Token-2022
Solana confidential transfer
Amount privacy on Solana via Token-2022 confidential transfer: ElGamal encryption + ZK proofs encrypt the transfer amount while sender, receiver, and the fact of the transfer stay public. Configure a confidential account, deposit and withdraw between public and confidential balances, transfer privately between wallets, and clean up orphaned proof accounts. Your ElGamal and AES keys are derived in your browser from a wallet signature and never reach the server.
- Change wallet
Connect a wallet to inspect or operate a confidential account.
How it works
Connect your wallet and paste a Token-2022 mint with the confidential-transfer extension. SolKnife reads the mint and your associated token account, classifies the state, and unlocks the operation buttons that apply. The proof worker runs in your browser: it holds the secret keys for the session, builds the ZK proofs (equality, range, validity, zero-ciphertext, 3-handle), and posts only the proof bytes + ciphertexts to the server. The server assembles unsigned transactions, the client re-verifies their structure against a strict allowlist before your wallet signs, and the server self-submits. Multi-tx sagas (Withdraw is 5 transactions, Transfer is 5) are signed in one wallet approval via signAllTransactions.
- Amount privacy
- Only the amount of a transfer is encrypted. The sender, receiver, and the fact a transfer happened are public on Solana, exactly as for any other token transfer.
- Not a mixer
- Confidential transfer is a Token-2022 protocol feature, audited by the Solana ecosystem. It does not obscure addresses, does not pool funds across users, and does not break compliance.
- Auditor key
- An optional ElGamal pubkey set on the mint. Whoever holds the matching secret can decrypt every transfer amount on the mint. A mint with no auditor is private to the parties of each transfer.
- Pending vs available
- Incoming credits land in a pending balance and must be folded into the available balance with ApplyPendingBalance before they can be spent or seen as part of the regular balance.
- Withdraw
- Moves funds from the confidential available balance back to the public token balance. The amount becomes public at this step (that is what makes it a withdraw), but the prior confidential balance is not revealed. Requires two ZK proofs (equality + 64-bit range) and runs as a 5-transaction saga signed in one wallet approval.
- Transfer
- Sends confidential funds to another wallet on the same mint. The amount stays encrypted on-chain (readable only by sender, recipient, and an auditor if one is set); sender, recipient, and the fact a transfer happened are public. Requires three ZK proofs (equality + 3-handle validity + 128-bit range) and runs as a 5-transaction saga signed in one wallet approval. Recipient must already have a configured confidential account on the mint.
- 3-handle validity
- A ZK proof attesting that the same encrypted amount is consistently encoded for three parties at once (sender, recipient, auditor), under a single Pedersen opening. It is what lets a Transfer's amount be readable by each of those three keys while staying private from anyone else.
- Orphan proof accounts
- If a saga is interrupted (tab crash, expired blockhash), the ephemeral context-state accounts the saga created keep holding rent until closed. Withdraw creates two; Transfer creates three. The tool scans the chain for any context-state accounts your wallet authorizes and reclaims the rent in one approval.
Frequently asked
- What does confidential transfer hide, exactly?
- The TRANSFER AMOUNT, and only the amount. Sender pubkey, receiver pubkey, and the fact that a transfer happened on a specific Token-2022 mint are all public on Solana — exactly like every other token transfer. The amount itself is encrypted with ElGamal (readable only by sender, receiver, and an auditor if the mint has one set). This is amount privacy, not pseudonymity, not a mixer.
- Is this anonymous?
- No, and the feature explicitly does not try to be. Anonymity means severing the link between an action and the address that took it; confidential transfer keeps that link fully public. If two wallets you can be tied to use confidential transfer between each other, anyone can see those two wallets transferring on that mint — they just can't see the amounts. For full anonymity on Solana you'd need a shielded pool primitive (none exist natively today).
- How is this different from Aztec, Railgun, or other privacy tools?
- Different category of privacy. Aztec (Ethereum) and Railgun (multi-chain) are SHIELDED POOLS: anyone deposits into a common pool, anyone withdraws to a fresh address, severing the on-chain link between source and destination. That's pseudonymity / unlinkability. Solana's Token-2022 confidential transfer is AMOUNT PRIVACY: the link between sender and receiver stays visible, only the value moved is encrypted. Different scope, different threat model, different use cases — confidential transfer is narrower but native to Solana with no bridging required.
