Garble.Money: Next-Generation Privacy Solution for Tron Network

GarbleMoney Team
8 min readNov 26, 2022

Garble.Money is a privacy wallet on Tron Network that allows you to deposit, withdraw and transfer assets just like Paypal. Your Tron account is like a bank card. You can deposit your assets to Garble.Money and withdraw your assets from it at any time without restriction. Garble.Money’s most important feature is supporting shielded transfers for TRX and TRC20 tokens. You can pay or receive assets anonymously through Garble.Money, no one can see your transactions, including Garble.Money team. Garble.Money’s contracts are now open-source, and we will analyze them in terms of privacy and security.

Why We Need Shielded Transfers

We believe that privacy is a fundamental human right. Other basic human rights would be compromised without the right to privacy. Looking back at the history of Web 3.0, Satoshi Nakamoto established BTC in a sense to get away from the real-world financial system that is cumbersome and under the prying eyes of governments and financial institutions. Nowadays, the blockchain world based on transparent ledgers has a huge need and justification for shielded transactions.

Therefore, we intend to build a privacy wallet on Tron Network, a tool through which users can enhance the privacy of their transactions. As for why choosing Tron, it is mainly because of its huge cryptocurrency trading volume and community activity.

Privacy Analysis of Garble.Money


When a new user uses Garble.Money, it generates a Tronz privacy account, and the user signs a string to calculate key pairs of Garble.Money. The Tronz Private Key is encrypted with the public key of Garble.Money, concatenated with the Tronz address and submitted to the Registry contract for automatic registration. Here is an example.

The Registry contract has only a simple registration function, which serves two purposes.

- Enable users to use the private key of Garble.Money to decrypt the data on the chain to get Tronz Private Key when logging in. Then, users can operate deposit, withdrawal, transfer, and other operations.

- Map the Tronz address to the Tron address. The user only needs to know the Tron address of the counterparty for shielded transfers.

We can see that the Registry contract does not have any fields to store the user’s balance, which means there is no way to get the balance information in Garble.Money through Tron addresses or public keys.

Garble.Money sets up a privacy contract for each coin, and this architecture makes it very easy to extend privacy to any token on Tron Network. Garble.Money currently supports four coins: TRX, USDT, USDD, and JM. Here is a USDT deposit example:

As we can see, the parameters involved in each deposit are encrypted. Even though an external party can analyze a single deposit through the events of TRC20, the full account details of an account in Garble.Money are still not available in the blockchain browser.

Instead, users can first decrypt the Tronz Private Key using the private key of Garble.Money after login and then decrypt the on-chain information to get all the deposit information through the Tronz Private Key. Therefore, the privacy of the user’s balance is guaranteed.


Shielded transfer is the core function of Garble.Money. Like other well-known privacy projects, Garble.Money is also based on zero-knowledge proof (ZKP) technologies. While Tornado Cash uses circom as its ZKP infrastructure, Garble.Money uses the Tronz Protocol, a ZKP protocol natively supported by Tron. Tornado Cash’s ZKP generation for withdrawals is cumbersome and often makes browsers unresponsive due to complex computation. Garble.Money generates ZKPs tens of times faster than Tornado Cash with little resource consumption.

Tornado Cash requires users to save the generated notes and use them as withdrawal credentials. With the existing cyber security threats, users have to face the loss of funds due to lost and stolen notes. Garble.Money eliminates the need for users to save ZKP notes, and privacy is integrated into the transfers, making it a better experience than Tornado Cash.

Here is a USDT shielded transfer example:

The transaction contains five parameters: input, sendAuthoritySignature, output, bindingSignature, and c.

- input contains nf, anchor, value_commitment, rk, and proof.

  • nf stands for nullifier, preventing double-spent.
  • anchor is the historical root of the Merkle tree, which ensures that the deposit’s commitment actually exists in the Merkle tree.
  • value _commitment is the amount size corresponding to the commitment, which is used to hide the transfer amount.
  • rk is the public key used to verify the spendAuthoritySignature.
  • proof represents the ZKP itself.

- spendAuthoritySignature is the authentication signature of the input.

- output contains note_commitment, value_commitment, epk, and proof.

