ZK Privacy Layer for EVM Networks
ZK privacy infrastructure for EVM networks: a shielded pool with Proof-of-Innocence compliance, deployed end-to-end with proven circuits and live on Telos mainnet.
On a fully transparent ledger, every balance, counterparty, and transaction amount is readable by anyone. For institutional holders, DAOs moving treasury funds, and protocols handling competitive flows, that visibility is a real cost: it exposes trading strategy, signals positions to front-runners, and keeps capital that needs confidentiality off-chain or out of DeFi entirely. Some participants also need selective disclosure for compliance without making every flow fully public.
A ZK privacy layer is shielded-transaction infrastructure that lets users hold and move assets on a public EVM network without exposing balances, counterparties, or amounts on-chain. Zero-knowledge proofs keep transactions private while every transaction still settles on the base chain.
Protofire deploys this layer end to end: a shielded pool plus the relayer, indexer, and wallet around it. We build it for chains and protocols that need on-chain privacy as a production feature, not a year-long research effort: EVM L1/L2 chains closing a liquidity gap, DEXes and protocols with front-running-sensitive flows, DAOs with confidential treasury requirements, and any team that wants private transactions but has no in-house ZK team.
The deployment forks the open-source, audited zkBob protocol, so you ship proven circuits rather than invented cryptography. And it is already running: Protofire built the Telos zkWallet, a production shielded pool live on Telos mainnet today, and that is the same stack we deploy for other networks.
ZK privacy stack we build and operate
From compiled circuits to user-facing wallet, Protofire delivers every layer.
ZK Circuits (Circom/Groth16)
Client-Side Prover
On-Chain Verifier Contract
Shielded Pool Contract
Relayer and Indexer
White-Label Wallet
What we deploy
A shielded pool is the core of a ZK privacy layer: a single contract where users deposit ("shield") assets and then transfer them privately inside the pool, so on-chain observers see deposits and withdrawals but not the transfers between them. We deploy a production pool based on a fork of the open-source zkBob protocol (Groth16 zk-SNARKs generated from Circom circuits), adapted to your EVM network.
It supports shield (deposit), private internal transfers, and unshield (withdrawal) across multiple tokens, typically your dominant stablecoins (USDC, USDT) and the native gas token, with batch transfers of up to 127 recipients in a single transaction. Because the pool reuses audited circuits rather than custom cryptography, the attack surface is known rather than invented, and deposit caps can throttle risk during the early mainnet phase. Benefits: private transactions on a public ledger · proven circuits, not novel crypto · multi-token support out of the box.
The first objection every chain raises is regulatory: does a privacy layer just rebuild Tornado Cash? Our deployment is built the opposite way. Proof-of-Innocence circuits let a user prove their funds are not connected to flagged deposits, and relayer-level screening (TRM Labs) blocks known bad-actor addresses at deposit time, before they ever enter the pool.
For institutional lanes, KYC hooks gate deposits behind a whitelisted-provider signature, and configurable daily limits bound exposure. The result is a permissioned-privacy option that keeps privacy-seeking capital inside a controlled, auditable environment with selective disclosure, instead of pushing it toward sanctioned mixers.
An authorized party can be granted a viewing key to inspect specific flows for audit or reporting without breaking privacy for everyone else. The network gains regulated, confidential capital flow without taking the base layer's compliance risk onto itself. Posture is a per-deployment configuration choice, not an afterthought. Benefits: defensible regulatory story · bad-actor screening at deposit · optional KYC-gated lanes for institutional capital.
Two things decide whether zero-knowledge privacy is actually usable: how long a proof takes to generate, and whether a new user needs the network's gas token to make their first private transfer. We address both. Proofs are generated client-side, so private inputs never leave the user's device, and the relayer abstracts gas entirely: users transact paying only in shielded stablecoins, with no native gas token required to get started.
On the proving side, where the wallet runs on desktop we generate proofs natively rather than in the browser, the difference between a multi-second stall and a near-instant confirmation (see the Telos result below). An indexer reconstructs each user's shielded balance from on-chain commitments, so the wallet shows spendable funds without exposing them publicly.
The relayer, indexer, and gas-abstraction layer are part of the delivery, not left to your team. Benefits: responsive proving · no gas-token onboarding friction · full backend delivered, not contracts alone.
A shielded pool with no front end is infrastructure no one uses. We ship a white-label wallet, a fork of the zkBob UI packaged as a cross-platform desktop application, that your ecosystem can rebrand as a native "private mode." It abstracts the ZK-SNARK machinery behind a normal send-and-receive flow, keeping the experience close to a standard Web3 wallet.
