Skip to content

ZK Privacy Layer for EVM Networks

In short

ZK privacy infrastructure for EVM networks: a shielded pool with Proof-of-Innocence compliance, deployed end-to-end with proven circuits and live on Telos mainnet.

80%
latency improvement
250+
projects shipped
60+
networks supported
1M+
developers
Trusted by teams building on-chain

On a fully transparent ledger, every balance, counterparty, and transaction amount is readable by anyone. For institutional holders, DAOs moving treasury funds, and protocols handling competitive flows, that visibility is a real cost: it exposes trading strategy, signals positions to front-runners, and keeps capital that needs confidentiality off-chain or out of DeFi entirely. Some participants also need selective disclosure for compliance without making every flow fully public.

A ZK privacy layer is shielded-transaction infrastructure that lets users hold and move assets on a public EVM network without exposing balances, counterparties, or amounts on-chain. Zero-knowledge proofs keep transactions private while every transaction still settles on the base chain.

Protofire deploys this layer end to end: a shielded pool plus the relayer, indexer, and wallet around it. We build it for chains and protocols that need on-chain privacy as a production feature, not a year-long research effort: EVM L1/L2 chains closing a liquidity gap, DEXes and protocols with front-running-sensitive flows, DAOs with confidential treasury requirements, and any team that wants private transactions but has no in-house ZK team.

The deployment forks the open-source, audited zkBob protocol, so you ship proven circuits rather than invented cryptography. And it is already running: Protofire built the Telos zkWallet, a production shielded pool live on Telos mainnet today, and that is the same stack we deploy for other networks.

ZK privacy stack we build and operate

From compiled circuits to user-facing wallet, Protofire delivers every layer.

01

ZK Circuits (Circom/Groth16)

Constraint system that defines a valid private transfer; compiled to proving and verification keys via a public multi-party trusted-setup ceremony.
02

Client-Side Prover

Generates a zero-knowledge proof locally inside the user's wallet (native Rust on desktop); private inputs never leave the user's device.
03

On-Chain Verifier Contract

Validates each submitted proof against the verification key and rejects any duplicate nullifier before updating the pool's Merkle tree.
04

Shielded Pool Contract

Holds shielded balances; handles shield (deposit), private internal transfers, and unshield (withdrawal) with batch support up to 127 recipients.
05

Relayer and Indexer

Relayer abstracts gas and screens deposits via TRM Labs; Subsquid indexer reconstructs each user's spendable balance from on-chain commitments.
06

White-Label Wallet

Cross-platform desktop app presenting a standard send-and-receive interface over all the ZK machinery beneath it.
01

What we deploy

A shielded pool is the core of a ZK privacy layer: a single contract where users deposit ("shield") assets and then transfer them privately inside the pool, so on-chain observers see deposits and withdrawals but not the transfers between them. We deploy a production pool based on a fork of the open-source zkBob protocol (Groth16 zk-SNARKs generated from Circom circuits), adapted to your EVM network.

It supports shield (deposit), private internal transfers, and unshield (withdrawal) across multiple tokens, typically your dominant stablecoins (USDC, USDT) and the native gas token, with batch transfers of up to 127 recipients in a single transaction. Because the pool reuses audited circuits rather than custom cryptography, the attack surface is known rather than invented, and deposit caps can throttle risk during the early mainnet phase. Benefits: private transactions on a public ledger · proven circuits, not novel crypto · multi-token support out of the box.

02

How a deployment works

1

Discovery and Scoping

We map dormant stablecoin capital against active DeFi TVL on your chain, the tokens to support, and your compliance posture, producing a scoped deployment plan.
2

Fork and Ceremony

We adapt the zkBob contracts and circuits to your network and run a multi-party Groth16 ceremony (Perpetual Powers of Tau as the base, public transcript) so no single party holds the toxic waste, then deploy to testnet.
3

Backend and Infrastructure

We stand up the relayer (gas abstraction, TRM screening) and the Subsquid indexer, and provision dev and production environments.
4

Launch and Handover

White-label wallet, integrated testing, mainnet deployment, and an open-sourced relayer so your foundation can run a backup node.
03

What teams deploy a ZK privacy layer for

Private stablecoin payments and payroll
Institutional and RWA settlement that requires confidentiality
Shielded treasury movements for DAOs and foundations
MEV- and front-running-sensitive transfers
KYC-gated private lanes for regulated capital
Activating idle stablecoin TVL by closing the "Privacy Gap"
04

How we cut shielded-payment latency by ~80% on Telos

Telos partnered with Protofire to make private transactions practical for everyday users on Telos EVM. During discovery we found the blockers weren't cryptographic. They were UX friction, the coordination of four moving parts (contracts, circuits, relayer, indexer), and proof latency: browser-based proof generation took 15-25 seconds per private transfer, long enough to make the feature feel broken.

