Portal Deposit Addresses
A portal is a reusable, public deposit address — like a centralized-exchange deposit address, but self-custodial. The owner publishes one fixed addressE;
any number of senders fund it with ordinary ERC-20 transfers (no Privacy Boost
software, no per-deposit ceremony); and the funds are later swept into the
owner’s shielded balance. Crediting is permissionless and decoupled from the
deposit, so the recipient does not have to be online for any individual deposit.
Public observers see the portal address, token, amount, timing, and sender — but
never which Privacy Boost account receives the funds.
How it works
A portal addressE is a normal Ethereum EOA that the owner controls, upgraded
via EIP-7702 so it can only do two
things: sweep supported tokens into the pool, and let the owner reclaim funds
resting at it. It can never spend from the pool.
- Create. The owner derives a fresh portal address
Efrom their seed, delegates it to the shared portal implementation, and registers a public on-chain bindingHthat commits to their account without revealing it. - Publish. The owner publishes a private registry entry (
E → blind) so the server’s indexer can credit deposits to the right account. A missing or wrong entry only delays crediting — it can never send funds to the wrong account. - Fund. Anyone sends standard ERC-20 to
E. This is an ordinary token transfer; the sender needs nothing from Privacy Boost. - Sweep. Anyone (at launch, an operator) calls the permissionless sweep, which measures the actual received balance and escrows it in the pool.
- Credit. The relay submits an epoch proof that credits the swept amount to
the owner’s shielded balance as a new note. The owner’s identifying key stays
private throughout — the proof binds the credit to the public
Hwithout revealing the account. - Reclaim / withdraw. If a swept deposit is never credited, the owner
reclaims it after a cancel delay. Funds that were never swept (e.g. an
unsupported token) can be withdrawn directly from
E.
SDK API shape
The SDK exposes the same high-level portal lifecycle across TypeScript, CLI, WASM, iOS, Android, and React Native:create/createPortalderivesE, gaslessly delegates and registers it, and publishes discovery.list,deposits, andstatusexpose portal and deposit state.sweep/sweepPortaltriggersrequestPortalDepositfrom the connected wallet when an app needs a self-sweep backstop.reclaim/reclaimPortalDepositreclaims an uncredited swept deposit after the cancel delay.withdraw/withdrawPortalsigns an escape-hatch transaction fromEfor raw funds resting at the portal.
E’s key inside core; it never crosses
the binding boundary. Low-level generatePortalEoa and encodePortalWithdraw
remain only as custodial escape hatches for integrations that intentionally
manage their own portal EOA key.
Trust and privacy
The portal is a deposit-only extension: it can only add notes to the shared note tree, never spend or alter existing notes, and it grants no new capability to the relay or TEE.| Actor | Can | Cannot |
|---|---|---|
| Owner | register once; spend credited funds; reclaim / self-withdraw | — |
| Sender | send ERC-20 to public E | learn which account E funds; spend it |
| Sweeper | move E’s balance into the pool | redirect the credit; learn the recipient; alter the amount |
| Relay / prover | build the proof from non-spend values; submit the epoch | change amount/recipient; credit a different account; spend |
| TEE | observe deposits; derive the owner’s note via its registry | sign anything; custody, move, or seize funds |
E was funded. Because a reusable public address makes the
sender ↔ E link public, use one portal per counterparty or rotate portals
when unlinkability between funders matters — these are product-layer mitigations,
not cryptographic guarantees. The discovery registry (E → blind) is
privacy-load-bearing and should be treated as confidential.
Launch limitations
These are known constraints of the current (pre-audit) launch; design around them:status.delegatedalways reportsfalse. The discovery server does not yet compute on-chain delegation status. A portal you just created is delegated regardless of what this field says — do not gate a “ready” check on it.deposit.cancellableAtBlockis always0. The reclaim-eligibility block is not yet computed by the server. Treat0as unknown, not “reclaimable now.”- Sweeping is operator-run with a zero fee. The gross swept amount equals the net credited amount today. A permissionless keeper market with a capped, per-token fee is a later step.
- Registration is write-once per
E. A portal binding cannot be changed after it is set; derive a new portal instead. - Single-chain. Portals credit on a chain that hosts a pool. Multi-chain portals are a planned additive extension, out of first-audit scope.