// HOW IT WORKS
we oversimplified zcash on purpose.
in 2025, a counterfeiting-class bug was disclosed in Zcash. the cryptography was fine. the surrounding code wasn't. our take: every line you keep is a line that can be wrong. so we kept almost none.
01
one shielded pool. ever.
the recent bug lived in the seams between Zcash's three historical pools. we have one pool. there are no seams.
✓ KEPT
- Orchard-style notes
- Halo 2 proofs (no trusted setup)
✗ REMOVED
- Sprout pool
- Sapling pool
- turnstile migration code
- pool-to-pool accounting
02
three instructions. that's the whole program.
the entire on-chain surface is three instructions and a per-block supply check. there is no admin key, no upgrade path, no flag an attacker can flip.
✓ KEPT
- shield(amount)
- transfer(proof)
- unshield(amount, proof)
✗ REMOVED
- governance ops
- upgrade authority
- admin keys
- fee markets
- feature flags
03
supply is checked every block.
validators reject any block that doesn't conserve supply. you don't need to trust a research team to notice an exploit months later — the chain notices in the next slot.
✓ KEPT
- Σ(in) === Σ(out) + issuance, per block
- deterministic reference client
✗ REMOVED
- off-chain audits as the source of truth
- trust in any single validator
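one reading of the per-block supply check, as an added Rust example that is not the project's own code: replay a block's three instruction types against the pool total and reject the block if the total it claims does not match. the `Ix`, `Reject` and `check_block` names, the u64 base-unit amounts and the `claimed_after` value are assumptions, and the issuance term is left at zero to keep to the pool-balance case.

```rust
// Added illustration, not the project's code. All names here are hypothetical;
// amounts are assumed to be u64 base units and issuance is treated as zero.
#[derive(Clone, Copy)]
pub enum Ix {
    Shield(u64),   // value enters the pool
    Transfer,      // pool-internal; the proof hides amounts, net change is zero
    Unshield(u64), // value leaves the pool
}

#[derive(Debug, PartialEq)]
pub enum Reject {
    Overflow,
    PoolUnderflow,
    Mismatch { expected: u64, claimed: u64 },
}

/// Replays a block's instructions against the pool total before the block and
/// returns the new total, or the reason the block must be rejected.
pub fn check_block(pool_before: u64, ixs: &[Ix], claimed_after: u64) -> Result<u64, Reject> {
    let mut pool = pool_before;
    for ix in ixs {
        pool = match *ix {
            Ix::Shield(a) => pool.checked_add(a).ok_or(Reject::Overflow)?,
            Ix::Transfer => pool,
            // Withdrawing more than the pool holds is the counterfeiting symptom.
            Ix::Unshield(a) => pool.checked_sub(a).ok_or(Reject::PoolUnderflow)?,
        };
    }
    if pool != claimed_after {
        return Err(Reject::Mismatch { expected: pool, claimed: claimed_after });
    }
    Ok(pool)
}

fn main() {
    // Constructed sample blocks.
    let honest = [Ix::Shield(500), Ix::Transfer, Ix::Unshield(200)];
    println!("{:?}", check_block(1_000, &honest, 1_300));
    let inflated = [Ix::Shield(10), Ix::Unshield(2_000)];
    println!("{:?}", check_block(1_000, &inflated, 0));
}
```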
// BY THE NUMBERS
LINES OF PROGRAM CODE: ≈ 480
SHIELDED POOLS: 1
INSTRUCTIONS: 3
ADMIN KEYS: 0
UPGRADE AUTHORITY: none
TRUSTED SETUP: none
SETTLEMENT: solana · 400ms
SUPPLY AUDIT: every block
"we didn't patch the bug. we deleted the conditions that made it possible."
— design note 0.3 · the simplest thing that could possibly be private money.