DOCS / CONCEPTS

Hidden on-chain, valid by proof.

Confidential transfers are a Token-2022 extension, live on Solana mainnet and already initialized on institutional stablecoins like PYUSD, USDG and AUSD. The design goal is precise: hide the amounts, keep everything else auditable. Addresses stay public. Mints stay public. Only the numbers go dark.

Balances are encrypted with Twisted ElGamal — each encrypted balance is a Pedersen commitment plus a decrypt handle. Only the account owner's key (or a mint-configured auditor key) can decrypt them. But encryption alone would let you lie: transfer more than you have, or conjure negative amounts. That's what the proofs are for.

The proofs

Range proofs

Committed amounts fit in 64 bits — no negative values, no overflow tricks.

Ciphertext validity

The ciphertexts are well-formed encryptions under the stated keys.

Equality proofs

Sender's debit, receiver's credit and the auditor's copy all encrypt the same amount.

These are verified by a native program — ZkE1Gama1Proof… — inside the validator, not by a smart contract. It was disabled on mainnet in June 2025 after a soundness bug and later re-enabled; our status page probes it live so you don't have to take anyone's word for it.

Lifecycle of a hidden balance

01

Deposit

Public tokens move into the encrypted pending balance. From this point the amount is a ciphertext.

02

ApplyPendingBalance

The pending ciphertext rolls into the spendable available balance — bookkeeping, still encrypted.

03

Transfer

The core move. The same hidden amount is encrypted for sender, receiver (and auditor, if set), with proofs that all three ciphertexts agree and the amount is in range.

04

Withdraw

Encrypted balance exits back to the public amount, again with an equality proof so nothing is minted on the way out.

Compliance is a key, not a promise

Every confidential mint can set an auditor ElGamal pubkey. If set, every transfer amount is additionally encrypted to that key — a designated third party can decrypt amounts without anyone else gaining access. That single field is the difference between "privacy" and "compliant confidentiality", and it's exactly the kind of fact FlipForge surfaces: check the registry to see who sets it and who doesn't.