The Hitchhiker's Guide to Dark Pools in DeFi

4 months ago 20

In the first two articles of this series, we explored the concept of dark pools in decentralized finance, highlighting their role in addressing critical issues such as frontrunning, quote fading, and MEV (Maximal Extractable Value) extraction. Dark pools are an essential tool for traders as they execute trades without disclosing transactions and their details to third-party observers. For this reason, traders are able to execute their transactions with advantages such as better price execution and reduced price slippage.

In our first article, we introduced dark pools and examined Renegade, which enables privacy-based trades in the privacy ecosystem through exotic technologies such as multiparty-computation matching engines and collaborative SNARKs. The second paper shifted our focus to the speed-oriented Tristero, which is different in the target audience and technological building blocks and can be called the other side of the coin due to the use of TEE instead of often called secure but relatively slow, complicated cryptographic methods.

This article ends the series by examining an alternative approach to building dark pools through the lens of Railgun. Railgun stands out as a privacy-enhancing protocol designed to shield transactions during the trading process and extend privacy beyond settlement. Built on zk-SNARKs and a global Merkle tree architecture, Railgun allows users to engage in decentralized finance activities, such as swaps, liquidity provision, and private token transfers, while preserving anonymity and enabling programmability. Its unique Proof of Innocence mechanism further differentiates it, allowing users to demonstrate compliance by proving their transactions are free from blacklisted funds.

At the end of this series, we'll explore Railgun's privacy-preserving architecture, consider its role in the future of DeFi dark pools, and reflect on how protocols such as Renegade, Tristero, and Railgun provide different technical solutions to the evolving challenges of private, compliant on-chain trading.

Railgun

Railgun is a privacy-enhancing protocol designed to shield blockchain transactions, enabling users to interact with decentralized finance (DeFi) while preserving their anonymity. Built on Ethereum and other EVM-compatible chains, Railgun leverages zero-knowledge proofs (zk-SNARKs) and a single global Merkle tree to create a private, auditable, and scalable environment. Its architecture combines advanced zero-knowledge cryptography with programmability, creating a private ecosystem for seamless and confidential interaction across DeFi applications. Although Railgun employs a unified single-contract architecture, it fundamentally differs from mixers as it does not rely on mixing funds. Instead, privacy is achieved without the need to move funds, while also offering extended programmability.

Introduction to the inner workings of Railgun

At the core of Railgun’s privacy architecture is its global Merkle tree, a cryptographic data structure that serves as the foundation for managing private balances and transaction states. This tree stores all interactions within Railgun—whether shielding tokens, transferring assets, or engaging in DeFi—in the form of cryptographic commitments. Each commitment is a hashed representation of a user’s private balance or transaction, ensuring that no sensitive details are exposed on-chain while maintaining the integrity and verifiability of the system.

When users interact with Railgun, they do so through a single smart contract on the blockchain’s execution layer. This design means that every Railgun transaction, regardless of the user or asset type, interfaces with this unified privacy contract. By aggregating all interactions into a unified privacy layer, Railgun obfuscates the links between inputs (e.g., deposits) and outputs (e.g., transfers or withdrawals), making transactions indistinguishable to external observers. In this way, Railgun functions as a zk-powered privacy wallet, shielding user activity from blockchain surveillance while offering greater programmability and flexibility.

The Merkle tree enables privacy by abstracting all transaction data into cryptographic commitments. These commitments act as leaves in the tree, each representing a user’s private state in a way that is computationally irreversible. For example, when a user shields tokens—converting them from a public 0x account to a private 0zk account—a new commitment is created and added to the tree. This shields the token’s original source and enters the user into Railgun’s global privacy layer. The corresponding public balance is hidden, and the user’s private balance is now managed entirely within the Merkle tree.

Railgun uses nullifiers—cryptographic markers—to prevent double-spending by invalidating spent commitments. Each private transaction records the nullifier of the previous commitment while adding a new commitment with the updated balance to the tree. This transition preserves privacy by breaking the connection between states during updates, while nullifiers prevent commitment reuse. Like Renegade, this system combines a global Merkle tree with nullifiers to achieve scalable privacy.

