The lifecycle of value
A public deposit creates a note
Your Stellar wallet signs a transaction that moves a standard testnet amount into the pool. Your browser creates the note commitment and encrypts the note for your shielded identity.The deposit boundary is public. The note’s later ownership is not displayed beside your public wallet.
Your browser scans for your notes
Confi.cash reads public pool events and tries to decrypt note payloads locally. Notes that decrypt under your shielded keys form the balance shown in the app.The service does not need a server-side account balance database for your shielded identity.
A proof authorizes a spend
To send, swap, or withdraw, your browser proves that you own an unspent note and that the value rules hold. The proof reveals only the public statement required by that action.A nullifier marks the old note spent without publishing its secret opening.
A send creates a recipient note
For a shielded send, your browser encrypts a fresh note to the recipient’s
cb1... address. The recipient discovers it during their next scan.A swap joins an amount-blind batch for an AMM route
Your browser commits to the order and encrypts its amount for the threshold committee. The ordinary relay path receives no plaintext amount.When you choose Others, the route uses Soroswap, Aquarius, or another supported external AMM. A valid batch settles at a shared price, and only its aggregate net reaches that AMM. You later claim a fresh shielded output note.
Core building blocks
Shielded notes
Encrypted records that hold an asset, amount, and ownership secret inside the pool.
Commitments
Public identifiers that let the pool track notes without publishing their openings.
Nullifiers
One-time values that prevent a note from being spent twice without naming its owner.
Zero-knowledge proofs
Browser-generated proofs that a state transition follows the protocol rules.
Non-custodial does not mean trust-free
Confi.cash does not hold your spend keys or approve spends on your behalf. You still rely on:- Your wallet to produce the same valid signature when recovering your shielded identity.
- The browser application and proving artifacts to match the reviewed deployment.
- The operator for service availability and correct batch operation.
- The operator-controlled threshold committee not to use quorum access to reconstruct individual swap amounts.
- Stellar testnet and the deployed contracts to remain available.