How confidential transfer works on Solana
By @solknifexyz · Reviewed
Solana's Token-2022 program ships a confidential transfer extension. Tokens that opt into it can move on-chain with the amount hidden, while sender and recipient stay public. It is amount privacy, not anonymity, and it is enforced by the runtime rather than by a third-party app.
What it hides, what it does not
Confidential transfer is precise about its claim. The amount of a transfer is encrypted under the parties' ElGamal keys, and only they (and the auditor, if one is set) can read it. Everyone else on the chain sees that a transfer happened and which two addresses were involved.
That means it is not a mixer. Sender and recipient do not become anonymous, balances do not pool, and address graphs are still public. If you need address-level privacy on Solana, this is not the tool. What it does give you is that your salary or your invoice no longer sits in plaintext on the public ledger.
What changes for a token to support it
Confidential transfer is an extension on the Token-2022 program, which is the newer SPL Token program. A mint opts in at creation time and that decision is permanent. Classic SPL tokens cannot use confidential transfer at all, and a Token-2022 mint that was created without the extension cannot add it later.
Holders also opt in per account. Even on a confidential-transfer mint, each wallet has to configure its own token account before it can send or receive confidentially. Until that configuration step runs, the account behaves like an ordinary Token-2022 account.
The two balances
A configured confidential account holds two encrypted balances side by side: available and pending. Funds you can spend live in the available balance; funds you have just received land in pending and must be folded into available before they can be sent. The fold step is a free, single-instruction transaction the holder signs themselves.
The split exists for a good reason: it lets the protocol process many incoming credits in parallel without making each one a write that races against the holder's own spends. The cost is one extra step you have to remember. Wallets and tools surface a pending balance when one is present.
The lifecycle
End-to-end, an account moves through a handful of operations:
- Configure: a one-time setup that creates the confidential account state and registers the holder's ElGamal public key on-chain.
- Deposit: move public token balance into the confidential pending balance. The amount being deposited is public at this step (it was already on the public ledger). Once deposited, it becomes part of the confidential pending balance.
- Apply pending: fold the pending balance into the available balance. The holder runs this themselves; nobody else can.
- Transfer: send confidentially to another wallet on the same mint. The amount stays encrypted; sender and recipient are public. The recipient's confidential account must already be configured. The transfer is signed by the sender alone; the recipient does nothing during the send.
- Withdraw: move funds from the confidential available balance back to the public token balance. The amount becomes public at this step (it has to: it is reentering the public ledger). The prior confidential balance is not revealed.
- Close: shut the confidential account when you are done with it. Closing refunds the rent to your wallet. The available balance has to be empty first; the tool prompts you through it.
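The ordering rules of this lifecycle, as an added plaintext model (not SolKnife's or the Token-2022 program's code). The class and method names are hypothetical, and balances are plain integers here where the chain stores ciphertexts.

```python
class ConfidentialAccount:
    """Hypothetical model of one wallet's token account on one mint."""

    def __init__(self, mint, public_balance=0):
        self.mint, self.public = mint, public_balance
        self.configured = False
        self.pending = self.available = 0

    def configure(self):
        self.configured = True           # one-time setup, registers the ElGamal key

    def _require_configured(self):
        if not self.configured:
            raise RuntimeError("confidential account not configured")

    def deposit(self, amount):
        self._require_configured()
        if amount > self.public:
            raise ValueError("insufficient public balance")
        self.public -= amount
        self.pending += amount           # deposits land in pending, not available

    def apply_pending(self):
        self._require_configured()       # only the holder runs this step
        self.available += self.pending
        self.pending = 0

    def transfer(self, recipient, amount):
        self._require_configured()
        if recipient.mint != self.mint or not recipient.configured:
            raise RuntimeError("recipient not configured on this mint")
        if amount > self.available:      # pending funds cannot be spent
            raise ValueError("amount exceeds available balance")
        self.available -= amount
        recipient.pending += amount      # credit lands in the recipient's pending

    def withdraw(self, amount):
        self._require_configured()
        if amount > self.available:
            raise ValueError("amount exceeds available balance")
        self.available -= amount
        self.public += amount            # the amount is public again here

    def close(self):
        if self.available != 0:          # precondition as stated in the list above
            raise RuntimeError("available balance must be empty")
        self.configured = False
```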
What the chain actually verifies
Each confidential operation comes with zero-knowledge proofs that the on-chain runtime checks before it accepts the transaction. The proofs answer a small number of structural questions: that an encrypted balance was constructed correctly, that the new balance is non-negative, that a transfer amount is the same value as seen by sender, recipient, and auditor. Nobody on-chain learns the amount itself, but the runtime is satisfied the math is sound.
Because the proofs are checked by Solana itself (via the ZK ElGamal Proof Program, re-enabled on mainnet in 2026), there is no off-chain oracle to trust and no second-system risk. The privacy guarantee is a property of the protocol, not of an app.
Auditor key
A mint can optionally set an auditor ElGamal public key. When one is present, every confidential transfer on the mint is also readable by whoever holds the matching secret. This exists for compliance use cases where the issuer needs to be able to see transfer amounts. A mint with no auditor leaves the amount visible only to the two parties of each transfer.
The auditor is set at mint creation and is visible to anyone who reads the mint. Before you opt into a confidential balance on a mint, check who, if anyone, the auditor is.
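The "same value as seen by sender, recipient, and auditor" property and the auditor's read access, as an added toy example (not SolKnife's or Solana's code): a twisted-ElGamal-style ciphertext with one commitment and one decryption handle per reader, plus the homomorphic addition that lets incoming credits accumulate. The group parameters, secrets and amounts are constructed, the zero-knowledge proofs are not modelled, and the real extension works over an elliptic curve rather than this tiny group.

```python
# Toy twisted ElGamal over a tiny prime-order group. Illustration only, not secure.
P_MOD, Q = 2039, 1019   # constructed toy parameters: safe prime p = 2q + 1
G, H = 4, 9             # two generators of the order-q subgroup of squares mod p

def keygen(secret):
    """Return (secret, public) with public = H^(1/secret mod q)."""
    return secret, pow(H, pow(secret, -1, Q), P_MOD)

def encrypt(amount, r, *pubkeys):
    """One commitment G^amount * H^r plus one decryption handle per reader."""
    commitment = pow(G, amount, P_MOD) * pow(H, r, P_MOD) % P_MOD
    return commitment, [pow(pk, r, P_MOD) for pk in pubkeys]

def decrypt(secret, commitment, handle, max_amount=500):
    """Remove the blinding factor H^r, then search the small amount range."""
    blind = pow(handle, secret, P_MOD)                   # H^r for the right key
    target = commitment * pow(blind, -1, P_MOD) % P_MOD  # G^amount
    for x in range(max_amount + 1):
        if pow(G, x, P_MOD) == target:
            return x
    return None  # no amount in range: wrong key or value too large

def add(ct_a, ct_b):
    """Add two (commitment, handle) ciphertexts without decrypting either."""
    return ct_a[0] * ct_b[0] % P_MOD, ct_a[1] * ct_b[1] % P_MOD

def demo():
    (s_sk, s_pk), (r_sk, r_pk), (a_sk, a_pk) = keygen(123), keygen(456), keygen(789)
    # One transfer of 42: a single commitment, three handles (constructed values).
    c1, (d_s, d_r, d_a) = encrypt(42, 77, s_pk, r_pk, a_pk)
    seen = [decrypt(s_sk, c1, d_s), decrypt(r_sk, c1, d_r), decrypt(a_sk, c1, d_a)]
    # A second incoming transfer of 58 accumulates in the recipient's pending balance.
    c2, (_, d_r2, _) = encrypt(58, 301, s_pk, r_pk, a_pk)
    pending = add((c1, d_r), (c2, d_r2))
    return {
        "seen": seen,                          # sender, recipient, auditor views
        "pending": decrypt(r_sk, *pending),    # sum of both credits
        "outsider": decrypt(321, c1, d_r),     # wrong secret on a valid handle
    }
```

On a mint with no auditor, the third handle is simply absent, so only the two parties can remove the blinding factor.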
Where keys live
Confidential transfer relies on two derived keys per wallet, per mint: an ElGamal key for the encryption itself, and an AES key for a fast off-chain decryption of your own balance. Both are derived deterministically from a signature your wallet produces over a fixed message. The signature itself never leaves your wallet, and the derived keys live only in the browser session that needs them.
SolKnife does this derivation inside a Web Worker that holds the keys for the unlock session and disposes of them on disconnect or page leave. The keys are not posted to the server, not written to localStorage, and not echoed in URLs.
What it costs
Transactions cost the usual Solana base fee. The two saga-shaped operations, withdraw and transfer, each run as five transactions because the range proofs are too large to share one transaction; all five are signed with a single wallet approval. They temporarily fund a few ephemeral "context-state" accounts for the proofs (about 0.002 SOL each), and the same saga's last transaction closes them and refunds the rent.
If a saga is interrupted mid-flow (a tab crash, an expired blockhash) the ephemeral accounts can be left holding rent. They are recoverable: the tool has an orphan reclaim flow that scans the chain for context-state accounts your wallet authorizes and closes them.
When confidential transfer is the right tool
It is built for ordinary tokens that benefit from amount privacy: payroll, vendor invoicing, anything where the dollar value of a single transfer is private information but the parties are not. It is also a clean fit for stablecoin transfers where the amount is sensitive.
It is the wrong tool for any token you are picking up off a decentralized exchange to trade. Sending a memecoin confidentially does not make the trade private; the prices on the AMM are still public. It is also the wrong tool when the recipient is not yet set up: a transfer cannot land on a wallet that has not configured its own confidential account on the mint.
How to try it
Pick a Token-2022 mint that has the extension. Open the SolKnife Confidential Transfer tool, paste the mint, connect your wallet. The tool reads the mint and your account, then walks you through configure (one tx), deposit (one tx), apply pending (one tx), transfer (five-tx saga, one approval), withdraw (five-tx saga, one approval), and close (one tx). All keys stay in the browser.
Frequently asked questions
Does this make me anonymous?
No. Your wallet address is still visible on every transfer; only the amount is encrypted.
Can I transfer to any wallet?
Only to wallets that have already configured a confidential account on the same mint. If the recipient has not, they need to configure first.
What if I lose access to my wallet?
The encryption keys are derived from your wallet signature, so losing the wallet means losing the ability to read your confidential balance, exactly as losing the wallet means losing access to any tokens it holds.
Can the auditor block transfers?
No. The auditor key can read amounts, not stop transfers. If you need to block transfers, a freeze authority is the relevant mechanism, and you can see whether one is active on the rug checker.
Is the SolKnife server able to read my balance?
No. The ElGamal and AES keys are derived inside a Web Worker in the browser and never reach the server. The server only sees proof bytes and the operation's public bookkeeping.