SHIELDED SATS · 6 PICTURES

ZeroSats

Private UTXOs in one Merkle tree. Zero-knowledge spends. Lightning in and out.

01 — NOTES

A UTXO nobody can see

Value lives in notes. The chain never sees the note — only its hash, the commitment:

NOTE — only you have it value21 000 sats ownerH(your key) ψrandomness ✗ private — never leaves your wallet hash 0x8a4f… commitment · ✓ public
Like a UTXO — but the amount and the owner are inside the hash. ψ makes two identical notes hash differently.
02 — THE TREE

The chain stores one number

Every commitment is a leaf in one sparse Merkle tree, 160 levels deep. Consensus only carries the root:

your note root the only public state · 0x8a4f… drawn: 3 levels · real: 160
Your wallet keeps the note + its Merkle path. Prove membership with 160 sibling hashes — no scanning, no addresses.
03 — THE NULLIFIER

Spending deletes the leaf

No nullifier list à la Zcash — the tree is the nullifier set. A spend proves the old root contained the note and the new root doesn't:

your note root old root · 0x8a4f… NEW root · 0x3f71…
Tap it. The leaf dies, the root changes — double-spend impossible.
04 — NO INFLATION

Nobody prints sats in the dark

Every spend is 2-in-2-out and the circuit enforces Σ in = Σ out — proven, not audited:

in #1 15 000 in #2 6 000 zk circuit Σ in == Σ out to friend 18 000 change → you 3 000 observers see: four random hashes
Inputs die, outputs are fresh leaves — no link between them. Supply provably conserved.
05 — ON-CHAIN FOOTPRINT

A block = one proof

Spends fold into each other recursively. The contract checks one thing: old root → new root, proof valid:

spendspendspend spendspendspend 1 recursive proof rollup contract 0x8a4f… → 0x3f71… anchored to Bitcoin · no rollbacks
That root transition is the entire on-chain footprint of every private payment inside it.
06 — LIGHTNING

⚡ Atomic in, atomic out

You already know the trick: an invoice settles only by revealing its preimage s. The swap escrow is locked to the same s — it's one more HTLC, living on-chain:

LEG 1 — LIGHTNING ⚡ you pay 21 000 sats to the provider settling the HTLCs reveals the secret s along the route reveals s s the preimage one 32-byte secret · two locks s opens it LEG 2 — ON-CHAIN ESCROW 21 000 sats locked → mints your note opens only if SHA256(s) matches unclaimed? refunds after a timeout atomic by math, not by trust
Both legs or neither — nobody custodies your sats. Withdraw is the mirror: your invoice, your preimage, their escrow. A substitutor fronts funds for speed; it can't redirect them.

Edges public.
Middle invisible.

Mints and burns show amount + timing — everything between them is one hash.