The Merkle tree architecture prevents transaction traceability by consolidating all interactions within a unified privacy layer. The global tree structure thwarts blockchain surveillance by making deposits, transfers, and withdrawals unlinkable, rendering even sophisticated on-chain analysis ineffective. This design choice enhances both protocol scalability and user privacy through consistent, predictable state updates.

To ensure that every update to the Merkle tree adheres to Railgun’s privacy and security rules, the protocol uses zk-SNARK proofs. These proofs validate every transaction without exposing sensitive details, ensuring that balances are accurate, nullifiers are correctly applied, and no unauthorized modifications are made to the tree. Unlike traditional systems, where verification relies on direct access to transaction data, zk-SNARKs allow the Railgun smart contract to verify transactions cryptographically. This means that validators can confirm the legitimacy of interactions without needing to see the underlying details, effectively preserving the protocol’s trustless and decentralized nature. This process is fundamental to Railgun’s ability to maintain privacy while ensuring the correctness of its state.

The integration of zk-SNARK proofs with the Merkle tree creates a dual layer of security and privacy that is both robust and scalable. Updates to the system—whether shielding tokens, transferring assets, or conducting other interactions—are cryptographically recorded, ensuring they can be audited at the protocol level without revealing user-specific information. This design not only preserves the privacy of individual users but also reinforces the integrity of the entire system, as every transaction is verifiable yet anonymous. It eliminates the need for intermediaries or custodial oversight, allowing Railgun to operate in a fully decentralized manner.

Railgun’s innovative architecture demonstrates how cryptography can redefine the balance between privacy and usability in decentralized systems. By leveraging advanced tools like the Merkle tree and zk-SNARKs, Railgun enables users to shield their interactions seamlessly while maintaining the integrity and trustlessness of the blockchain. Beyond its technical capabilities, the system sets the stage for exploring how private transactions are executed, validated, and integrated with broader DeFi ecosystems. In the following sections, we delve deeper into the lifecycle of a transaction within Railgun, examining the intricate processes that ensure privacy and security at every step.

Shielding tokens: Entering the Railgun privacy layer

Shielding tokens is the entry point into the Railgun private ecosystem, where user assets are moved from public blockchain visibility into Railgun’s encrypted, shielded state. This process relies on Railgun wallets, cryptographic commitments, and the creation of UTXOs (Unspent Transaction Outputs), all of which work together to ensure assets are shielded without compromising privacy.

Wallets and key structure

Railgun wallets rely on the BIP-32 standard for key derivation, allowing users to generate a hierarchical set of cryptographic keys from a single seed phrase. This architecture simplifies wallet creation while enabling robust privacy features. Two critical keys are derived within Railgun wallets, each serving a distinct role in the system:

  1. Spending key:The spending key is used to prove ownership of shielded tokens and authorize private interactions, such as shielding, transfers, and unshielding. Functionally, it operates similarly to a standard private key but within the Railgun private ecosystem. Spending keys are generated using the Baby Jubjub elliptic curve, which is zk-SNARK-friendly and optimized for efficient cryptographic proofs.The spending key plays a pivotal role in Railgun transactions:
    • It is used to sign and authorize actions while remaining private.
    • It generates zk-SNARK proofs that validate interactions (e.g., shielding or transfers) without leaking sensitive transaction details like token amounts, recipients, or senders.
  2. Viewing key:The viewing key provides read-only access to shielded data, allowing users—or trusted third parties—to decrypt and view specific private interactions. Unlike the spending key, the viewing key cannot authorize transactions, ensuring it does not compromise security. Viewing Keys are implemented using the Ed25519 elliptic curve, making them efficient for decryption tasks.key features of the viewing key:
    • It can decrypt events emitted by Railgun’s smart contract, such as shield or Transfer events.
    • It ensures that private interactions remain secure, as the viewing key cannot modify or authorize transactions.

