PHASE A · DEVNET BETA · FEE 0

On-chain privacy hides what you sent.
Zolana also hides that it was you.

Confidential Solana transfers leak at the network layer: your IP, your RPC provider, your timing, your habits. Zolana is the metadata-privacy layer that closes those leaks — riding proven on-chain privacy and a real mixnet, never inventing its own cryptography.

Devnet beta. Use test funds only. Wait-tolerable transfers — real privacy costs seconds, and we say so.
  • PHASE 1/4 · You approve — the proof is built locally, nothing leaves in the clear
  • PHASE 2/4 · Three independent mix hops — your packet is indistinguishable from cover traffic
  • PHASE 3/4 · The shielded pool locks it — amount and recipient are hidden on-chain
  • PHASE 4/4 · A relayer delivers the claim — the recipient pays no gas, leaves no trail

[Diagram: Sender (your wallet) → Nym mixnet (origin IP masked · 3 independent hops · cover traffic) → Shielded pool (Umbra · Arcium MPC; 0.050 SOL, hidden) → Relayer (pays the gas · no trail) → Recipient (unlinked from deposit). Stage labels: SIGN LOCALLY, MIXNET · IP MASKED, SHIELDED · AMOUNT HIDDEN, RELAYED · NO GAS]
one looping transfer, real sequence — every byte (RPC reads, proof assets, relayer submits, MPC polling) leaves through the mixnet, or not at all
THE GAP

Shielded pools don't protect you from your own connection.

Use any on-chain privacy protocol over a normal connection and three observers still learn plenty: your RPC provider sees every account you query and every transaction you submit; your ISP sees when and how often you interact; the protocol's own indexer and relayer see your IP next to your privacy operations. The chain hides the payload — nobody hides the envelope. That envelope is Zolana's entire job.

Origin-IP masking

All app egress is routed through the Nym mixnet — a 3-hop, packet-mixing network with its own anonymity set. Your RPC provider and the protocol's infrastructure see a mixnet exit, not you.

verified live: exit IP ≠ origin IP (T18)

Fail-closed by design

If the mixnet is unavailable in strict mode, the action is blocked — never silently downgraded to a clearnet request. A less-private fallback requires your explicit choice, every time.

CLAUDE §5/§6 enforced in CI

Truthful privacy health

Every privacy statement ships with its observer model and anonymity-set context. We tell you what is protected against whom — and what isn't, including at cold-start when the set is small (minimal on devnet, Umbra's active pool on mainnet).

per-observer, never absolute
HOW IT WORKS

Three layers. We ride two, we build the one nobody ships.

Zolana deliberately writes no cryptography of its own. On-chain confidentiality and the mixnet are proven systems we integrate behind swappable adapters — our layer is the seam that makes them leak-free together, plus the behavioral noise and honest scoring on top.

L1 · ON-CHAIN
Confidential transfers & shielded notes
Groth16 zero-knowledge proofs + Arcium MPC hide amount and recipient on-chain. Claims go through a relayer, so the recipient needs no gas and leaves no funding trail.
Umbra Privacy · we ride
L2 · NETWORK
Mixnet transport
Sphinx-packet mixing over three independent hops with cover traffic. The transport layer for every RPC call, indexer read, and relayer submission Zolana makes.
Nym · we ride
L3 · VEIL
The metadata seam
One injected transport for every egress path (RPC, indexer, prover assets, relayer, MPC monitor) — fail-closed; ZK proving assets bundled locally so proving doesn't phone home; local claim/withdraw scheduling with timing jitter; per-observer privacy health with anonymity-set context.
Zolana · we build
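
One way to express the fail-closed rule and the single injected transport described above, as an added example that is not Zolana's code. The path names, `decideEgress`, `createTransport`, the `clearnetConsent` flag and the reading that strict mode ignores consent are assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not Zolana's API.
const EGRESS_PATHS = new Set(["rpc", "indexer", "prover-assets", "relayer", "mpc-monitor"]);

class EgressBlockedError extends Error {}

// Pure policy: where may this one request go? "clearnet" is never a default.
function decideEgress(path, state, opts = {}) {
  if (!EGRESS_PATHS.has(path)) return { route: "block", reason: "unregistered egress path" };
  if (state.mixnetReady) return { route: "mixnet", reason: "mixnet available" };
  if (state.strict) return { route: "block", reason: "mixnet unavailable in strict mode" };
  // Assumption: outside strict mode, consent is a per-call flag and is never stored.
  if (opts.clearnetConsent === true) {
    return { route: "clearnet", reason: "explicit consent for this request" };
  }
  return { route: "block", reason: "mixnet unavailable and no consent given" };
}

// The one transport handed to every component that talks to the network.
function createTransport({ mixnetFetch, clearnetFetch, state, audit = [] }) {
  return async function send(path, url, init = {}, opts = {}) {
    const decision = decideEgress(path, state, opts);
    audit.push({ path, route: decision.route, reason: decision.reason });
    if (decision.route === "block") throw new EgressBlockedError(decision.reason);
    if (decision.route === "clearnet") return clearnetFetch(url, init);
    try {
      return await mixnetFetch(url, init);
    } catch (err) {
      // A mixnet error mid-request is surfaced to the caller, not retried over clearnet.
      throw new EgressBlockedError(`mixnet send failed: ${err.message}`);
    }
  };
}

// Constructed scenario: mixnet down, non-strict mode, no consent given.
for (const path of EGRESS_PATHS) {
  console.log(path, decideEgress(path, { strict: false, mixnetReady: false }).route);
}
```

Components receive only `send`, so none of them holds a direct reference to a clearnet fetch, and the `audit` array gives a test something to assert on when checking that strict mode made zero clearnet requests.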
HONEST COMPARISON

Why not just use Umbra directly? Why not an EVM shielded pool?

Both are good systems — this is a scope comparison, not a security ranking. Umbra is our L1; Zolana adds the network/metadata layer around it. EVM pools like Railgun solve L1 confidentiality on Ethereum-family chains and leave network metadata to the user. Zolana is Solana-native and treats the metadata layer as the product.

| Capability | Zolana | Umbra SDK directly | EVM shielded pools (e.g. Railgun) |
| --- | --- | --- | --- |
| Chain | Solana | Solana | Ethereum-family (EVM) |
| On-chain confidentiality (amount/recipient hidden) | Yes — via Umbra (Groth16 + Arcium MPC) | Yes (same L1) | Yes (own ZK pool) |
| Origin-IP protection for RPC reads & submits | Yes — all egress over Nym mixnet | No — your fetch/RPC, your IP | Not built-in — user must add Tor/VPN/private RPC themselves |
| Indexer/relayer see your IP? | No — relayer & indexer calls are mixnet-routed | Yes by default (clearnet fetch) | Depends on user setup |
| ZK proving assets | Bundled locally — proving never phones home | Fetched from CDN at prove-time by default | Varies by wallet/integration |
| Silent clearnet fallback | Never — fail-closed, explicit consent required | n/a (no transport policy) | n/a (no transport policy) |
| Recipient gas / funding trail | None — relayer-submitted claim, mixnet-routed | None — relayer-submitted claim (clearnet IP visible) | Relayer network available |
| Privacy reporting | Per-observer health score with anonymity-set context | | |
| Latency posture | Honest: seconds per round-trip, stated upfront | Fast (clearnet) | Fast (clearnet) |

Scope comparison as of June 2026, based on public docs and our live measurements; "directly" means the SDK with default transports. No claim here is a security ranking — each system's cryptography is its own and unbroken as far as we know. Corrections welcome.
MEASURED, NOT PROMISED

Numbers from live runs, not a pitch deck.

2.3s
median RPC round-trip over the live mixnet (vs 0.38s direct) — the honest cost of L2 privacy
4/4
stages of a full private A→B transfer verified on-chain on devnet: shield, send, claim, withdraw
0
clearnet requests in strict mode — including ZK assets, indexer reads and relayer submits
0
fees in Phase A — and no token; the beta is free by design
NO MAGIC CLAIMS

What Zolana does — and what it honestly doesn't.

Privacy products fail people when they oversell. Our claims are per-observer and bounded; here is the boundary.

Zolana protects against

  • A single passive observer — your RPC provider, your ISP, or any one network vantage point: the goal is to close this vector to near-chance, and it is tested in CI against devnet.
  • Deposit→claim linkage — the on-chain note hides the amount and the recipient, and the link between a specific deposit and a specific claim is hidden within the pool's anonymity set; the claim is relayer-submitted, so the recipient pays no gas and leaves no funding trail.
  • Network origin — in strict mode your IP and request timing are masked from the RPC, indexer and relayer; no central party sees your address next to your IP.
  • Prove-time leaks — proving uses locally bundled circuits, so "this IP is about to do a private operation" is not broadcast.

Zolana does not claim to defeat

  • That you used the pool — your wallet publicly signs the deposit (and the public indexer lists it as the note's sender), and the relayer's claim transaction publicly names the recipient's wallet. What's hidden is who you paid, the amount, your network origin, and which deposit funded which claim — not the fact that you used Zolana.
  • A global passive observer watching all network links at once — out of scope, stated plainly.
  • Active multi-hop collusion — an adversary running or compromising several mixnet hops has its cost raised, not eliminated; we publish the model, never "closed".
  • Tiny anonymity sets — privacy is statistical and only as strong as the crowd. On devnet the set is minimal (a test crowd), so deposits and claims can be correlated by amount and timing; on mainnet it rides Umbra's active pool. We flag this posture rather than hide it.
  • Your own opsec — pasting an address into a public block explorer, or funding the recipient's wallet from the sender, steps outside Zolana's boundary; we warn, we can't cover it.

Try a private transfer on devnet — watch every step happen live.