Shielded Swap

Function Signature

function shieldedSwap(
    ShieldedSwapParams calldata params,
    bytes calldata proof
) external nonReentrant

Parameters Struct

struct ShieldedSwapParams {
    bytes32[6] noteNullifiers;
    bytes32 txNullifier;
    bytes32 root;
    bytes32 noteChangeCommitment;
    bytes32 noteFeeChangeCommitment;
    bytes32 selector;                    // Uniswap function selector
    SwapRouterArgs routerArgs;
    bytes32 receivingKeyCommitment;      // Owner commitment for output note
    bytes32[9] ciphertextChange;
    bytes32[9] ciphertextFeeChange;
    bytes32[6] ciphertextSwap;           // Half-encrypted swap output
    GasFee gasFee;
    bytes32 nullifiersHash;
    bytes32 fee;
    bytes32 feeTokenAddress;
}

struct SwapRouterArgs {
    bytes32 amountIn;
    bytes32 amountOutMin;
    bytes32[4] path;                     // Token addresses (max 4)
    bytes32 pathLength;
    bytes32 deadline;
}

Execution Steps

Check transaction nullifier is unused
Check Merkle root is valid
Build public inputs (52 elements: VIRTUAL_CHAIN_ID + UNISWAP_V2_ROUTER + 50 params)
Validate public inputs and verify ZK proof
Spend note nullifiers and record transaction nullifier
Build swap path from routerArgs.path and pathLength
Check output token is whitelisted
Snapshot balance before swap
Execute Uniswap V2 swap (see below)
Measure output via balance delta
Compute swap output note commitment using actual output amount
Build full ciphertext (circuit's 6 fields + value + coinId + 0)
Add 3 note commitments to Merkle tree (swap output, change, fee change)
Pay relayer fee
Emit ShieldedSwap event

Swap Execution

The contract selects the appropriate Uniswap V2 function based on the selector:

Selector

Function

Fee-on-Transfer Variant

0x38ed1739

swapExactTokensForTokens

swapExactTokensForTokensSupportingFeeOnTransferTokens

0x7ff36ab5

swapExactETHForTokens

swapExactETHForTokensSupportingFeeOnTransferTokens

0x18cbafe5

swapExactTokensForETH

swapExactTokensForETHSupportingFeeOnTransferTokens

The contract automatically selects the fee-on-transfer variant if any token in the swap path is marked as ERC20_FEE_ON_TRANSFER in the whitelist.

For ERC-20 input tokens, the contract approves the Uniswap router to spend amountIn using forceApprove.

Output Note Computation

The swap output note commitment is computed on-chain:

commitment = _commitNote(
    receivingKeyCommitment,                        // From circuit
    _commitNoteValue(amountOut, outputToken, 0),   // From swap result
    nullifiersHash                                 // From circuit
);

The full 9-field ciphertext is assembled from:

Fields 0-5: Circuit's ciphertextSwap (ownership encryption)
Field 6: amountOut (actual swap output)
Field 7: outputToken address
Field 8: 0 (value_trapdoor is always 0 for swaps)

PreviousShielded Withdrawal NextKey Registry

Last updated 4 minutes ago

Good morning

hashtagFunction Signature

hashtagParameters Struct

hashtagExecution Steps

hashtagSwap Execution

hashtagOutput Note Computation

Function Signature

Parameters Struct

Execution Steps

Swap Execution

Output Note Computation