The wallet generates a 0zk address, a private counterpart to the traditional Ethereum 0x address. This address combines the Spending and Viewing Keys into a more complex format, enabling users to transact within the Railgun private ecosystem without exposing their cryptographic keys or wallet activities.

How tokens enter the private system

Shielding tokens in Railgun involves converting assets from public visibility into encrypted private states managed within the global Merkle tree. At its core, shielding generates UTXOs (Unspent Transaction Outputs)—cryptographic representations of user balances—that enable Railgun to preserve privacy while ensuring transaction validity. By leveraging advanced cryptographic commitments, randomness, and zero-knowledge proofs, the Railgun smart contracts ensure the shielding process hides all sensitive information while remaining verifiable and trustless.

Initiating the shielding interaction

Shielding begins when a user decides to move tokens—such as ETH, ERC-20 tokens, or NFTs—into the Railgun privacy system. This action calls the Railgun smart contract and sets the foundation for creating a private balance. Shielding doesn’t simply move assets; instead, the system transforms the user’s publicly held tokens into a cryptographic form that can only be accessed within the Railgun privacy system. At this point, a UTXO is created, encapsulating the transaction details: the token type, token amount, recipient public key, and a randomness factor that ensures each shielding interaction produces a unique output. The use of randomness is critical here because it prevents any external observer from correlating two identical transactions or deducing patterns based on token amounts or recipient data.

Creating a cryptographic commitment

Once the UTXO is generated, Railgun combines its internal values—including the randomness, token amount, and recipient’s public key—into a cryptographic commitment. This commitment is created using the Poseidon hash function, a zero-knowledge-friendly hashing algorithm designed to operate efficiently within zk-SNARK circuits. The resulting hash is irreversible, meaning that no external observer can infer the UTXO’s internal details from the commitment itself. From the perspective of an outside observer, the commitment appears as a single opaque value. This commitment becomes the anchor of the private token within the Railgun system and serves as a reference point when the user later wishes to spend, transfer, or interact with their shielded balance.

Generating the zero-knowledge proof

To ensure that shielding occurs securely and adheres to the Railgun system’s cryptographic rules, the user generates a zk-SNARK proof. This proof, created locally on the user’s device, guarantees that the shielding transaction is valid without revealing any sensitive information

  • The user possesses sufficient funds to shield the specified amount of tokens.
  • The new UTXO adheres to the Railgun system’s cryptographic rules and is properly constructed.
  • No sensitive details—such as the sender’s public address, recipient, token type, or amount—are exposed during the shielding process.

The proof itself is succinct and efficient, allowing the Railgun smart contract to verify it quickly while preserving the privacy of the underlying transaction. This mechanism ensures the protocol remains trustless, as validators do not need to see transaction details to confirm validity.

Updating the Merkle tree

Once the zk-SNARK proof is verified, the Railgun smart contract finalizes the shielding process by adding the new commitment to the global Merkle tree. The Merkle tree is Railgun’s cryptographic ledger for all shielded UTXOs, storing them in a way that ensures both privacy and verifiability. Adding a new commitment updates the Merkle tree’s root hash, which reflects the current state of all shielded balances. Importantly, the tree does not expose the content of individual commitments, only their hashed representations. This design ensures that the protocol remains transparent and verifiable while completely shielding user-specific data. At this stage, the user’s tokens have officially entered the Railgun privacy system, and their prior connection to a public 0x address is fully obfuscated.

Emitting the shield event

As a final step, the Railgun smart contract emits an encrypted shield event containing the commitment and associated transaction metadata. This event is unreadable to the public but can be decrypted using the user’s viewing key. The shield event allows users to monitor their private balance and transaction history securely, while maintaining full anonymity on the public blockchain. This feature also introduces selective transparency, as users can share their viewing keys with auditors or trusted third parties to verify specific transactions without compromising their overall privacy.

