advanced Panel | Self-sign mode, broadcaster selection, proof progress |
Shielded Balance Model
Every user holds a private UTXO set that only they can spend. No observer, including the RAILGUN contracts, can link commitments to identities.
- Shield: Public tokens enter the contract and become encrypted commitments owned by your 0zk address
- Transfer: Commitments are consumed and new ones are created for the recipient, all inside the Merkle Tree
- Unshield: A zk-proof authorises the contract to release public tokens to any recipient you choose
The flywheel: more users means a larger anonymity set, which means stronger privacy for every user.
Features
| Feature | Description |
|---|---|
| One-Click Shield | Deposit any ERC-20 from a connected wallet in seconds |
| Live Balance | Real-time private balance with token logos and symbols |
| Token Picker | Curated token list plus custom address support |
| Max Button | Instant max with live balance display |
| Broadcaster Fee Quote | Live fee preview in the unshielded token |
| Privacy Warning | Alerts when destination equals your public wallet |
| Self-Sign Mode | Direct submission with your own gas |
| Deterministic Recovery | Same 0zk address on any device from wallet signature |
| Full Self-Custody | Optional random mnemonic for independent recovery |
| Browser-Native Proofs | Groth16 + WASM proof generation, no remote prover |
| Non-Custodial | Keys never leave the browser, encrypted in IndexedDB |
| Multi-Wallet Support | MetaMask, Rainbow, Coinbase, WalletConnect, and more |
Supported Networks
| Network | Status | Notes |
|---|---|---|
| Ethereum | Live | Full shield / transfer / unshield |
| Polygon | Live | Low-fee mainnet privacy |
| Arbitrum | Live | L2 shielding supported |
| BNB Chain | Live | Full RAILGUN contract support |
Security Model
PrivacySend is a client-side interface to audited RAILGUN contracts. It does not hold user funds, never has custody, and cannot move balances on behalf of users.
What the system does NOT do:
- Does not expose raw private keys. Mnemonic encrypted at rest in browser IndexedDB
- Does not transmit signing material. All signing happens locally in the user's wallet
- Does not store conversation or transaction history on any server
- Does not require KYC, email, or personal information
- Does not control which address receives an unshield. The user signs every action
What happens:
- Private keys exist only in browser memory at runtime
- Every transaction settles on-chain with cryptographic verification
- zk-proofs are verified by the RAILGUN smart contracts, not any off-chain party
- Broadcasters cannot see or modify the contents of the transactions they relay
- The UI is open-source; the underlying protocol is audited
Integration with Portal Ecosystem
| System | Integration |
|---|---|
| Clawtrl | Agent wallets can shield balances and pay privately via RAILGUN |
| Portal Create | Private checkout for AI content purchases using shielded USDC |
| Portal AI Bot | Private tipping and service payments via 0zk addresses |
| Agent Marketplace | Agent-to-agent payments with full on-chain privacy |
| Hermes Swarm | DeFi strategy agents with shielded operational balances |
| Portal SDK | Shield / unshield / transfer modules for developers |
Fees
| Action | Fee |
|---|---|
| Shielding (deposit) | 0.25% protocol fee |
| Unshielding (withdraw) | 0.25% + gas |
| Broadcaster fee | Variable, quoted live in the unshielded token |
| Private transfer (0zk → 0zk) | Gas only |
The 0.25% protocol fee is paid to the RAILGUN DAO. Broadcaster fees are set by individual broadcasters on the Waku network and quoted in real time before you submit.
Development Status
| Milestone | Target | Status |
|---|---|---|
| Core wallet (shield / unshield) | Q1 2026 | Live |
| Deterministic 0zk address derivation | Q1 2026 | Live |
| Groth16 in-browser proof generation | Q1 2026 | Live |
| Waku broadcaster integration | Q1 2026 | Live |
| Live broadcaster fee quoting | Q1 2026 | Live |
| Token picker + live balance + max button | Q1 2026 | Live |
| Proof of Innocence auto-generation | Q1 2026 | Live |
| Self-sign fallback mode | Q1 2026 | Live |
| Multi-network support (Polygon, Arbitrum, BNB) | Q2 2026 | In Progress |
| NFT shielding and private transfers | Q2 2026 | Planned |
| Mobile-responsive UI | Q2 2026 | In Progress |
| Private address book + contact labels | Q3 2026 | Planned |
| Batch unshield + scheduled withdrawals | Q3 2026 | Planned |