1 of 13

Shadowlings

2 of 13

Nick

@nlordell

Richard

@rimeissner

3 of 13

Receive funds

100 LOVE

4 of 13

Deposit Account

100 LOVE

Require funds for Gas

5 of 13

Empowered Deposit Accounts

100 LOVE

3074 + 4337

Recovery?

6 of 13

Shadowlings

100 LOVE

3074 + 4337

Zero Knowledge Proofs

7 of 13

Shadowlings

  • Privacy preserving
    • Unlimited derived accounts
    • Indistinguishable from normal EOAs
    • Doxing only on recovery�
  • Recoverable
    • Inherit recoverability from primary account (i.e. social recovery via a Safe)�
  • NextGen UX compatible
    • Advanced execution functionality (e.g. batching)
    • Gas Abstracted/ Paymaster compatible
    • Can be ported to EIP-7702

8 of 13

How did we do it

  • Build 3074 Invoker that executes transactions via an EOA
    • Use same precomputed static signature for all accounts (Nicks method)
    • Add 4337 support to invoker for relaying�
  • Use zero knowledge proofs to link owner account to EOA
    • Owner account is private until used to recover assets from an EOA
    • Other linked EOAs are not revealed on recovery

salt_hash

Owner Hash

Commit

Tx Hash

Nullifier

Owner Address

Memo (i.e. location)

Salt

Private

Public

9 of 13

DEMO

10 of 13

Challenges

  • Recoverability and privacy don’t play well together
    • Users should have to remember/ store as little as possible
    • Solution: Introduce an Entropy to increase privacy�
  • Complexity of Zero Knowledge Programs
    • Nested SHA256 result in large verifier programs
    • Multiple circuits necessary (currently 3) to cover different flows
    • Solution: Use ZKP optimized hashing MimcSponge
  • Working with EIPs that are in WIP
    • 3074 is not yet readily available on usual testnets
    • Solution: Local network instances and devnets

11 of 13

Next Steps

  • Increase Privacy
    • Alternative entropy mechanisms�
  • Optimize performance
    • Adjust ZK Circuits�
  • Improve UX
    • Smoother recovery flow

12 of 13

  • Privacy preserving accounts (zkp + 3074)
    • Unlimited derived accounts
    • Indistinguishable from normal EOAs
  • Recoverable deposit addresses (smart accounts + 3074)
    • Should not dox other deposit addresses
  • Gasless (4337)
    • Advantage over mnemonics

  • Intuitive

13 of 13

salt_hash

Owner Hash

Commit

Tx Hash

Nullifier

Secret Flow:�Zkp: hash(salt) === salt_hash && hash(owner_hash, salt_hash) === commit && hash(tx_hash, salt_hash) === nullifier

Invoker: checkSet(nullifier); auth(commit, sig)

Recovery Flow:�Zkp: hash(owner_hash) === commit

Invoker: auth(commit, sig) -> recover address

Owner Address

Memo (i.e. location)

Salt

Privacy

Security