What is ZeroPool

ZeroPool is an experimental non-custodial cost-efficient privacy solution for Ethereum. ZeroPool isn’t a transaction Mixer or something similar. It’s better to think of ZeroPool as a black box. Inside this black box, you can transfer, swap, and store different types of Ethereum assets with a strong privacy set. Before we go further, it’s good to define the notions of anonymity, privacy, and strong privacy that we are going to be used further.

• Anonymity is a common feature for public blockchains such as Bitcoin. It’s simply the fact that wallet addresses can’t be directly associated with a specific person unless the person exposes that. Also, a user can have as many wallets as he wants, which are not linked with each other. Nevertheless, the fact that transaction has happened and transacted amount between anonymous wallets are still exposed and available for everyone. At that point, I would like to separate weak and strong privacy for further usage in the article.
• Weak privacy: the transacted amount is hidden, but the receiver and sender addresses, as well as transactions graph, is publicly available.
• Strong privacy: the transaction graph itself is hidden, 3rd party observers can’t make any assumptions out of it.

There are blockchains that have strong privacy as a core feature, such as ZCash. In this public blockchains, 3rd party observer can’t restore the transaction graph but can verify that blockchains don’t have defects like double spends, or money created from nowhere.

Ethereum doesn’t have privacy features out of the box. However, we have a wide range of smart contract capabilities and several working designs of second-layer solutions. Combining these two things enhanced by Zero-Knowledge cryptography, we can bring missing privacy features into Ethereum.

It’s worth mentioning that there are other projects focused on building strong and weak privacy solutions with there own pros and cons. But ZeroPool is the one that is focused on strong privacy and cost-efficiency.

From a technical perspective, ZeroPool is based on optimistic Rollup. You can find a good explanation of what optimistic Rollup is over here. Rollup gives us an option to make transactions cost-efficient in terms of gas consumption. Using rollup, we move all expensive zkSNARKs computation off-chain. More explanations on ZeroPool under the hood is here: ethresear.ch.

ZeroPool BETA Release

At EthCC, we presented unaudited public beta available both mainnet and testnet. It’s unaudited, so you can use it at your own risk only.

Here how it looks like. First, you generate a ZeroPool account, just like a regular Ethereum account using a seed phrase, with one exception that ZeroPool uses a zkSNARK friendly babyJubJub elliptic curve.

New ZeroPool account creation

Then you see the main screen of the app whenever you try to do your first deposit or transaction app would ask you to make a gas donation.

Main screen & Gas donation request

ZeroPool gas fees are paid to the Relayer for publishing encrypted user transactions within a ZeroPool block in the mainnet smart contract. This smart contract is a key part of Rollup design as well as Relayer. A relayer basically is a server that verifies and aggregates transactions into blocks. Relayer could be a single machine or decentralized network. It’s a matter of particular technical design.

Once users donate gas on the Ethereum Mainnet, we will get an equal amount of ETH on the gas network.

The tricky part here is that we also need to hide gas payments. For this purpose, we simply use the same smart contract and cryptography but on the side chain. In that way, gas spending becomes hidden, just like regular ZeroPool transactions.

After the gas donation is made, you can make a deposit from Ethereum Mainnet to ZeroPool. At that moment, ZeroPool gas is required to transfer ownership of your deposit to your ZeroPool account. Since that point, no one will actually know what your actual ZeroPool address is, because the encrypted transaction contains only a proof of your deposit spent but not your actual address. Thus neither Relayer or any other ZeroPool user won’t be able to identify the owner of the funds.

Once you have ZeroPool balance you can transfer it to another ZeroPool user:

Transfer within ZeroPool

On the other hand, a user that you send money has to wait for the block to be published on ZeroPool smart contract, the client will try to decode all 256 transactions within the block, but what he will actually see is the proof that his balance has increased.

Finally, we have a withdrawal feature implemented as a regular optimistic Rollup withdrawal procedure that require some time-to-finality to be passed.

Withdraw procedure with fraud-proof challenge window

Further plans

At the moment we work on the migration of our codebase to Rust, and there are several reasons for that:

• The key thing for production-ready release is a Trusted Setup Procedure. There is a battle-tested codebase for a trusted setup.
• So far, we have built a browser version that requires Native BigInt support. Unfortunately, it’s not available on iOS. To fix that, we are going to package all computational-extensive parts into a WebAssembly.

The first step that we made is a core lib written in pure Rust. You can find it on our Github as well as all other code that is open source under MIT and Apache license.

If you like ZeroPool and think that privacy is essential, you can support us on GitCoin.