Frequently Asked Questions

Common questions about ZKMix, privacy, and zero-knowledge proofs

General

What is ZKMix?

ZKMix is a non-custodial privacy protocol on Solana that allows users to break the on-chain link between a sending address and a receiving address. You deposit a fixed amount of tokens into a shared pool and later withdraw the same amount to a different address using a zero-knowledge proof. The proof demonstrates that you are a legitimate depositor without revealing which deposit is yours. This severs the transaction graph between the two addresses.

Is ZKMix safe to use?

ZKMix's smart contracts and zero-knowledge circuits have been professionally audited. The protocol is non-custodial, meaning your funds are controlled by cryptographic proofs rather than any person or organization. The core cryptographic primitives (Groth16, Poseidon) are well-studied and widely deployed across the blockchain industry. However, as with any smart contract protocol, risks exist. Smart contracts may contain undiscovered bugs, the underlying cryptographic assumptions could theoretically be broken by future advances, and user error (such as losing a note) can result in permanent loss of funds. You should never deposit more than you are willing to lose and should review the audit reports before using the protocol.

Is it legal to use ZKMix?

ZKMix is a privacy tool, and privacy is a fundamental right recognized in many legal frameworks worldwide. Using ZKMix for legitimate privacy purposes, such as preventing financial surveillance, protecting personal security, or maintaining confidentiality, is legal in most jurisdictions. However, using any tool, including ZKMix, to facilitate illegal activity such as money laundering or sanctions evasion is illegal. Users are responsible for complying with the laws of their jurisdiction. ZKMix does not collect user data, enforce geographic restrictions, or monitor how the protocol is used. The protocol operates autonomously on-chain without any centralized control.

How is ZKMix different from Tornado Cash?

ZKMix shares the same fundamental design as Tornado Cash (fixed-denomination pools, commitment/nullifier scheme, Groth16 proofs) but differs in several important ways:

  • Blockchain: ZKMix runs on Solana rather than Ethereum. This means sub-second finality, transaction fees under $0.01, and higher throughput.
  • Hash function: ZKMix uses Poseidon instead of MiMC. Poseidon is more efficient in ZK circuits and has received more recent cryptanalysis attention.
  • Architecture: ZKMix is implemented as a native Solana program (not an EVM contract), taking advantage of Solana-specific optimizations for proof verification and Merkle tree storage.
  • Relayer design: ZKMix relayers are adapted for Solana's transaction model, including compute budget management and priority fees.
  • Active development: ZKMix is actively maintained and developed with ongoing improvements to the protocol and user interface.

Who built ZKMix?

ZKMix was built by an independent team of cryptography engineers and Solana developers. The protocol is open source, and the team does not have any special access to or control over the deployed smart contracts. After deployment, the protocol operates autonomously.

Privacy

How does ZKMix protect my privacy?

ZKMix protects privacy through three mechanisms:

  1. Fixed denominations: All deposits in a pool are the same size, so the amount transferred provides no linking information.
  2. Zero-knowledge proofs: The withdrawal proof demonstrates that you made a valid deposit without revealing which one. An observer sees only that a withdrawal occurred, not which deposit it corresponds to.
  3. Nullifier scheme: Each deposit can only be withdrawn once, enforced by publishing a nullifier hash that prevents double-spending. The nullifier hash cannot be linked back to the original commitment without knowledge of the private secret.

Together, these mechanisms ensure that the on-chain data contains no information linking a specific deposit to a specific withdrawal.

Can my transactions be traced through ZKMix?

Under normal operation with proper usage practices, no. The zero-knowledge proof reveals nothing about which deposit is being spent. An observer can see that a deposit was made and that a withdrawal was made, but cannot link the two. However, privacy can be weakened by user behavior:

  • Depositing and withdrawing immediately with no other deposits in between.
  • Using the same IP address for deposit and withdrawal without a VPN or Tor.
  • Depositing a distinctive pattern of amounts across multiple pools that can be correlated.
  • Funding the withdrawal wallet from the deposit wallet to pay fees (use a relayer instead).

ZKMix provides the cryptographic tools for privacy, but operational security is the user's responsibility.

What is an anonymity set?

The anonymity set is the group of deposits that a given withdrawal could plausibly originate from. When you withdraw, an observer knows only that you are one of the depositors in the pool. The size of the anonymity set is the number of deposits in the pool. A pool with 10,000 deposits has an anonymity set of 10,000, meaning your withdrawal could have come from any of those 10,000 deposits. Larger anonymity sets provide stronger privacy because the probability of correctly guessing which deposit is yours decreases.

How long should I wait before withdrawing?

There is no enforced minimum wait time, but longer waits generally provide stronger privacy. The key factor is not elapsed time but the number of new deposits that occur after yours. If 500 deposits have been made since yours, you have a meaningful anonymity set regardless of whether those deposits happened over one hour or one month. As practical guidelines:

  • Acceptable privacy: 50+ subsequent deposits.
  • Good privacy: 200+ subsequent deposits.
  • Strong privacy: 1,000+ subsequent deposits.

The ZKMix interface shows the current anonymity set size for each pool and indicates when privacy is sufficient based on these thresholds.

Can I deposit and withdraw different amounts?

No. ZKMix uses fixed-denomination pools, and you must withdraw the exact same denomination you deposited. This is a deliberate design choice because variable amounts would allow statistical analysis to link deposits and withdrawals. If you deposited 7.3 SOL and later someone withdrew 7.3 SOL, the unusual amount would strongly suggest a link. Fixed denominations eliminate this vector. If you need to mix a larger amount, make multiple deposits across one or more pools and withdraw them to different recipient addresses at different times.

Technical

How do ZK-SNARKs work?

ZK-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge) allow a prover to convince a verifier that a statement is true without revealing any information beyond the truth of the statement. In ZKMix, the statement is: "I know a secret and nullifier that hash to a commitment contained in the Merkle tree." The proof is:

  • Zero-knowledge: The verifier learns nothing about the secret, nullifier, or which commitment is involved.
  • Succinct: The proof is small (a few hundred bytes) regardless of the tree size.
  • Non-interactive: The prover generates the proof independently; no back-and-forth communication with the verifier is needed.
  • Argument of knowledge: The proof guarantees that the prover actually knows the secret values, not just that they exist.

ZKMix uses the Groth16 proving system, which produces the smallest proofs and fastest verification times among deployed ZK-SNARK systems. The tradeoff is that Groth16 requires a circuit-specific trusted setup.

What is the trusted setup?

The trusted setup is a one-time ceremony that generates the proving and verification keys used by the Groth16 proof system. During the setup, random secret values (often called "toxic waste") are used to compute these keys. If any single participant in the ceremony honestly destroys their secret contribution, the resulting keys are secure, and no one can create fraudulent proofs.

ZKMix conducted its trusted setup ceremony with over 100 independent participants from the Solana community. Each participant contributed randomness and attested to destroying their secret values. The security guarantee is that as long as at least one participant was honest, the system is sound. The ceremony transcripts and verification tools are publicly available for anyone to audit.

What is a Poseidon hash?

Poseidon is a cryptographic hash function designed specifically for use in zero-knowledge proof circuits. Traditional hash functions like SHA-256 are efficient on CPUs but extremely expensive inside arithmetic circuits because they use bitwise operations that must be decomposed into many arithmetic constraints. Poseidon operates natively over prime fields using only additions and multiplications, making it roughly 8 to 10 times more efficient in ZK circuits. In ZKMix, Poseidon is used to compute commitments, nullifier hashes, and Merkle tree node hashes.

What is a nullifier and why is it needed?

A nullifier is a random value generated at deposit time alongside the secret. Its purpose is to prevent double-spending. When you withdraw, you reveal the hash of the nullifier (not the nullifier itself). The smart contract records this hash and rejects any future withdrawal that attempts to use the same nullifier hash. Because the nullifier hash is computed inside the ZK circuit alongside the commitment verification, it is cryptographically bound to a specific deposit but cannot be linked to that deposit by an observer who does not know the raw nullifier value.

Is the code open source?

Yes. All ZKMix components are open source:

  • Smart contracts: The Solana program that manages pools, verifies proofs, and processes deposits and withdrawals.
  • ZK circuits: The Circom circuits that define the zero-knowledge proof logic.
  • Client SDK: The TypeScript library for generating commitments, computing witnesses, and creating proofs.
  • Web interface: The React-based frontend for interacting with the protocol.
  • Relayer: The Node.js service that submits withdrawal transactions on behalf of users.

The source code is available on GitHub, and contributions are welcome.

Has ZKMix been audited?

Yes. ZKMix has undergone professional security audits covering:

  • Smart contract audit: The Solana program was audited for logic errors, access control issues, arithmetic overflows, and reentrancy-like vulnerabilities specific to the Solana runtime.
  • Circuit audit: The Circom circuits were audited for constraint soundness, under-constrained signals, and potential for proof forgery.
  • Cryptographic review: The choice of hash functions, proof system, and parameter sizes was reviewed by independent cryptographers.

Audit reports are published in the project's documentation repository. Despite audits, no software can be guaranteed free of bugs, and users should assess their own risk tolerance.

Practical Usage

What tokens does ZKMix support?

ZKMix currently supports:

  • SOL: Native Solana token in denominations of 1, 10, and 100 SOL.
  • USDC: SPL token in denominations of 100, 1,000, and 10,000 USDC.
  • USDT: SPL token in denominations of 100, 1,000, and 10,000 USDT.

Additional tokens and denominations may be added through governance proposals. Each token and denomination has its own independent pool with its own Merkle tree and anonymity set.

What are the fees?

ZKMix itself charges no protocol fees. The costs you incur are:

  • Solana network fees: Approximately 0.001 SOL per transaction (deposit or withdrawal). These fees go to Solana validators.
  • Relayer fees (optional): If you use a relayer to submit your withdrawal, the relayer charges a fee, typically 0.1% to 0.5% of the denomination. This fee is deducted from the withdrawn amount.

There are no deposit fees, no withdrawal fees, and no percentage-based protocol fees.

What happens if I lose my note?

If you lose your note, your funds cannot be recovered. The note contains the secret and nullifier that are required to generate the withdrawal proof. Without these values, no one, including the ZKMix team, can produce a valid proof for your deposit. The funds will remain locked in the smart contract permanently.

This is why saving your note securely is the most critical step in the deposit process. Use an encrypted password manager, create multiple backups, and verify that your note is correct by checking it against the pool before relying on it.

What is a relayer?

A relayer is a service that submits your withdrawal transaction to the Solana network on your behalf. The primary use case is withdrawing to a fresh wallet that has no SOL to pay transaction fees. Instead of funding the new wallet from a connected address (which would create a link), you send your proof to a relayer, which submits the transaction and pays the fee. The relayer fee is deducted from the withdrawn amount by the smart contract, so the relayer is paid atomically and trustlessly.

Relayers do not have access to your private data. They receive the same information that becomes public on-chain: the proof, nullifier hash, and recipient address. They cannot steal your funds because the recipient address is cryptographically bound into the proof.

Can I use ZKMix on mobile?

Yes. The ZKMix web application is responsive and works on mobile browsers. However, proof generation is computationally intensive, and mobile devices may take 20 to 45 seconds to generate a proof. Make sure your screen stays active during proof generation to prevent the browser from throttling the computation. Mobile wallets like Phantom's mobile app support dApp connections via the in-app browser.

Can I use ZKMix programmatically?

Yes. ZKMix provides a TypeScript SDK that allows you to integrate deposits and withdrawals into your own applications. The SDK handles commitment generation, Merkle tree state fetching, witness construction, proof generation, and transaction building. See the SDK documentation for API references and examples.

What happens if the ZKMix website goes down?

Your funds are stored in a Solana smart contract, not on the ZKMix website. If the website goes down, you can still withdraw using:

  • The ZKMix CLI tool.
  • The TypeScript SDK.
  • Any custom client that can interact with the deployed Solana program.

The smart contract is immutable and will continue to function as long as the Solana network is operational. The circuit files, proving keys, and verification keys are distributed and available from multiple sources.

How does ZKMix handle Solana network congestion?

During periods of high network congestion, transactions may take longer to confirm or may be dropped. ZKMix handles this in several ways:

  • Root history: The smart contract stores a history of recent Merkle roots, so your proof remains valid even if new deposits occur between proof generation and transaction confirmation.
  • Retry logic: The client and relayers implement automatic retry with increasing priority fees.
  • Proof validity: Once generated, a proof remains valid as long as its Merkle root is in the contract's root history (currently the last 100 roots). You do not need to regenerate the proof if your transaction is delayed.
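The commitment/nullifier scheme from the Privacy section, the double-spend check from the nullifier answer, and the root-history window from this answer, modelled together as an added example that is not ZKMix's own code. It assumes SHA-256 as a stand-in for Poseidon, a toy 128-leaf tree, and an in-the-clear Merkle check in place of Groth16 verification, so it demonstrates the program's bookkeeping (which roots and nullifier hashes are accepted), not the zero-knowledge property itself.

```typescript
import { createHash } from "crypto";

// Stand-in for Poseidon (an assumption of this example): SHA-256 over the joined inputs.
const H = (...parts: string[]): string =>
  createHash("sha256").update(parts.join("|")).digest("hex");
const DEPTH = 7;          // toy tree of 128 leaves; the real tree is far deeper
const ROOT_HISTORY = 100; // the page states the program keeps the last 100 roots
const ZERO = H("zero-leaf");
// The note is what the depositor keeps; its two secrets are the only way to spend the deposit.
export interface Note { nullifier: string; secret: string; index: number }
export const commitmentOf = (n: Note): string => H(n.nullifier, n.secret);
export const nullifierHashOf = (n: Note): string => H(n.nullifier); // unlinkable to the commitment

// Models the on-chain state of one fixed-denomination pool.
export class Pool {
  private leaves: string[] = [];
  private roots: string[] = [this.path(0).root]; // ring buffer of recent roots
  private spent = new Set<string>();             // nullifier hashes already used

  // Current root plus the sibling hashes from leaf `index` upward (what a client fetches).
  path(index: number): { root: string; siblings: string[] } {
    let level = [...this.leaves];
    while (level.length < 2 ** DEPTH) level.push(ZERO);
    const siblings: string[] = [];
    for (let i = index; level.length > 1; i >>= 1) {
      siblings.push(level[i ^ 1]);
      const next: string[] = [];
      for (let j = 0; j < level.length; j += 2) next.push(H(level[j], level[j + 1]));
      level = next;
    }
    return { root: level[0], siblings };
  }
  deposit(commitment: string): number {
    this.leaves.push(commitment);
    this.roots.push(this.path(0).root);
    if (this.roots.length > ROOT_HISTORY) this.roots.shift();
    return this.leaves.length - 1;
  }
  // The program's checks. Groth16 verification is replaced by recomputing the Merkle root
  // from the note and siblings in the clear; a real verifier never sees the note or index.
  withdraw(root: string, nullifierHash: string, note: Note, siblings: string[]): string {
    if (!this.roots.includes(root)) return "rejected: unknown root";
    if (this.spent.has(nullifierHash)) return "rejected: nullifier already spent";
    let node = commitmentOf(note);
    siblings.forEach((s, d) => { node = (note.index >> d) & 1 ? H(s, node) : H(node, s); });
    if (node !== root || nullifierHash !== nullifierHashOf(note)) return "rejected: invalid proof";
    this.spent.add(nullifierHash);
    return "ok";
  }
}
```

A proof built against an older root stays accepted while that root is among the last 100 and is rejected once 100 later deposits have pushed it out of the window.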

Can the ZKMix team access my funds?

No. The ZKMix smart contract is deployed without any admin keys, upgrade authority, or emergency withdrawal mechanism. There is no multisig, no timelock, and no backdoor. The only way to withdraw funds from the contract is to present a valid zero-knowledge proof, which requires knowledge of the secret and nullifier from the deposit note. The ZKMix team does not have access to any user's notes and cannot produce valid proofs for any deposit they did not make themselves.