Our approach was to deploy the full privacy stack as one system and move the slowest part off the browser. We adapted the open-source zkBob protocol to Telos EVM, deployed the shielded-pool contracts, ZK-SNARK circuits, relayer, and Subsquid indexing, ran a trusted-setup ceremony, and, in the key move, reimplemented proof generation in native Rust inside an Electron desktop app for macOS, Windows, and Linux.

The outcome: proof latency dropped from 15-25 seconds to roughly 3-5 seconds, an improvement of up to 80%, giving Telos a production privacy wallet on mainnet with a UX comparable to a standard Web3 wallet. It is live at privacy.telos.protofire.io, with open-source contracts, circuits, and infrastructure. See the full case study: Telos zkWallet.

05

ZK privacy from a team that ships infrastructure

Protofire is an engineering company that has shipped 250+ projects across 60+ networks and 95+ protocols since 2016, so our ZK privacy work comes from a team that runs production blockchain infrastructure rather than a single-product privacy startup. We maintain Solhint, the open-source Solidity linter used by 1M+ developers; we serve as a Safe Guardian with deployments across 120+ EVM networks securing $2B+ in assets; and we operate a top-3 indexer in The Graph ecosystem.

The Telos zkWallet pool is live on mainnet today. On Telos we cut shielded-payment latency from 15-25 seconds to roughly 3-5 seconds, an up-to-80% improvement, and open-sourced the contracts, circuits, and infrastructure so the foundation can run its own backup node. For a chain or protocol that needs private transactions but has no in-house ZK team, that combination is the point: a shielded pool we have actually deployed, plus the discipline to operate it.

Private transactions on a public ledger, with compliance and regulatory defensibility built in.

ZK privacy layer in production on Telos EVM
~80% latency reductionShielded pool on mainnet

Deployed a full zkBob-based shielded pool on Telos EVM (upstream circuits audited by ChainSecurity, Jan 2023); moved proof generation to native Rust, cutting latency from 15-25 s to ~3-5 s and making private transactions practical for everyday users.

ZK Privacy Layer: Build In-House vs. Turnkey Deployment

Build ZK privacy layer in-houseProtofire
Cryptography & proving circuitsNovel crypto design; bears full security risk of new implementationProven zkBob circuits (forked from audited protocol, Groth16 zk-SNARKs); known attack surface
Deployment speed6+ months for a team building the full privacy stack from scratch8-12 weeks for turnkey deployment to mainnet (testnet, trusted-setup ceremony, production)
Team size & expertise required4-6+ ZK specialists, Solidity engineers, and DevOps (expensive, rare)Protofire provides 4-6 person team (ZK, Solidity, backend, DevOps) on engagement
Operational completenessBuild shielded-pool contracts, relayer, indexer, wallet separatelyFull stack delivered: pool contracts, ZK circuits, relayer (with gas abstraction), Subsquid indexer, white-label wallet

