Search
Search for projects by name or address
Railgun
About
An onchain privacy system for Ethereum based on encrypted UTXO-style private balances and zk-proven DeFi interactions.
About
An onchain privacy system for Ethereum based on encrypted UTXO-style private balances and zk-proven DeFi interactions.
Railgun is a non-custodial privacy protocol on Ethereum built around encrypted UTXO-style private balances rather than fixed-denomination pools. This design enables in-protocol transfers of shielded tokens and interactions with DeFi smart contracts on L1.
A shield transaction moves assets from a public address on Ethereum into the Railgun contract and creates encrypted commitments in a Merkle-tree state. Later private transfers or unshields use zk-SNARK proofs to spend those commitments without revealing the sender, recipient, token type, or amount. Notes created by deposits and private transactions represents ownership of tokens in Railgun, users must keep them secret and make sure the notes are not lost.
Railgun supports private transfers and cross-contract interactions without fragmenting liquidity across denominations. DeFi calls can be executed through the RelayAdapt contract, which temporarily unshields tokens to Ethereum L1, performs a sequence of contract calls, and shields the resulting assets back into Railgun in a single transaction (facilitated by a relayer).
Railgun has a DAO governed by holders of the RAIL token. The DAO has the authority to arbitrarily change the logic of the protocol and its shielded tokens.
Privacy considerations
Railgun protocol supports relayed withdrawals, in which a relayer processes withdrawals on the user’s behalf for a fee, which enables sending funds to fresh addresses. Transactions from private addresses can be sent through relayers over the Waku network, which increases network-level privacy. Railgun allows interactions between shielded tokens and DeFi, which allows depositing and withdrawing different tokens.
Practical privacy also depends on the timing and amounts of deposits and withdrawals, as well as RPC providers used to send transactions and query the public blockchain state. Syncing a railgun wallet requires a user to make heavy rpc queries because they need to scan all deposits to the protocol to track their own balance. Running a full node or trusted rpc is recommended. Users are advised to research the best OPSEC practices. Users are advised to research OPSEC best practices.
Fees
There are mandatory onchain protocol fees of 0.25% for shields and 0.25% for unshields. The NFT fee field is currently set to 0. Shield and unshield fees are sent to the Railgun Treasury.
Relayers can charge additional offchain fees for submitting transactions on a user’s behalf. These relayer fees are not set by the core protocol contracts.
Compliance
Railgun protocol does not enforce any compliance measures. However it allows using Private Proof of Innocence(PPoI), which can attest to the origin and history of shielded tokens. Relayers and some wallets require a valid PPoI for their services, but they are not generally enforced.
Additionally, Railgun users can share a read-only viewing key to expose all sent and received private transactions, if required by a regulator or enforcer.
Anonymity set
Because Railgun allows private transfers, optional PPoIs that can be enforced by relayers, and interactions with DeFi, its anonymity set depends on many details. A withdrawal from Railgun could be connected with a deposit of another token, or could not correspond to any deposit if a user received a private transfer from another user. The anonymity set, in the best case, corresponds to the set of all Railgun users.
2025 May 26 — 2026 May 26
2025 May 25 — 2026 May 26
Asset | Deposits 7D | Deposits 30D | Deposits Total | Value Locked |
|---|---|---|---|---|
WETH | 275 $4.38 M | 1.45 K $35.26 M | 36.94 K $1.42 B | $40.82 M |
USDC | 70 $1.30 M | 418 $8.90 M | 7.13 K $253.34 M | $16.65 M |
USDT | 99 $2.08 M | 489 $8.78 M | 8.22 K $315.25 M | $16.20 M |
DAI | 6 $348.76 K | 58 $4.33 M | 1.92 K $182.86 M | $7.15 M |
WBTC | 1 $1.04 K | 17 $192.72 K | 600 $39.61 M | $2.52 M |
NEAR | 0 $0.00 | 0 $0.00 | 0 $0.00 | $2.23 M |
RAIL | 8 $22.06 K | 10 $22.15 K | 294 $3.64 M | $1.16 M |
FLUID | 0 $0.00 | 0 $0.00 | 2 $1.55 M | $266.65 K |
| Total | 459 $8.14 M | 2.45 K $57.50 M | 55.11 K $2.22 B | $87.03 M |
Funds can be stolen if
- the zk proof system is broken, allowing invalid spends or withdrawals.