- Can I use this on any Solana token?
- Only on Token-2022 mints with the confidential-transfer extension enabled at creation. Classic SPL Token mints don't support it (no extensions exist), and Token-2022 mints without the extension can't have it added later (extensions are fixed at creation). Most existing Solana tokens — including the major stables and memecoins — are classic SPL Token, so they're out. New tokens deployed with the extension are in.
- How do I enable confidential transfer on my own Solana token?
- Create the mint via SolKnife's create-mint tool with the Confidential Transfer extension toggle on. The extension can't be added to an existing mint — it's fixed at creation time. SolKnife's create-mint sets your wallet as the confidential-transfer config authority and leaves the auditor key unset (so transfers are private to sender and receiver only). Once the mint exists, anyone holding the token can use this tool to operate a confidential balance for it.
- What's an auditor key and should I set one?
- An auditor is an optional ElGamal pubkey set on the mint. Whoever holds the matching secret can decrypt every confidential transfer amount on that mint — useful for regulated stablecoins, compliance-required tokens, or any case where the issuer needs a window into amounts. For a memecoin or a community token, default to NO auditor (which is what SolKnife's create-mint does); leaving it unset keeps transfers fully private between sender and receiver.
- Why does a transfer take multiple transactions?
- Solana imposes a per-tx instruction limit, and the ZK proofs confidential transfer requires (equality + 3-handle validity + 128-bit range for Transfer) are large enough that posting them individually + executing the transfer takes 5 transactions in a saga. SolKnife pre-signs all 5 in one wallet approval via signAllTransactions, then submits them serially. From the user's perspective it's one approval; behind the scenes the chain sees a 5-tx sequence.
- What happens if a transaction fails mid-saga?
- The first few transactions in a saga create ephemeral 'context-state' accounts that hold the ZK proof bytes for later verification. If the saga is interrupted (blockhash expires, tab crashes, RPC hiccup), those context-state accounts stay on-chain holding rent. SolKnife's orphan-reclaim flow scans for any context-state your wallet authorizes and closes them — you get the rent back. This is exposed in the same tool under the orphan-reclaim section.
- What does this cost?
- Per operation: the Solana network fee per transaction (a few thousand lamports each), rent for any newly created accounts (the confidential balance account is rent-funded once when configured), and a small SolKnife fee per operation type (deposit, apply, withdraw, transfer, reclaim) — each shown before you sign, configurable by the operator and listed on the pricing page. Withdraw and Transfer cost more network fees because they're 5-tx sagas; the SolKnife fee on each is a single flat amount per saga, not per sub-tx.
- How are my ElGamal and AES keys generated? Are they custodial?
- They're derived in your browser from a wallet signature — the SPL Token CLI standard. Specifically: the wallet signs a fixed seed message (always the same bytes for a given mint), the signature is deterministic (RFC 8032 ed25519), and SolKnife runs a Web Worker that hashes the signature into the ElGamal seed and the AES key. The keys live in the Web Worker's memory for the session and are discarded when you close the tab. The server never sees them. This is fully non-custodial — disconnect the wallet and the keys regenerate the next time you connect.
- Is the underlying ZK Proof Program audited?
- The Solana ZK ElGamal Proof Program is part of the protocol itself — implemented and audited by the Anza team (formerly Solana Labs) and the Solana Foundation. It was temporarily disabled in 2024 over a verifier issue and re-enabled on mainnet in May 2026 (verified live on-chain). SolKnife's confidential-transfer tool stayed dark during the disable window and lit back up when the program returned. The proof program is shared infrastructure; not specific to SolKnife or any individual app.
- Can wallets and explorers display my confidential balance?
- Wallets see the public balance plus a separate 'confidential balance' line. Explorers see the encrypted ciphertext as opaque bytes — they can't decrypt. To see the actual decrypted balance, you need to sign with the wallet (the signature gives the worker the ElGamal secret). That's what SolKnife shows when you open this tool: the public balance, plus the decrypted confidential balance after a single wallet signature for key derivation.
New to this? Read how Solana confidential transfer works.