The shielding process marks a crucial entry point into the Railgun privacy system. By creating cryptographic commitments and UTXOs, Railgun transforms publicly visible tokens into shielded states that are indistinguishable to external observers. The use of randomness and zk-SNARK proofs ensures that shielding is secure, trustless, and private, while the global Merkle tree provides a scalable and efficient mechanism for managing the state of shielded balances. Once tokens are shielded, they are ready to be used within private 0zk addresses and on-chain in transfers, swaps, or other DeFi activity.

Role of broadcasters in Railgun

Even though the Railgun shielding process ensures robust privacy within the system, Ethereum’s transparent nature introduces a unique challenge when interacting with the Railgun smart contract. To initiate state transitions, someone must send transactions to Railgun’s contracts on-chain. If users were to directly interact with these contracts, external observers could potentially link their external 0x Ethereum addresses to their private 0zk accounts, compromising their anonymity.

This challenge is further amplified by Railgun’s single contract architecture. Since Railgun operates as a single contract handling all shielded interactions, every user must interact with the same contract to initiate transactions. While this design provides strong internal privacy, it means that external observers can see opaque actions interacting with the Railgun contract. Although they cannot decipher what these transactions entail or who is performing them, the visibility of the interaction itself could provide exploitable patterns.

To mitigate this issue, Railgun introduces broadcasters, decentralized entities that act as intermediaries to maintain privacy during transaction submission.

What are broadcasters and how do they work?

Broadcasters in Railgun are wallets that act as permissionless relayers, submitting encrypted transactions to the blockchain on behalf of Railgun privacy users. Their primary role is to anonymize the interaction process by ensuring that private transactions appear to originate from Broadcaster addresses rather than the user’s public Ethereum address. By acting as intermediaries, Broadcasters preserve the privacy of users while maintaining the integrity of Railgun’s privacy guarantees.

From a technical perspective, Broadcasters are permissionless–as they are essentially just wallets–and can theoretically be operated by anyone. They run a lightweight Node.js client that connects to Railgun-equipped wallets, processing encrypted interactions as they are received. Broadcasters also broadcast gas requirements to Railgun wallets and automatically handle interactions sent to them, ensuring efficient processing.

When a user initiates a private interaction within Railgun, they select a broadcaster based on factors such as gas fees and availability. The interaction data is encrypted locally by the user’s wallet and sent to the selected Broadcaster. During this process:

  1. The broadcaster receives the encrypted transaction and decrypts only the gas fee metadata, which is packaged as a reward for their services.
  2. The interaction’s encrypted contents—such as zk-SNARK proofs, commitments, and transaction metadata—cannot be decrypted or modified by the Broadcaster.
  3. The broadcaster validates that the gas fee is sufficient, then submits the transaction to the blockchain on behalf of the user.

This process ensures that the interaction obscures critical details, such as the sender’s public 0x address, the transaction amount, and the recipient’s information. The blockchain ledger reflects that the transaction originated from the Broadcaster’s wallet, breaking any direct traceability to the user.

Broadcasters are critical to the Railgun privacy system's ability to anonymize interactions with its smart contract, breaking any observable link between a user’s public Ethereum account and their private 0zk account. By submitting transactions on behalf of users, Broadcasters ensure that Railgun’s privacy guarantees extend beyond the shielding process to cover the entire lifecycle of blockchain interactions. This added layer of obfuscation is essential for preventing external observers from deducing user identities or transaction patterns based on visible interactions with the Railgun contract. Without this intermediary, users would risk compromising their anonymity whenever they interact with the blockchain.