- the trusted setup is compromised or all ceremony participants collude, allowing invalid spends or withdrawals.
- the DAO passes a malicious upgrade and users do not react before the 7-day execution delay expires.
Funds can be lost if
- a user loses the private keys required to control their private balance.
Privacy can be lost if
- no broadcaster is available and transactions must be sent from a public address that can be linked to the user.
Railgun features an omnipotent DAO governed by the stakers of the RAIL token. The DAO has the authority to change ZK circuit logic on the core Railgun contract, which can arbitrarily change the rules for shielded tokens; as well as manage blacklisted tokens, mint RAIL tokens and manage governance rewards. See docs here: https://docs.railgun.org/wiki/rail-token/protocol-governance
Governance flow
- Users stake RAIL token in the Staking contract (0xEE6A649Aa3766bD117e12C161726b693A1B2Ee20). Voting power is proportional to the staked amount and can be delegated to another address. Unstaking has 1mo delay.
- Anyone can create a new proposal with an IPFS link and onchain calldata on the Voting contract (0xc480F68A3dcC3EdD82134FAB45C14A0FcF1dA3CC). It enters a Sponsorship stage of 1mo, where it has to be supported by 500 K RAIL stake.
- After a 2d delay, the actual voting starts. “Yay” votes need to be cast within 5d, “Nay” have 6d. Proposal needs to reach the quorum of 2.00 M RAIL.
- A passed proposal (simple majority) waits for 7d before execution and then must be executed within 14d by anyone. Execution goes via the Delegator smart contract (0xB6d513f6222Ee92Fff975E901bd792E2513fB53B), which actually has permissions to modify the Railgun protocol values.
Railgun
Detailed description
Circuit-specific Phase 2 trusted setup for Railgun’s 54 Groth16 circuits (parameterised by
transaction input/output counts) over the BN254 curve. It builds on the
Perpetual Powers of Tau ceremony
as Phase 1 and was run as a separate Phase 2 per circuit. The ceremony was publicly announced,
open to anonymous and identified participants, and wrapped up in late December 2022.
Verified against the ceremony artifact IPFS hash
QmWAySHYhaZqioKi1ufrPJC1n1ZVtHP2w4hLA9XqqJCFne: the
/contributors directory contains 328 sequentially-numbered attestation files with
GitHub or Twitter handles, and the /zkeys directory contains 54 final zkey files (one
per circuit). Parsing the final zkey binary for the 1x1 circuit shows 304 Phase 2
contributions on that circuit.
- Ceremony artifacts on IPFS: https://ipfs.io/ipfs/QmWAySHYhaZqioKi1ufrPJC1n1ZVtHP2w4hLA9XqqJCFne
- Ceremony announcement: https://medium.com/@Railgun_Project/railgun-project-begins-setup-ceremony-with-an-emphasis-on-security-d1c63117c312
- Advanced Circuit ceremony user guide: https://medium.com/@Railgun_Project/railgun-advanced-circuit-setup-ceremony-user-guide-32361c54242
- Docs overview of the trusted setup: https://docs.railgun.org/wiki/learn/privacy-system/trusted-setup-ceremony
- Railgun circuits repository with ceremony scripts: https://github.com/Railgun-Privacy/circuits-v2
Ethereum
Actors:
Token-weighted Railgun governance contract. Proposals must be sponsored, voted through quorum, and then executed through the Delegator.
