Most privacy solutions force a choice: full privacy or full transparency. Privacy Boost doesn’t. For regulated deployments — stablecoin networks, RWA platforms, payment systems — Privacy Boost provides scoped disclosure: authorized auditors can inspect specific accounts without breaking privacy for everyone else. Every query leaves an immutable onchain trail.

What This Enables

  • For regulators: verified, account-level access with cryptographic identity binding (EIP-712 signatures). No way to query without leaving a trail.
  • For users: privacy by default. Only explicitly authorized auditors can access your data, and you can verify onchain exactly who accessed what and when.

How It Works

The audit system combines three components:
  1. AuditGateway contract — An onchain registry of authorized auditors. Only registered addresses can query.
  2. Audit API — Server-side endpoints that return account-specific data to verified auditors.
  3. Onchain audit log — Every query is logged immutably onchain.
Note: Audit logging is performed asynchronously: the log transaction is submitted in the background after the query response is returned, and in practice appears onchain within seconds. Because the response does not wait for that transaction, the completeness of the trail depends on the server actually submitting it and on the transaction being mined; a query whose log transaction is dropped or fails has already been answered by the time that failure is visible.

Access Control

Audit requests pass through three verification layers:
Layer | Mechanism | Rejects if
--- | --- | ---
Server-level key | Infrastructure secret header | Missing or invalid
EIP-712 signature | Auditor signs the query with their EOA key | Signature invalid or address mismatch
Onchain registry | Contract checks auditor registration | Address not registered as auditor

What Auditors Can Access

Auditors can query two things for a specific account:

Transaction History

Paginated list of all transactions (deposits, transfers, withdrawals) for a given account, including:
  • Transaction type and direction (in/out)
  • Token ID and amount
  • Counterparty (account ID for shielded transfers, Ethereum address for deposits/withdrawals)
  • Timestamp

Current Balances

Aggregated token balances for a given account, including the number of unspent notes per token.

How Auditors Get the Data

Auditors don’t decrypt anything themselves. They don’t need viewing keys and never interact with onchain ciphertexts. Here’s what happens:
  1. The TEE server has already decrypted all transaction metadata as part of its normal indexing process. This data is stored inside the TEE’s encrypted database, organized by account.
  2. When an auditor submits a signed query for a specific account, the TEE verifies their authorization.
  3. If authorized, the TEE returns only the requested scope — that one account’s history or balance.
  4. The query is logged onchain asynchronously.
The auditor never sees encryption keys, other accounts' data, or anything beyond the specific account they queried. This scoping is enforced by the query logic running inside the TEE rather than by per-account keys held by the auditor, so the guarantee rests on the integrity of the TEE and the code it runs.

What Auditors Can and Cannot Do

Can:
  • View transaction history for a specific account
  • View current balances for a specific account
  • Filter transactions by type
Cannot:
  • Access private keys or viewing keys
  • Move funds or modify pool state
  • Query without leaving an onchain audit trail
  • Perform blanket surveillance across all accounts
  • Decrypt onchain ciphertexts directly

Onchain Audit Log

After every audit query, the server logs it onchain. This creates an immutable record that:
  • Cannot be deleted or modified by anyone
  • Is publicly verifiable — anyone can check the audit trail
  • Holds auditors accountable — excessive or unauthorized access is permanently recorded
The AuditGateway contract is standalone. It has no connection to the shielded pool and cannot affect fund storage or movement.

Auditor Lifecycle

Action | Who | How
--- | --- | ---
Add auditor | Contract owner | Register address in AuditGateway
Remove auditor | Contract owner | Remove address from AuditGateway
Query data | Registered auditor | Sign EIP-712 request, call audit API
Review audit trail | Anyone | Read audit events from the contract
Audit queries use EIP-712 typed-data signatures, so the auditor's wallet displays structured, human-readable fields instead of opaque hex. The domain separator binds each signature to a specific chain ID and verifying contract, which prevents a signed query from being replayed on another chain. It does not by itself prevent the same signed query from being resubmitted on the same chain; that requires a nonce or expiry inside the signed message.
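As an added example (not Privacy Boost's own code, which is not published on this page), the block below computes the EIP-712 digest an auditor would sign for a hypothetical AuditQuery struct and shows how the domain separator binds it to a chain ID and verifying contract, which is what makes cross-chain replay fail. The struct fields (accountId, queryType, nonce), the domain name and version, the gateway address and the account ID are all assumptions. A pure-Python keccak-256 is included so the example runs without third-party packages. secp256k1 signing and ecrecover are not shown: at this verification layer the server's job is to recompute exactly this digest, recover the signer address from the submitted signature, and compare it against the AuditGateway registry.

```python
# Added example, not Privacy Boost code. EIP-712 digest for a hypothetical
# AuditQuery struct plus a self-contained keccak-256. Struct schema, domain
# name/version, gateway address and account id are assumptions for illustration.

MASK64 = (1 << 64) - 1


def _keccak_constants():
    """Round constants (via the spec's LFSR) and rho rotation offsets."""
    rc = []
    for ir in range(24):
        word = 0
        for j in range(7):
            r = 1
            for _ in range(j + 7 * ir):
                r <<= 1
                if r & 0x100:
                    r ^= 0x171  # x^8 + x^6 + x^5 + x^4 + 1, with bit 8 cleared
            word |= (r & 1) << ((1 << j) - 1)
        rc.append(word)
    rot = [[0] * 5 for _ in range(5)]
    x, y = 1, 0
    for t in range(24):
        rot[x][y] = ((t + 1) * (t + 2) // 2) % 64
        x, y = y, (2 * x + 3 * y) % 5
    return rc, rot


_RC, _ROT = _keccak_constants()


def keccak256(data: bytes) -> bytes:
    """Keccak-256 with the original 0x01 padding, as used by Ethereum (not SHA3-256)."""
    rate = 136  # bytes absorbed per permutation for a 256-bit output

    def rol(v, n):
        return ((v << n) | (v >> (64 - n))) & MASK64

    def permute(a):  # 25 lanes; lane (x, y) lives at index x + 5*y
        for rnd in range(24):
            c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
            d = [c[(x - 1) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
            a = [a[i] ^ d[i % 5] for i in range(25)]  # theta
            b = [0] * 25
            for x in range(5):
                for y in range(5):  # rho + pi: B[y][2x+3y] = rot(A[x][y])
                    b[y + 5 * ((2 * x + 3 * y) % 5)] = rol(a[x + 5 * y], _ROT[x][y])
            a = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])
                 for i in range(25)]  # chi
            a[0] ^= _RC[rnd]  # iota
        return a

    padded = bytearray(data) + b"\x01" + b"\x00" * ((-(len(data) + 1)) % rate)
    padded[-1] ^= 0x80
    state = [0] * 25
    for off in range(0, len(padded), rate):
        block = padded[off:off + rate]
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        state = permute(state)
    return b"".join(state[i].to_bytes(8, "little") for i in range(4))


def _uint256(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _address(addr: str) -> bytes:
    return int(addr, 16).to_bytes(32, "big")  # ABI-encoded: left-padded to 32 bytes


DOMAIN_TYPE = b"EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"
# Hypothetical struct; the real AuditQuery schema is not published on this page.
AUDIT_QUERY_TYPE = b"AuditQuery(bytes32 accountId,string queryType,uint256 nonce)"


def domain_separator(name: str, version: str, chain_id: int, verifying_contract: str) -> bytes:
    """hashStruct(EIP712Domain): this is what ties a signature to one chain and one contract."""
    return keccak256(keccak256(DOMAIN_TYPE) + keccak256(name.encode()) + keccak256(version.encode())
                     + _uint256(chain_id) + _address(verifying_contract))


def hash_audit_query(account_id: bytes, query_type: str, nonce: int) -> bytes:
    """hashStruct(AuditQuery): dynamic types (string) are hashed, static types encoded in place."""
    return keccak256(keccak256(AUDIT_QUERY_TYPE) + account_id + keccak256(query_type.encode()) + _uint256(nonce))


def audit_query_digest(chain_id: int, verifying_contract: str, account_id: bytes, query_type: str, nonce: int) -> bytes:
    """The 32-byte digest the auditor's EOA key signs: keccak256(0x19 0x01 || separator || hashStruct)."""
    sep = domain_separator("PrivacyBoostAudit", "1", chain_id, verifying_contract)  # assumed name/version
    return keccak256(b"\x19\x01" + sep + hash_audit_query(account_id, query_type, nonce))


# Constructed sample inputs, not a real deployment.
GATEWAY = "0x000000000000000000000000000000000000AAAA"
ACCOUNT = bytes.fromhex("11" * 32)


def cross_chain_replay_blocked() -> bool:
    """Same query, same contract, different chainId: the digests differ, so a signature made
    for one chain does not recover to the auditor's address when another chain's server checks it."""
    mainnet = audit_query_digest(1, GATEWAY, ACCOUNT, "history", 7)
    sepolia = audit_query_digest(11155111, GATEWAY, ACCOUNT, "history", 7)
    return mainnet != sepolia


if __name__ == "__main__":
    print("digest (chainId 1):", audit_query_digest(1, GATEWAY, ACCOUNT, "history", 7).hex())
    print("cross-chain replay blocked:", cross_chain_replay_blocked())
```

Note that the same-chain case is the one the domain separator does not cover: two submissions of an identical signed query produce the identical digest, and only the `nonce` field in the signed struct (assumed here) lets the server tell a fresh query from a resubmitted one.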

Next Steps