The broadcaster network is designed to be both resilient and decentralized, ensuring robust privacy guarantees for users. Anyone can operate a broadcaster, allowing users to freely choose one based on factors like gas costs or availability. This flexibility not only keeps the system permissionless and fault-tolerant but also ensures that participants always have access to cooperative broadcasters, even if one fails or refuses to relay a transaction. Moreover, users who prefer to avoid intermediaries can opt to self-sign their transactions, taking full control over their interactions with the Railgun smart contract. By directly submitting their transactions to the blockchain, users preserve their privacy while bypassing potential delays or costs associated with Broadcasters. This dual approach of decentralized Broadcasters and self-signing ensures the Railgun protocol remains adaptable, trustless, and aligned with the core principles of blockchain privacy.

In addition to privacy, broadcasters provide practical benefits for users. By enabling gasless transactions, users can pay transaction fees in tokens of their choice, such as DAI or USDC, rather than relying on the native currency of the blockchain. This feature simplifies interactions and enhances user convenience while maintaining Railgun’s stringent privacy standards. Together, broadcasters ensure Railgun protocol’s privacy and functionality remain robust, providing users with a seamless experience for private transactions and interactions on Ethereum.

How privacy is maintained and its advantages in Railgun

Railgun’s architecture is meticulously designed to ensure that all sensitive details—such as sender, recipient, and transaction amounts—are fully obfuscated during every interaction. By operating entirely on the execution layer of the blockchain (L1), Railgun integrates its privacy mechanisms seamlessly into the native chain without relying on additional layers, bridges, or intermediaries. This design provides users with a robust privacy system while preserving the decentralized and trustless nature of the underlying blockchain.

At the core of Railgun’s privacy system is the global Merkle tree, which consolidates all shielded states into a single cryptographic structure. This tree ensures that no external observer can link inputs (e.g., deposits) to outputs (e.g., transactions or withdrawals), effectively breaking the traceability chain inherent in transparent blockchains. User balances, transaction details, and token information are stored as cryptographic commitments, ensuring that no public link exists between public deposits and shielded assets. This comprehensive privacy mechanism shields user data from blockchain explorers, adversarial actors, and analytics tools, creating an environment where transactions remain indistinguishable to outsiders.

Railgun’s design also provides a unified execution layer, allowing it to operate entirely on the main blockchain without fragmentation. Unlike privacy solutions that rely on separate chains or mixers that isolate users in standalone pools, Railgun ensures that users remain connected to the broader blockchain ecosystem. This seamless integration avoids the inefficiencies and security risks associated with cross-chain migrations or custodial mixing services. Users can participate in DeFi applications, execute token transfers, and even shield NFTs (ERC-721 and ERC-1155) without leaving the L1 environment, maintaining composability and access to the full range of blockchain functionality.

However, as with any privacy system, Railgun is not without limitations. One challenge arises from the similar aspect it shares with mixers: timing and behavioral patterns can sometimes expose user identities. For instance, if a user shields 1000 ETH and, shortly after, unshields the same amount to a new account, external observers may infer a connection between the two transactions. This potential for linkage underscores the importance of thoughtful usage patterns to maximize privacy within Railgun’s system.That said, broadcasters play a critical role in mitigating this issue to some extent. By serving as intermediaries and submitting transactions on behalf of users, broadcasters obfuscate the origin of the interactions, breaking direct links between public 0x addresses and private 0zk accounts. While this does not eliminate the risk of linkage caused by observable patterns such as transaction timing or amounts, it significantly reduces the likelihood that external observers can associate interactions with specific users. Combined with mindful transaction behavior, broadcasters provide an additional layer of protection to help users maintain their anonymity within Railgun’s ecosystem.

Despite this limitation, Railgun’s architecture offers enhanced functionality that far exceeds traditional privacy solutions. The system supports private interactions across multiple token standards, including ERC-20, ERC-721, and ERC-1155. Beyond basic transfers, Railgun enables programmable privacy through its SDK, allowing decentralized applications (dApps) to natively integrate privacy features. This programmable layer empowers developers to build applications where users can shield their interactions directly, creating a privacy hub that extends the functionality of the blockchain while preserving anonymity.

