> For the complete documentation index, see [llms.txt](https://docs.redacted.money/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.redacted.money/protocol/architecture.md). # Architecture ## System Overview ``` ┌──────────────────┐ ┌──────────────────────────────────┐ │ Public Wallet │──── Deposit ─────→│ Private Reserve │ │ (on-chain addr) │←─── Withdraw ─────│ (Shared Privacy Layer) │ └──────────────────┘ │ │ │ • Aggregates all deposits │ │ • Encrypted stealth addresses │ │ • ZK proof verification │ │ • Balance ledger │ └──────────┬───────────────────────┘ │ Make Spendable / Move to Reserve │ ┌──────────▼───────────────────────┐ │ Spendable (Private Balance) │ │ │ │ • Isolated execution env │ │ • Private DeFi interactions │ │ • Fee deduction (15 bps) │ │ • Cannot call Reserve │ └──────────┬───────────────────────┘ │ Execute / Interact │ ┌──────────▼───────────────────────┐ │ Rujira Applications │ │ │ │ Trade • Perps • Liquidations │ │ Index • Borrow • Launchpad │ │ Strategies • Staking │ └──────────────────────────────────┘ ┌──────────────────────────────────────┐ │ Gas Tank (RUNE) │ │ • ~0.02 RUNE per swap │ │ • Funded from Public Account │ │ • Only needed for swaps/sends │ └──────────────────────────────────────┘ ``` ## Smart Contract Architecture Redacted is built with **CosmWasm** on Rujira and consists of three components: | Component | Role | | ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------- | | **Private Reserve** (Proxy Contract) | Central privacy pool. Handles deposits, withdrawals, balance tracking, stealth address encryption, and ZK proof verification | | **Spendable** (Sub-Wallet Contract) | Isolated execution environment for each user. Handles DeFi interactions, fee collection, and private transaction execution | | **Protocol Package** | Shared cryptographic library containing Groth16 ZK verification, elliptic curve operations, and common types | ## Security Properties * **Spendable accounts can only be called by the Private Reserve** — No external contract can trigger your Spendable account * **Spendable accounts cannot call the Reserve** — Prevents reentrancy attacks * **Spendable accounts cannot call other Spendable accounts** — Full isolation between users * **Every sensitive operation requires a ZK proof** — Creating a Spendable account, funding it, executing trades, withdrawing ## Zero-Knowledge Proofs Redacted uses **Groth16 zk-SNARKs** (on the BN254 elliptic curve) to let you prove you're authorized to perform an action — without revealing who you are. Every sensitive action requires a proof: | Action | What the Proof Validates | | ------------------------ | --------------------------------------------------------------------- | | Create Spendable account | You own the stealth address | | Fund Spendable | You own the Reserve balance and are authorized to move it | | Execute trade/swap | You own the Spendable account and authorize this specific transaction | | Withdraw | You own the Reserve balance and authorize withdrawal to this address | ### What ZK Proofs Do NOT Hide * **Pool balances** — Total Reserve balances are visible on-chain * **Trade execution** — Swaps execute through THORChain with standard visibility * **Transaction timing** — All operations have visible timestamps * **Transaction amounts** — Deposit and withdrawal amounts are public ZK proofs enforce **authorization without revealing identity**. They prove "I am allowed to do this" without revealing "I am the person who deposited X at time Y." ## Technical Specifications | Parameter | Value | | ---------------------- | ------------------------------ | | Stealth address length | 64 hex characters (32 bytes) | | Encryption algorithm | AES-256-CBC | | Hash function | SHA-256 | | ZK proof system | Groth16 (BN254 curve) | | Protocol fee | 15 bps (0.15%) per interaction | | Gas Tank denomination | RUNE only | | Swap fee | \~0.02 RUNE per transaction | ### Built With * **CosmWasm** — Smart contract framework for Cosmos-based chains * **Rust** — Systems programming language for contract development * **Rujira** — THORChain's omnichain application layer * **Groth16** — Zero-knowledge proof system for efficient on-chain verification * **BN254** — Elliptic curve for pairing-based cryptography ## Security Audits | Audit | Auditor | Date | Scope | | --------------------------- | ---------------- | --------------------- | ---------------------------------------------------------------- | | Rujira Smart Contract Audit | **FailSafe** | January–February 2026 | Proxy contract, Sub-Wallet contracts, Protocol Package on Rujira | | Terra Mixer Contract Audit | **SCV-Security** | September 2022 | Original mixer contracts on Terra | The FailSafe audit covered the full Redacted smart contract suite deployed on Rujira — including the Private Reserve (Proxy), Spendable (Sub-Wallet), and shared Protocol Package. 9 findings were identified (1 High, 1 Low, 7 Informational), with all critical issues resolved. * [FailSafe Audit Report (PDF)](https://getfailsafe.com/pdfs/Redacted%20-%20FailSafe%20Security%20Report%20-%20Final.pdf) * [FailSafe Audit Overview](https://getfailsafe.com/redacted-smart-contract-audit) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.redacted.money/protocol/architecture.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.