Privacy
Hides exactly what can be hidden. Honest about the rest.
Four production primitives, each addressing a different leak point. The boundary between what is hidden and what isn't is a property of building privacy on a public chain — not a marketing decision.
The four primitives
Each addresses a different leak point.
Semaphore
Each user posts a Poseidon commitment to an on-chain Merkle tree 𝒯. A Groth16 proof π over BN254 attests to four facts: knowledge of a leaf in 𝒯, knowledge of a wallet w with balanceOf(w) ≥ T at a recent Base block, a per-epoch nullifier, and a bound signal payload. The wallet is never transmitted.
XMTP
The Signal Protocol stack adapted for wallet-keyed identities. Initial agreement via X3DH over Curve25519, ongoing message keys via Double Ratchet, AES-256-GCM under per-message keys. XMTP nodes — including any operated by SHADE — store only ciphertext.
Phala TEE
Ad-hoc research queries run inside Intel SGX or AMD SEV-SNP enclaves under a unified attestation API. The user fetches an attestation α proving the running code matches a published binary hash, then encrypts under the enclave's ephemeral pubkey epk bound to α. Plaintext never appears outside enclave memory.
Railgun
Shielded UTXOs over Base. The user deposits v ETH from primary wallet w into Railgun, waits Δ drawn from a stochastic distribution 𝒟 to break timing correlation, and withdraws to a fresh wallet w' that executes the trade — unlinkable within the pool's anonymity set |S| at withdrawal time.
Formal properties
Three guarantees, under stated assumptions.
Subscription unlinkability
For any wallet w holding ≥ T $SHADE that authenticates via Semaphore proof π, no adversary in {𝒜_N, 𝒜_O, 𝒜_S} can link π to w with non-negligible advantage.
Query confidentiality
For any research query q submitted by an authenticated session, no adversary in {𝒜_N, 𝒜_O, 𝒜_S} outside the TEE enclave can recover q or its result r.
Trade-attribution unlinkability
For any trade t routed through Railgun or fresh-wallet rotation, 𝒜_C cannot link t to identity wallet w with probability better than the anonymity set allows: Pr[link(t,w)] ≤ 1/|S| + negl(λ).
Cryptographic assumptions
- DDH: Decisional Diffie-Hellman over Curve25519
- Groth16: Knowledge-of-exponent and AGM in BN254
- TEE integrity: SGX / SEV hardware attestation soundness
Threat model
The adversaries we model — and the ones we don't.
Network adversary
A passive observer of all network traffic. Cannot break TLS 1.3, AES-256, or Curve25519.
On-chain adversary
Full read access to Base, mempool, and connected L2s. Correlates timestamps, addresses, and gas fingerprints.
Operator adversary
SHADE itself, honest-but-curious. Controls servers and frontend. Cannot break TEE attestation or zk soundness.
Subscriber adversary
A paying subscriber attempting to deanonymize peers, harvest signals, or correlate on-chain activity.
Out of scope
- Global active adversaries controlling all network paths and the TEE vendor.
- Side-channel attacks on the user's local device.
- Out-of-band identity leaks (e.g. tweeting your own trades).
- On-chain settlement visibility — a property of Base, not SHADE.
What SHADE hides
- User identity at the application layer (Semaphore-gated subscription).
- Research queries and their results (TEE inference).
- The link between user identity and executed trades (Railgun routing).
What SHADE does not hide
- The trades themselves — Base is a public chain.
- On-chain state and settlement, visible to all observers.
- Aggregate timing patterns of message bursts (mitigated, not eliminated).
Anonymity-set analysis
Privacy is a number, surfaced before you trade.
The effective anonymity set is the count of comparable-magnitude deposits within a rolling time window. SHADE displays |S_eff| before each route and recommends delaying execution if it is below a configurable threshold.
- ε: 0.10 — 10% magnitude tolerance
- W: 24 hours, default rolling window
- d_i: Deposits to Railgun in window of size W
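The check described above, as an added example (not SHADE's own code): it counts deposits d_i inside the window W whose magnitude is within ε of the planned deposit v, then reports the 1/|S_eff| linkage bound and whether to delay. The membership rule |d_i − v| ≤ ε·v, the inclusion of the user's own deposit in the list, and the names `Deposit`, `effective_anonymity_set`, `route_advice` and `threshold` are assumptions; the page gives no formula.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal

EPSILON = Decimal("0.10")      # magnitude tolerance from the page
WINDOW = timedelta(hours=24)   # default rolling window W from the page


@dataclass(frozen=True)
class Deposit:
    amount_eth: Decimal        # magnitude of d_i
    seen_at: datetime          # block timestamp of the deposit


def effective_anonymity_set(deposits, v, now, eps=EPSILON, window=WINDOW):
    """Count d_i with |d_i - v| <= eps * v and now - W <= t_i <= now.

    Assumed reading of "comparable magnitude"; not taken from the page.
    """
    if v <= 0:
        raise ValueError("deposit value must be positive")
    lo, hi = v * (1 - eps), v * (1 + eps)
    return sum(
        1 for d in deposits
        if now - window <= d.seen_at <= now and lo <= d.amount_eth <= hi
    )


def route_advice(deposits, v, now, threshold):
    """Return (|S_eff|, linkage bound 1/|S_eff|, delay?) for a planned route."""
    s_eff = effective_anonymity_set(deposits, v, now)
    # An empty or single-member set gives no cover, so the bound is 1.
    bound = Decimal(1) if s_eff <= 1 else Decimal(1) / s_eff
    return s_eff, bound, s_eff < threshold


# Constructed sample data, not real chain activity.
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Deposit(Decimal("1.00"), NOW - timedelta(hours=1)),
    Deposit(Decimal("1.08"), NOW - timedelta(hours=5)),
    Deposit(Decimal("0.91"), NOW - timedelta(hours=23)),
    Deposit(Decimal("1.11"), NOW - timedelta(hours=2)),   # outside the 10% band
    Deposit(Decimal("1.00"), NOW - timedelta(hours=25)),  # outside the window
    Deposit(Decimal("5.00"), NOW - timedelta(hours=3)),   # different magnitude
]

if __name__ == "__main__":
    print(route_advice(SAMPLE, Decimal("1.00"), NOW, threshold=10))
```

Round or odd-sized deposits change the count sharply: in the sample, a 1.11 ETH deposit sits just outside the band around 1.00 ETH and contributes nothing to |S_eff|.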