  • note_commitment is computed from the real Tronz note and will be inserted into the Merkle tree.
  • value_commitment is the amount size corresponding to the commitment, which is used to hide the transfer amount.
  • epk is one of the keys used to decrypt the Tronz note.
  • proof is the zero-knowledge proof.

- bindingSignature is used to ensure that the amounts of input and output are balanced.

- c contains c_enc, c_out.

  • c_enc can be decrypted by the recipient of the transaction to get Tronz note information.
  • c_out can be decrypted by the sender of the transaction to get Tronz note information.

Garble.Money uses a Merkle tree to store the asset status. Each time a user makes a deposit, a note_commitment is inserted into the tree. When Alice transfers assets to Bob, she needs to prove that there is a note_commitment of her own in the tree. To prevent others from linking the deposit account with the transferred account via note_commitment, Garble.Money does not submit a note_commitment in the transfer. Garble.Money uses a ZKP of the note_commitment-to-root process. The transfer process does not involve the movement of funds between blockchain accounts; Alice spends her note_commitment, creates a note_commitment for Bob of the same amount, and inserts it into the Merkle tree. Thus, all that is transferred is the right to use the funds in the privacy contract. Since all on-chain parameters are encrypted, neither the recipient nor the transfer amount is visible to the outside world. At this point, the shielded transfer is perfectly implemented.

Contract Security Analysis

The Registry contract only has a simple `register` function. The security team founds no risk in this contract.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

contract Registry {

mapping (address => bytes) public userOf;

event NewUser(address indexed owner, bytes user);

function register(bytes calldata user) external {
require(userOf[msg.sender].length == 0, "you can only register once");
userOf[msg.sender] = user;
emit NewUser(msg.sender, user);

Privacy contracts for different tokens are similar, such as the USDT privacy contract. The functions mint, burn, and transfer are the implementations of deposit, withdrawal, and transfer. It can be seen from the code that they are implemented in strict accordance with the specifications of the Tronz Protocol, with guaranteed security.

The contract owner can transfer contract privilege, set fee rate, suspend token withdrawals, and prohibit addresses in the SanctionsList from using the Garble.Money but does not have the authority to transfer tokens directly. Therefore, the owner’s rights are within the acceptable range.

Use Garble.Money Correctly and Improve the Privacy

ZKP is so specialized, and it can be difficult for the average user to clearly understand what their actions mean. This section discusses how the average user can use Garble.Money correctly to maximize their privacy.

Rule 1: Use different addresses for deposit and withdrawal

Garble.Money provides three kinds of operations: deposit, transfer, and withdraw. Many people may mistakenly believe they can deposit assets to Garble.Money and directly withdraw them to the original EOA account after depositing assets for some time. However, it will destroy privacy because Garble.Money is a wallet rather than a traditional mixer. Garble.Money obfuscates the flow of funds by shielded transfers. Therefore, users must transfer assets to others after deposit to protect privacy.

Rule 2: Use different amount

Like Tornado Cash, the exact amount of all deposited and withdrawn funds is public because the flow of funds on the chain is public, and we cannot hide events.

Suppose a scenario like this: Alice deposits 935 USDT to Garble.Money at 11:00 am using Address A. And at 11:03 am, there is a 935-USDT outflow from Garble.Money to Address B. Since the amounts are the same and the operation times are so close, others can easily link Alice to Address B, resulting in privacy leaks.

Users with strong privacy needs are recommended to use a fixed denomination of funds in each deposit and transfer after subsequent deposits have reached a certain level. Garble.Money offers these quick options for fixed amounts.

Sanctions and Compliance

Garble.Money is designed to provide privacy-enhancing services only to legitimate users rather than being a breeding ground for criminals. Therefore, Garble.Money provides the contract-level ability to disable specific addresses, and law enforcement can contact Garble.Money to block funds against certain addresses. However, it is worth noting that once a specific address is blocklisted, no one, including the Garble.Money team, will be able to access these blocked funds, and they may be permanently locked in Garble.


Garble.Money is a privacy wallet, and its privacy transfer function is implemented based on Tronz Protocol. The privacy and security of Garble.Money are better than existing solutions. Therefore, Garble.Money can be used without worry. Garble.Money is still in the early stage, and the development team will launch more new features (such as completed-frontend-based ZKP generation)in the coming days.