OUTPUT // 0X03 — DOCUMENTATION
How DarkDrop
works.
What is DarkDrop
DarkDrop is a privacy protocol on Solana that lets you send SOL to anyone without creating an on-chain link between the sender and receiver wallets. It uses zero-knowledge proofs (Groth16 on BN254) to verify that a claim is legitimate without revealing which deposit it corresponds to. The sender deposits SOL and receives a claim code. The recipient uses the claim code to generate a ZK proof in their browser and withdraw the funds to any wallet — with no connection to the original deposit visible on-chain.
How it works
DarkDrop uses a three-step flow: Deposit, Claim, and Withdraw.
Deposit (create_drop)
You deposit SOL into a shared Merkle vault. A cryptographic leaf is inserted into a Merkle tree. You receive a claim code containing the secret values needed to prove ownership later. The deposit amount is visible on-chain (SOL must physically move).
Claim (claim_credit)
The recipient generates a ZK proof in their browser proving they know the secret for a valid leaf, without revealing which leaf. The proof is verified on-chain. A credit note PDA is created. Zero SOL moves. Zero amounts appear in the transaction. An observer sees only opaque proof bytes.
Withdraw (withdraw_credit)
The recipient opens the commitment, revealing the amount and blinding factor. The program verifies the Poseidon hash on-chain and transfers SOL via direct lamport manipulation — no CPI, no inner instructions, no decoded “Transfer” on any block explorer.
The Credit Note Model
This is what makes DarkDrop different from other mixers. The claim transaction — the on-chain event that connects a deposit to a withdrawal — contains zero amount information and zero SOL movement.
Instead of transferring SOL directly during the claim, DarkDrop creates a credit note: a PDA that stores a Poseidon commitment (Poseidon(amount, blinding_factor)). The amount is a private input to the ZK circuit — it never appears in the instruction data, events, or logs.
The withdrawal is a separate transaction, potentially from a different wallet at a different time. It uses direct lamport manipulation (the program directly modifies account balances) instead of calling system_program::transfer. This means there are no CPI calls, no inner instructions, and no decoded “Transfer X SOL” on Solscan or any explorer.
The IDL uses deliberately uninformative field names — no field is named “amount”, “lamports”, “fee”, or “balance”. Block explorers cannot auto-label the values.
How to use it
Step-by-step guide to creating and claiming a drop.
Connect your wallet
Click the wallet button in the top-right corner. DarkDrop supports Phantom and Solflare on Solana devnet. Make sure you have some devnet SOL for gas fees.
Create a drop
Go to the CREATE page. Enter the SOL amount (up to 100 SOL). Optionally set a password for extra protection — the recipient will need it to claim. Choose Direct deposit or Private deposit (via relayer, so your wallet never appears in the DarkDrop transaction). Click CREATE DROP and approve the transaction.
Save and share the claim code
After the deposit confirms, you will see a claim code starting with “darkdrop:v4:...”. Copy it and share it with the recipient through any channel (DM, email, QR code, paper). Anyone with the code can claim the funds, so keep it secure.
Claim the drop
Go to the CLAIM page. Paste the claim code. If it was password-protected, enter the password. Choose Gasless (relayer pays gas, 0.5% fee) or Direct (you pay gas, no fee). Click CLAIM. Your browser generates a ZK proof (takes 2-5 seconds), then two transactions are submitted: one to verify the proof and create a credit note, one to withdraw the SOL to your wallet.
Verify on-chain
After claiming, check the transaction links on Solscan. You will see that the claim transaction has zero decoded amounts and zero SOL transfers. The withdrawal shows balance changes but no Transfer instruction.
Privacy model
DarkDrop is honest about what is hidden and what is not.
| DATA POINT | DEPOSIT | CLAIM | WITHDRAW |
|---|---|---|---|
| Sender wallet | Visible | Not present | Not present |
| Receiver wallet | Not present | Present | Present |
| Amount | Visible (CPI) | Hidden | Balance delta only |
| Deposit → Claim link | Impossible (Merkle proof hides which leaf) | ||
| Inner instructions | Transfer | CreateAccount (PDAs) | None |
What's visible: The deposit amount is visible because SOL must physically move. The receiver wallet appears in the claim and withdraw transactions. An observer can see that someone claimed from the DarkDrop vault.
What's hidden: The link between sender and receiver. The claim amount. Which deposit corresponds to which claim. The withdrawal uses no Transfer instruction, so explorers cannot auto-label it.
Anonymity set: Privacy improves with more deposits in the vault. On devnet, the anonymity set is small. On mainnet, it would grow with real usage. Using the relayer for both deposit and claim provides maximum unlinkability.
FAQ
What if the relayer is down?
You can always claim directly by selecting “Direct” mode on the claim page. You will pay gas yourself, but the ZK proof and on-chain verification work the same way. The relayer is a convenience feature for gasless claims, not a requirement. The create page also supports direct deposits that bypass the relayer entirely.
What if I lose my claim code?
The claim code contains the cryptographic secrets needed to generate the ZK proof. Without it, there is no way to claim the funds. DarkDrop does not store claim codes anywhere. Treat it like a private key — if you lose it, the SOL remains locked in the vault permanently.
Is DarkDrop audited?
No. DarkDrop is unaudited and currently deployed on Solana devnet only. The code is open source and the ZK circuits have been tested extensively, but it has not undergone a formal security audit. Do not use it with real funds on mainnet without an audit.
What are the fees?
Direct claims have no protocol fee — you only pay Solana gas (~0.000005 SOL). Gasless claims via the relayer have a 0.5% fee deducted from the withdrawal amount. The relayer pays all gas costs.
Can the relayer steal my funds?
No. The ZK proof binds the claim to a specific recipient wallet. The relayer submits the transaction but cannot change the recipient. It can only refuse to relay (censorship), which is mitigated by the direct claim fallback.
What Solana network does DarkDrop use?
DarkDrop is currently deployed on Solana devnet. You need devnet SOL to interact with it. Use a faucet or the Solana CLI to get devnet SOL.