Withdrawals

Shielded Balance

Your shielded balance is the sum of all unspent UTXO notes held in DustPool V2. Each note is an encrypted commitment that only your spending key can unlock. The balance updates automatically as you deposit, withdraw, or receive transfers.

How Withdrawal Works

Withdrawing from DustPool V2 consumes one or two of your shielded UTXO notes and produces an FFLONK zero-knowledge proof that you own them — without revealing which notes are yours. The proof is submitted to the relayer, which verifies it on-chain and transfers funds to your chosen recipient address.

1. 01

   Select input notes

   The app finds the smallest unspent note that covers your withdrawal amount. Any excess is returned as a new change note — similar to Bitcoin's UTXO model.
2. 02

   Generate FFLONK proof in-browser

   Your browser runs the 2-in-2-out transaction circuit (~12,400 constraints) via snarkjs + WASM. The proof takes roughly 2–3 seconds to generate. No trusted setup is required.
3. 03

   Submit proof to relayer

   The proof and public signals are sent to the same-origin relayer at /api/v2/withdraw. The relayer screens the recipient via the Chainalysis sanctions oracle, then submits the proof to DustPoolV2.withdraw() on-chain.
4. 04

   On-chain verification and transfer

   The contract verifies the FFLONK proof, checks nullifier freshness, validates chain ID binding, confirms pool solvency, marks nullifiers as spent, and transfers ETH to the recipient.

Note Selection

The app automatically selects the smallest unspent note whose value is greater than or equal to the withdrawal amount. If the note is larger than the requested amount, the difference is returned as a new shielded change note that appears in your balance immediately.

Pending notes (deposits still awaiting Merkle tree inclusion) are excluded from selection. Only confirmed notes with a valid leaf index are eligible.

The 2-in-2-out Circuit

The transaction circuit consumes up to 2 input notes and produces up to 2 output notes (withdrawal + change). It enforces balance conservation: the sum of inputs equals the sum of outputs plus the public withdrawal amount.

The chain ID is included as the 9th public signal to prevent cross-chain proof replay. A proof generated on Ethereum Sepolia cannot be submitted on Thanos Sepolia.

Denomination Privacy

Withdrawing an unusual amount (e.g. 1.37 ETH) creates a unique fingerprint that can be correlated with deposits. The split circuit (2-in-8-out, ~32,074 constraints, 15 public signals) automatically decomposes your withdrawal into common denomination chunks. Each chunk is submitted as a separate transaction with randomized timing delays, making each one indistinguishable from other withdrawals of the same denomination.

ETH Denomination Table

For example, withdrawing 1.0 ETH splits into three chunks: 0.5 + 0.3 + 0.2 ETH. The relayer submits each chunk with a random delay between them, so an observer sees three standard-denomination withdrawals with no obvious timing pattern.

If the number of chunks is high, the UI suggests nearby round amounts that decompose into fewer chunks — fewer on-chain transactions means less opportunity for correlation.

Compliance Cooldown

Deposits exceeding $10,000 USD (the BSA/AML reporting threshold) trigger a 1-hour compliance cooldown. During this period, withdrawal of the affected notes is restricted to the original depositor's address only. This gives compliance systems time to screen the deposit via the Chainalysis sanctions oracle.

The UI displays an amber countdown timer when a selected note is in cooldown. You can either wait for the cooldown to expire or set the recipient to the original depositor address to proceed immediately.

Recipient Address

The recipient defaults to your currently connected wallet address. For maximum privacy, use a fresh address that has no on-chain history linking it to your identity. The ZK proof hides which notes you spent, but if the recipient address is already associated with you, the privacy benefit is reduced.