FAQ

Dust gives you strong on-chain privacy for payments and swaps, but it is not a silver bullet. Privacy depends on correct usage: using the Privacy Pool with a large anonymity set, waiting the recommended time before withdrawing, and not reusing claim addresses. Network-level metadata (IP address, timing) is outside what Dust can protect.

To receive and claim payments: no. Stealth claims are gasless — the DustPaymaster sponsors all claim transactions. To send a payment, you need a small amount of ETH in your regular wallet to cover the send transaction gas (~21,000–50,000 gas).

During the testnet phase, .dust name registration is free. Mainnet pricing has not been announced yet.

Funds already claimed to your regular wallet are not affected — they are in your standard wallet, controlled by your seed phrase. Unclaimed stealth payments (sitting at stealth addresses) require your PIN to claim. Private pool and swap deposits require their locally-stored deposit notes to withdraw — neither the PIN nor the stealth keys alone are sufficient for ZK withdrawals.

Yes, and this is expected. Each payment produces a completely different one-time stealth address — the sender picks a fresh random ephemeral key every time. Two people paying alice.dust at the same time produce two entirely unrelated stealth addresses with no on-chain link.

DustPool V2 proofs use FFLONK (no trusted setup) and take approximately 2–3 seconds for the standard 2-in-2-out circuit. Split circuit proofs (2-in-8-out for denomination privacy) take 4–5 seconds. DustSwap proofs use Groth16 and take ~1–2 seconds. The proving key files (~50MB) are downloaded once and cached by the browser.

Yes. All proof generation happens entirely in your browser using WebAssembly. The proving key and circuit WASM are public files hosted alongside the app. No private inputs (nullifier, secret, stealth key) are ever sent to any server.

In DustPool V2, the anonymity set is the number of notes in the off-chain Merkle tree at the time you generate your proof. V2 uses a UTXO model — each deposit creates a note, and the proof references a specific Merkle root. The set includes all notes inserted before that root. Because V2 supports arbitrary amounts (unlike fixed-denomination mixers), the anonymity set grows with every deposit regardless of amount.

Yes. The app is fully responsive. ZK proof generation works on mobile browsers (Chrome/Safari on iOS and Android). Proof generation may take 3–5 seconds on lower-end devices due to the WASM computation.

DustSwap requires Uniswap V4, which is currently only deployed on Ethereum Sepolia in our configuration. Thanos Sepolia has stealth transfers and the Privacy Pool. DustSwap support for Thanos will be added when a V4 deployment is available.

ERC-5564 is an Ethereum standard that defines the format for announcing stealth address payments on-chain. It specifies how the ephemeral public key and the stealth address are published so any recipient scanner can try to detect payments meant for them.

ERC-6538 is a registry standard that maps wallet addresses to stealth meta-addresses. It allows anyone to look up whether a given wallet address has a registered stealth meta-address, enabling payments without requiring a .dust name.

Dust Protocol has undergone an internal security audit covering circuits, contracts, relayer, and frontend. 16 findings were identified and resolved across critical, high, medium, and low severity levels. The contracts include security hardening: Pausable, Ownable2Step, chainId binding, solvency tracking, and compliance screening. A formal third-party audit is planned before mainnet deployment. Do not use mainnet funds on testnet.

V1 uses a simple mixer model with Groth16 proofs and a fixed commitment structure (Poseidon of nullifier, secret, and amount). V2 uses a ZK-UTXO model with FFLONK proofs (no trusted setup), arbitrary-amount deposits, a 2-in-2-out transaction circuit, and a 2-in-8-out split circuit for denomination privacy. V2 also adds compliance screening (Chainalysis oracle), deposit cooldowns, and encrypted note storage.

FFLONK is a zero-knowledge proof system that requires no trusted setup ceremony (unlike Groth16). It is 22% cheaper to verify on-chain than Groth16 when there are 8+ public signals. DustPool V2 uses FFLONK for all pool proofs. DustSwap still uses Groth16.

After depositing to DustPoolV2, there is a 1-hour cooldown period during which withdrawals can only go to the original depositor's address. After the cooldown expires, funds can be withdrawn to any address. This gives compliance systems time to flag suspicious deposits before funds can be mixed.

A view key is a pair of values (ownerPubKey + nullifierKey) derived from your stealth keys that allows a third party to verify your transaction history without gaining spending authority. You can generate a disclosure report from Settings that lists all your notes with Poseidon commitment verification. Useful for tax reporting, audits, or regulatory compliance.

No. The view key contains the ownerPubKey and nullifierKey but not the spending key. The holder can see all your deposits, transfers, and which notes are spent, but cannot generate valid withdrawal proofs. Only the spending key (derived from wallet signature + PIN) can authorize fund movement.

When you withdraw a specific amount (e.g., 7.3 ETH), the amount itself can be used to correlate your deposit and withdrawal. The split circuit breaks withdrawals into common denomination chunks (10, 5, 3, 2, 1, 0.5, etc.) submitted as separate transactions with randomized timing. An observer sees only standard-looking amounts with no obvious pattern linking them to your original deposit.

Yes. DustPoolV2 integrates with the Chainalysis sanctions oracle. Every deposit checks the depositor's address against the sanctions list. If the address is flagged, the transaction reverts. This prevents sanctioned funds from entering the privacy pool while preserving privacy for legitimate users.

The contract maintains a root history (100 past roots). Your proof can reference any recent valid root. If a reorg invalidates the latest root, older roots remain valid. The relayer also maintains tree checkpoints for recovery.

The contract code is available in the project repository. The full source for the circuits, contracts, and app is accessible for review. See the Smart Contracts page for source file paths.

V2 deposit notes are encrypted with AES-256-GCM and stored in your browser's IndexedDB (not plaintext localStorage like V1). Go to Settings to export your notes. Store the exported data in a password manager or encrypted storage. Notes are bearer instruments — anyone with the decrypted note data can generate a withdrawal proof.