Circuits

Spend circuit

The most complex circuit. Proves five things simultaneously, all in zero knowledge:

1Both input notes belong to the caller — the spending key matches both commitments.
2Both input commitments are members of the current Merkle tree (membership proof).
3Nullifiers are correctly derived: nullifier = Poseidon2(privkey, commitment).
4Output commitments are correctly formed for the specified recipients.
5Conservation of value: sum(inputs) == sum(outputs).

Public inputs

typescript

token:            Field  // ERC-20 address as field
merkleRoot:       Field  // current on-chain root
nullifiers[2]:    Field  // consumed input notes
newCommitments[2]:Field  // output notes
amount:           Field  // total output to recipient
recipient:        Field  // address(0) for private transfers

←Shield circuit

Poseidon2 hash→