FAQ

What is a ZK privacy layer?
A ZK privacy layer is infrastructure that adds private transactions to a public blockchain using zero-knowledge proofs. Users shield assets into a pool and transfer them privately inside it; the chain still settles every transaction, but balances, amounts, and counterparties stay hidden from on-chain observers. Protofire deploys it end to end: a shielded pool plus the relayer, indexer, and wallet around it, based on a fork of the open-source, audited zkBob protocol (Groth16 zk-SNARKs generated from Circom circuits). The pool supports shield (deposit), private internal transfers, and unshield (withdrawal) across multiple tokens, typically dominant stablecoins like USDC and USDT plus the native gas token, with batch transfers of up to 127 recipients in a single transaction. Because it reuses audited circuits rather than custom cryptography, the attack surface is known rather than invented, and deposit caps can throttle risk during the early mainnet phase.
Is a ZK privacy layer compliant or regulator-friendly?
It can be, by design: our deployment is built the opposite way from an unfiltered mixer. Proof-of-Innocence circuits let a user prove their funds are not connected to flagged deposits, and relayer-level screening via TRM Labs blocks known bad-actor addresses at deposit time, before they ever enter the pool. For institutional lanes, KYC hooks gate deposits behind a whitelisted-provider signature, and configurable daily limits bound exposure. An authorized party can be granted a viewing key to inspect specific flows for audit or reporting without breaking privacy for everyone else. The result is a permissioned-privacy option that keeps privacy-seeking capital inside a controlled, auditable environment with selective disclosure, instead of pushing it toward sanctioned mixers. The network gains regulated, confidential capital flow without taking the base layer's compliance risk onto itself.
How long does it take to deploy a shielded pool?
Typically 8-12 weeks for a turnkey deployment, run by a 4-6 person team of ZK, Solidity, backend, and DevOps engineers. The first phase is discovery: mapping dormant stablecoin capital against active DeFi TVL, the tokens to support, and your compliance posture. We then fork and adapt the zkBob contracts and circuits to your network and run a multi-party Groth16 trusted-setup ceremony (Perpetual Powers of Tau as the base, public transcript) before deploying to testnet. Next we stand up the backend (the relayer with gas abstraction and TRM screening, plus the Subsquid indexer) and provision dev and production environments. The final phase is mainnet launch: the white-label wallet, integrated testing, mainnet deployment, and an open-sourced relayer so your foundation can run a backup node. We confirm the exact scope and timeline on the first call.
How much does a ZK privacy layer cost?
Engagements are scoped per chain rather than sold at a list price, because the work varies with what you need. The main variables are token support (how many stablecoins plus the native gas token the pool must handle), the compliance modules you switch on (Proof-of-Innocence circuits, TRM Labs screening, KYC-gated lanes, daily limits, and viewing keys for selective disclosure), and the infrastructure footprint: the relayer, the Subsquid indexer, and the white-label desktop wallet. A typical turnkey deployment runs 8-12 weeks with a 4-6 person team of ZK, Solidity, backend, and DevOps engineers, and includes the multi-party trusted-setup ceremony. We size the engagement after a short discovery call, where we map your dormant stablecoin capital against active TVL, and give you a fixed scope and estimate before any work starts.
We're an EVM chain losing liquidity to larger ecosystems. How does this help?
Most EVM chains hold stablecoin capital that won't move into DeFi because the ledger is fully transparent, leaving a "Privacy Gap" between stablecoin supply and active TVL. Institutional and privacy-sensitive holders won't transact when every balance, counterparty, and amount is public. A compliant shielded pool closes that gap: it gives them a controlled, auditable place to make private stablecoin payments and payroll, settle institutional and RWA flows that require confidentiality, move DAO and foundation treasuries without telegraphing strategy, and run MEV- and front-running-sensitive transfers. Because the pool pairs privacy with Proof-of-Innocence, TRM screening, and optional KYC-gated lanes, it attracts regulated capital rather than sanctioned-mixer traffic. The result is dormant capital turned into on-chain activity, and a sticky differentiator that generic chain forks can't match: native confidentiality that keeps liquidity inside your ecosystem instead of leaking it to larger ones.
We already have an in-house ZK team. Why use Protofire?
Building a production ZK privacy layer from scratch is a long effort requiring rare expertise and carrying real cryptographic risk, and most of that risk sits in the cryptography, not your core protocol. We deliver a forked, audited shielded pool in 8-12 weeks with a live mainnet reference: Telos zkWallet, where we cut shielded-payment latency from 15-25 seconds to roughly 3-5 seconds by moving proof generation into native Rust. You ship proven Groth16 circuits rather than invented cryptography, and we hand over the full stack: contracts, circuits, relayer, indexer, and white-label wallet. Because the relayer is open-sourced, your foundation can own and run the stack long-term, including a backup node. Even teams with ZK expertise use us to stay focused on their protocol while a senior ZK, Solidity, and infra team delivers the privacy layer in parallel.

Reviewed by Luis Medeiros, Field CTO at Protofire. Last reviewed: June 2026.

Book a call with Alejandro Losa

Schedule a call with our Web3 Solution Architect to receive practical recommendations and a prompt proposal for upgrading your solution.

Protofire 2026. All rights reserved

Message us on Telegram