- Can upgrade with no delay
- GovernorRewards Delegator → ProxyAdmin
- LegacySweeper Delegator
- Treasury Delegator → ProxyAdmin
- RailgunSmartWallet Delegator → ProxyAdmin
- Can interact with VerificationKeySetter_64DA
- switch the VKeySetter into COMMITTING so its owner can push stored verification keys to the verifier Delegator
- Can interact with VerificationKeySetter_9086
- switch the VKeySetter into COMMITTING so its owner can push stored verification keys to the verifier Delegator
- Can interact with GovernorRewards
- add or remove allowed reward safety vectors Delegator
- add or remove reward tokens from the distribution set Delegator
- change the per-interval reward rate Delegator
- pause, unpause, transfer proxy ownership, or upgrade the GovernorRewards implementation Delegator → ProxyAdmin
- Can interact with LegacySweeper
- pause, unpause, transfer proxy ownership, or upgrade the legacy Sweeper implementation Delegator
- Can interact with Delegator
- grant or revoke delegated caller permissions and transfer ownership of the Delegator
- Can interact with Rail Token
- mint additional RAIL up to the hard cap and transfer token ownership Delegator
- Can interact with Treasury
- grant or revoke treasury roles, including who can move ETH and ERC20s out of the treasury Delegator
- pause, unpause, transfer proxy ownership, or upgrade the treasury implementation Delegator → ProxyAdmin
- transfer ETH or ERC20s out of the treasury Delegator → ProxyAdmin → GovernorRewards - or Delegator → LegacySweeper - or Delegator
- Can interact with RailgunSmartWallet
- add or remove allowed SNARK safety vectors Delegator
- add or remove tokens from the shielding blocklist Delegator
- change the shield, unshield, and NFT fee schedule Delegator
- change the treasury that receives protocol fees Delegator
- pause, unpause, transfer proxy ownership, or upgrade the Railgun smart wallet implementation Delegator → ProxyAdmin
- Can upgrade with no delay
- GovernorRewardsSweeper
- Can interact with GovernorRewardsSweeper
- pause, unpause, transfer proxy ownership, or upgrade the Sweeper implementation
- Can interact with VerificationKeySetter_9086
- stage replacement verification keys and manage the helper’s local SETTING and WAITING states
- Can interact with VerificationKeySetter_64DA
- stage replacement verification keys and manage the helper’s local SETTING and WAITING states
Ethereum
Collects Railgun fees. Managed through access control roles.
- Roles:
- admin: ProxyAdmin; ultimately Voting
- defaultAdminRoleMembers: Delegator; ultimately Voting
- transferRoleMembers: Delegator, GovernorRewards, IntervalPayouts, LegacySweeper; ultimately Voting
Main system contract and escrow that accepts shielded deposits, verifies private transactions and unshields, and maintains the commitment tree.
- Roles:
- admin: ProxyAdmin; ultimately Voting
- owner: Delegator; ultimately Voting
Admin interface for Railgun’s pausable upgradeable proxies. It does not hold funds, but its controller can operate every proxy attached to it.
- Roles:
- owner: Delegator
Reward distributor that pulls assets from the Railgun treasury and allocates them to stakers via token voting.
- Roles:
- admin: ProxyAdmin; ultimately Voting
- owner: Delegator; ultimately Voting
Older Railgun sweeper generation that still holds Treasury transfer rights. It is upgradeable and forwards balances to an immutable receiver.
- Roles:
- admin: Delegator; ultimately Voting
Permission router proxy owned by Railgun governance.
- Roles:
- owner: Voting
- verificationKeyDelegates: VerificationKeySetter_64DA, VerificationKeySetter_9086
RAIL governance token contract with a capped (100,000,000 RAIL total supply) mint schedule and an early anti-bot transfer override.
- Roles:
- owner: Delegator; ultimately Voting
RAIL staking contract that tracks delegated voting power, enforces a 1mo unstake delay, and snapshots staking balances for governance every 1d. Its parameters define the governance voting system.
Immutable payout stream that can pull a fixed amount of a configured asset from the Railgun treasury to a fixed beneficiary whenever the next interval is due.
Helper that forwards all ETH or ERC20 balances it holds to a fixed receiver.
- Roles:
- admin: EOA 1
Immutable payout stream that can pull a fixed amount of a configured asset from the Railgun treasury to a fixed beneficiary whenever the next interval is due.
Immutable payout stream that can pull a fixed amount of a configured asset from the Railgun treasury to a fixed beneficiary whenever the next interval is due.
Immutable payout stream that can pull a fixed amount of a configured asset from the Railgun treasury to a fixed beneficiary whenever the next interval is due.
Immutable payout stream that can pull a fixed amount of a configured asset from the Railgun treasury to a fixed beneficiary whenever the next interval is due.
Read-only helper contract that batches governance snapshot and reward-view calls.
Immutable payout stream that can pull a fixed amount of a configured asset from the Railgun treasury to a fixed beneficiary whenever the next interval is due.
Execution adapter contract for Railgun. To interact with public contracts from shielded pools, tokens are unshielded to RelayAdapter, which performs specified calls and shields tokens back to the same user.