Architecture
System Overview
┌─────────────┐ ┌──────────────┐ ┌───────────────┐
│ Frontend │────→│ Relayer │────→│ Smart │
│ (Browser) │ │ Network │ │ Contracts │
└─────────────┘ └──────────────┘ └───────────────┘
│ │
│ ┌──────────────┐ │
└──────────→│ ZK Prover │─────────────┘
│ (Browser) │
└──────────────┘Core Contracts
| Contract | Description |
|---|---|
| MainPool | Central pool — handles deposits, withdrawals, Merkle tree |
| ERC1967Proxy | Upgradeable proxy for MainPool |
| WithdrawVerifier | Groth16 ZK proof verifier (auto-generated) |
| DepositFactory | Creates one-time deposit addresses |
| RelayerRegistry | Relayer registration, staking, fee tracking |
| OFFToken | Governance and utility token (100M fixed supply) |
| Governance | On-chain proposal and voting system |
| Timelock | Treasury and execution delay for governance |
| Staking | Revenue share staking with lock multiplier (1x–2.5x) |
| TokenVesting | Vesting schedules for Treasury and Team allocations |
| PriceOracleV2 | ETH→OFF price conversion — reads spot price directly from Uniswap V4 PoolManager via extsload (no oracle hooks needed) |
| Echoer | Utility for off-chain note relay |
Fee Model
Relayers collect 100% of the ETH withdrawal fee from users. The protocol charges 0.3% of each withdrawal amount in OFF tokens, deducted from the relayer's stake. This OFF is distributed to stakers as revenue share.
ZK Circuit
The withdraw circuit (Groth16) proves:
- Knowledge of a valid
(secret, nullifier)pair - The corresponding leaf exists in the Merkle tree
- Public inputs: root, nullifier, recipient, token, amount, relayer, fee, newCommitment, changeAmount
9 public inputs • ~6,500 constraints • Poseidon hash
Token Support
Currently ETH only. ERC-20 tokens (USDT, USDC, DAI) planned for future release.