Privacy & security

Privacy & security model

Be precise about what is hidden and what is not. PoolPass hides the link between a subscription and an identity. It does not hide the amount, the timing, or the on-chain wallet.

What stays private versus what becomes public

Who sees what

Value               Investor  Issuer  Contract  Public observer
investor_id         yes       yes     no        no
cap                 yes       yes     no        no
investor_secret     yes       no      no        no
leaf                yes       yes     via root  no
merkle_root         yes       yes     yes       yes
amount              yes       yes     yes       yes
nullifier           yes       no      yes       yes
commitment          yes       no      yes       yes
subscribing wallet  yes       yes     yes       yes

What is NOT hidden

The amount is a public input; the commitment over the amount does not hide it. The timing of a subscription is observable. The on-chain identity of the subscribing wallet is visible to everyone, so if a wallet is already linked to a real-world identity, the subscription is too.

What the issuer knows

Everything about its own investors. The issuer builds the tree, so it holds every investor_id and cap. The privacy guarantee is against the public ledger and third parties, not against the issuer that accredited you. This is the correct trust model for a regulated pool: the issuer keeps its audit trail.

Cross-epoch linkability

The nullifier is Poseidon2(investor_secret, epoch). Because the secret is folded in with the epoch, an investor's nullifiers in epoch 1 and epoch 2 are unlinkable without the secret: a public observer cannot tell that the same investor subscribed in two different epochs. Within one epoch, the nullifier prevents a double subscription: a replay finalizes FAILED with NullifierUsed.
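The per-epoch nullifier and the contract-side replay check, as an added example that is not PoolPass code. It keeps the page's derivation, nullifier = Poseidon2(investor_secret, epoch), but stands in SHA-256 reduced into BN254 Fr for Poseidon2 (an assumption, so it runs with the standard library and is not circuit-compatible). EpochRegistry, walkthrough and the sample secret and amount are constructed for this example; the registry holds only what the table above says the contract and a public observer see.

```python
import hashlib
from typing import Dict, List, Set

# Modulus of the BN254 scalar field Fr, the field the page's Poseidon instance is defined over.
BN254_FR = 21888242871839275222246405745257275088548364400416034343698204186575808495617


def poseidon2_stand_in(*inputs: int) -> int:
    """Stand-in for Poseidon2 over Fr (assumption for this example).

    SHA-256 over 32-byte big-endian field encodings, reduced into Fr. It keeps the
    (secret, epoch) -> field-element shape but is not the circuit's hash; a real build
    uses Poseidon2 with the stated round parameters so the proof and contract agree.
    """
    h = hashlib.sha256()
    for x in inputs:
        h.update((x % BN254_FR).to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % BN254_FR


def nullifier(investor_secret: int, epoch: int) -> int:
    """nullifier = Poseidon2(investor_secret, epoch), as the page defines it."""
    return poseidon2_stand_in(investor_secret, epoch)


class EpochRegistry:
    """Contract-side view, constructed for this example.

    One nullifier set per epoch plus the public (epoch, nullifier, amount) records.
    No investor_id, cap or investor_secret ever reaches this side.
    """

    def __init__(self) -> None:
        self._used: Dict[int, Set[int]] = {}
        self.ledger: List[dict] = []  # what a public observer can read back

    def subscribe(self, epoch: int, nf: int, amount: int) -> dict:
        seen = self._used.setdefault(epoch, set())
        if nf in seen:
            # Replay within the same epoch: finalize FAILED with NullifierUsed.
            return {"status": "FAILED", "reason": "NullifierUsed"}
        seen.add(nf)
        self.ledger.append({"epoch": epoch, "nullifier": nf, "amount": amount})
        return {"status": "FINALIZED"}


def walkthrough() -> dict:
    """Double subscription in one epoch, then a fresh subscription in the next epoch."""
    secret = 0x5EC2E7  # constructed investor_secret; in practice a random Fr element
    reg = EpochRegistry()
    n1 = nullifier(secret, 1)
    n2 = nullifier(secret, 2)
    first = reg.subscribe(1, n1, 50_000)       # accepted
    replay = reg.subscribe(1, n1, 50_000)      # same epoch, same nullifier: rejected
    next_epoch = reg.subscribe(2, n2, 50_000)  # new epoch, new nullifier: accepted
    return {
        "first": first,
        "replay": replay,
        "next_epoch": next_epoch,
        "nullifiers_differ": n1 != n2,
        "ledger": reg.ledger,
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, value)
```

The ledger the walkthrough returns is the public record: it carries the epoch, the nullifier and the amount, which matches what the page says is visible, and nothing that names the investor. The two nullifiers differ only because the epoch changed; without investor_secret an observer has no way to recompute either one and so no way to tie them together.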

Security assumptions

  • Discrete log on BN254. Groth16 soundness rests on the hardness of the discrete logarithm in the BN254 pairing groups. BN254 targets roughly 100-bit security, adequate for a testnet build, and a known consideration for a mainnet curve choice.
  • Poseidon collision resistance. Leaf, nullifier, and commitment integrity depend on Poseidon being collision-resistant over BN254 Fr with the stated round parameters.
  • Groth16 trusted setup. This build uses a Phase-1 (powers-of-tau) hackathon setup, not a ceremony-grade Phase-2. A leaked toxic-waste value would let a forger mint proofs. A multi-party Phase-2 ceremony is on the roadmap before any mainnet deployment.

Honest framing

Anyone can verify a subscription; no one is asked to trust the team. The trust you do extend is to the issuer (which accredited you) and to the trusted-setup assumption (which the roadmap addresses with a public ceremony).