DOCS / CONCEPTS
Hidden on-chain, valid by proof.
Confidential transfers are a Token-2022 extension, live on Solana mainnet and already initialized on institutional stablecoins like PYUSD, USDG and AUSD. The design goal is precise: hide the amounts, keep everything else auditable. Addresses stay public. Mints stay public. Only the numbers go dark.
Balances are encrypted with Twisted ElGamal — each encrypted balance is a Pedersen commitment plus a decrypt handle. Only the account owner's key (or a mint-configured auditor key) can decrypt them. But encryption alone would let you lie: transfer more than you have, or conjure negative amounts. That's what the proofs are for.
The proofs
Range proofs
Committed amounts fit in 64 bits — no negative values, no overflow tricks.
Ciphertext validity
The ciphertexts are well-formed encryptions under the stated keys.
Equality proofs
Sender's debit, receiver's credit and the auditor's copy all encrypt the same amount.
These are verified by a native program — ZkE1Gama1Proof… — inside the validator, not by a smart contract. It was disabled on mainnet in June 2025 after a soundness bug and later re-enabled; our status page probes it live so you don't have to take anyone's word for it.
Lifecycle of a hidden balance
Deposit
Public tokens move into the encrypted pending balance. From this point the amount is a ciphertext.
ApplyPendingBalance
The pending ciphertext rolls into the spendable available balance — bookkeeping, still encrypted.
Transfer
The core move. The same hidden amount is encrypted for sender, receiver (and auditor, if set), with proofs that all three ciphertexts agree and the amount is in range.
Withdraw
Encrypted balance exits back to the public amount, again with an equality proof so nothing is minted on the way out.
Compliance is a key, not a promise
Every confidential mint can set an auditor ElGamal pubkey. If set, every transfer amount is additionally encrypted to that key — a designated third party can decrypt amounts without anyone else gaining access. That single field is the difference between "privacy" and "compliant confidentiality", and it's exactly the kind of fact FlipForge surfaces: check the registry to see who sets it and who doesn't.