The full stack we hand over is: shielded-pool smart contracts (Pool, Verifier, Parameters), Circom privacy circuits with a public trusted-setup ceremony, a relayer service, and an indexer (a Subsquid processor with a GraphQL API). Typical delivery is 8-12 weeks across testnet and mainnet, run by a 4-6 person team of ZK, Solidity, backend, and DevOps engineers.
The result is a private-transaction product your users can install and your ecosystem can rebrand, not a pile of contracts to integrate. Benefits: installable product, not a bare protocol · your brand and UX · senior ZK + infra team, no hiring needed.
How a deployment works
Discovery and Scoping
Fork and Ceremony
Backend and Infrastructure
Launch and Handover
What teams deploy a ZK privacy layer for
How we cut shielded-payment latency by ~80% on Telos
Telos partnered with Protofire to make private transactions practical for everyday users on Telos EVM. During discovery we found the blockers weren't cryptographic. They were UX friction, the coordination of four moving parts (contracts, circuits, relayer, indexer), and proof latency: browser-based proof generation took 15-25 seconds per private transfer, long enough to make the feature feel broken.
Our approach was to deploy the full privacy stack as one system and move the slowest part off the browser. We adapted the open-source zkBob protocol to Telos EVM, deployed the shielded-pool contracts, ZK-SNARK circuits, relayer, and Subsquid indexing, ran a trusted-setup ceremony, and, in the key move, reimplemented proof generation in native Rust inside an Electron desktop app for macOS, Windows, and Linux.
The outcome: proof latency dropped from 15-25 seconds to roughly 3-5 seconds, an improvement of up to 80%, giving Telos a production privacy wallet on mainnet with a UX comparable to a standard Web3 wallet. It is live at privacy.telos.protofire.io, with open-source contracts, circuits, and infrastructure. See the full case study: Telos zkWallet.
ZK privacy from a team that ships infrastructure
Protofire is an engineering company that has shipped 250+ projects across 60+ networks and 95+ protocols since 2016, so our ZK privacy work comes from a team that runs production blockchain infrastructure rather than a single-product privacy startup. We maintain Solhint, the open-source Solidity linter used by 1M+ developers; we serve as a Safe Guardian with deployments across 120+ EVM networks securing $2B+ in assets; and we operate a top-3 indexer in The Graph ecosystem.
The Telos zkWallet pool is live on mainnet today. On Telos we cut shielded-payment latency from 15-25 seconds to roughly 3-5 seconds, an up-to-80% improvement, and open-sourced the contracts, circuits, and infrastructure so the foundation can run its own backup node. For a chain or protocol that needs private transactions but has no in-house ZK team, that combination is the point: a shielded pool we have actually deployed, plus the discipline to operate it.
“Private transactions on a public ledger, with compliance and regulatory defensibility built in.”
Deployed a full zkBob-based shielded pool on Telos EVM (upstream circuits audited by ChainSecurity, Jan 2023); moved proof generation to native Rust, cutting latency from 15-25 s to ~3-5 s and making private transactions practical for everyday users.
ZK Privacy Layer: Build In-House vs. Turnkey Deployment
| Build ZK privacy layer in-house | Protofire | |
|---|---|---|
| Cryptography & proving circuits | Novel crypto design; bears full security risk of new implementation | Proven zkBob circuits (forked from audited protocol, Groth16 zk-SNARKs); known attack surface |
| Deployment speed | 6+ months for a team building the full privacy stack from scratch | 8-12 weeks for turnkey deployment to mainnet (testnet, trusted-setup ceremony, production) |
| Team size & expertise required | 4-6+ ZK specialists, Solidity engineers, and DevOps (expensive, rare) | Protofire provides 4-6 person team (ZK, Solidity, backend, DevOps) on engagement |
| Operational completeness | Build shielded-pool contracts, relayer, indexer, wallet separately | Full stack delivered: pool contracts, ZK circuits, relayer (with gas abstraction), Subsquid indexer, white-label wallet |
FAQ
What is a ZK privacy layer?
Is a ZK privacy layer compliant or regulator-friendly?
How long does it take to deploy a shielded pool?
How much does a ZK privacy layer cost?
We're an EVM chain losing liquidity to larger ecosystems. How does this help?
We already have an in-house ZK team. Why use Protofire?
Reviewed by Luis Medeiros, Field CTO at Protofire. Last reviewed: June 2026.