Railgun’s approach balances robust cryptographic privacy with seamless blockchain integration. By leveraging its global Merkle tree, zk-SNARK proofs, and decentralized execution, Railgun creates a comprehensive privacy layer that operates natively within the blockchain ecosystem. While users must remain cautious of behavioral patterns that could compromise anonymity, Railgun’s combination of privacy, functionality, and composability makes it a powerful tool for ensuring confidentiality in decentralized finance.

Final thoughts and the future of dark pools

Dark pools are receiving more attention as mechanism designers look to make DeFi more secure and efficient. Besides the protocols mentioned in this article, other examples like Labyrinth, Penumbra, and Fairblock exist to enable private onchain trading. Dark pools will need to answer several questions about their viability, however:

  • How can liquidity be improved in dark pools? Dark pools like Renegade use peer-to-peer trading instead of the default peer-to-pool model. When there are enough counterparties available to fulfill intents, this system works; but availability of order matching isn’t guaranteed and that trades remain private can worsen the problem (potential liquidity providers don’t know if they should supply liquidity). Renegade mitigates this problem by providing optional “indications of interests” that allow users to reveal specific information about a pending order (e.g., number of tokens and trading pair) to incentivize faster order matching. This reintroduces previously discussed issues and essentially represents a tradeoff between execution quality and execution latency. 
  • How can compliance be achieved in a dark pool? After the OFAC sanctions of 2022, we have seen an increase in the number of DeFi protocols designed to remain compliant with jurisdictional laws. Dark pools are non-discriminatory and cannot natively separate “toxic order flow” from “good order flow”. This can create problems and make dark pools unappealing to institutional investors that care about where they trade and who they trade with. Renegade allows users to specify KYC/AML requirements before being matched, while Railgun allows users to generate a proof of innocence (POI) that proves funds haven’t mixed with illicit assets.
  • How best to ensure privacy–software or hardware-based approaches? MPC and ZKPs provide strong guarantees of privacy because they allow computation over private inputs, but incur extra overhead from the requirements to compute proofs. TEEs provide weaker guarantees of privacy (dependent on the hardware manufacturer), but can provide more performance and better UX for end-users. Mechanism designers may choose to explore a defense-in-depth approach that combines these approaches or invest in mechanisms to improve efficiency of MPC-ZKP mechanisms. 
  • How to make dark pools good for efficient price discovery?Efficient price discovery in dark pools requires balancing privacy with visibility into market dynamics. Renegade achieves this through optional indications of interest (IOI), which allow selective disclosure of order parameters, attracting counter-flow while preserving privacy. Railgun focuses on maintaining anonymity while supporting DeFi interactions like private swaps, indirectly contributing to market efficiency through increased trading activity. Tristero, on the other hand, leverages TEE-based architecture for low-latency order matching and intent hashing, ensuring verifiable trades while preventing manipulation. Mechanism designers may explore hybrid approaches combining these techniques to optimize liquidity and transparency for price discovery. 

The evolution of decentralized dark pools faces interconnected challenges in liquidity, compliance, privacy, and price discovery. Leading protocols demonstrate diverse technical approaches: Renegade and Railgun leverage cryptographic solutions like zero-knowledge proofs and multiparty computation, while Tristero employs hardware-based TEEs. These implementations establish secure, private trading environments that compete with traditional financial markets in both sophistication and trustworthiness. 

As dark pools mature, their technological frameworks will evolve to meet the demands of a broader user base. Continuous improvements in privacy-preserving techniques and computational efficiency will lower costs and enhance usability, making dark pools accessible to both institutional traders and retail participants. Moreover, the integration of compliance mechanisms, such as KYC/AML protocols and proofs of innocence, will likely position dark pools as a preferred choice for regulated entities seeking both security and transparency. With their potential to foster deeper liquidity, fairer pricing, and more robust privacy guarantees, dark pools stand poised to play a transformative role in the decentralized finance landscape, becoming indispensable tools for traders across the spectrum.

Follow @2077Research for more research articles and visit the website for long-form deep dives into Ethereum R&D topics.

Read Entire Article