Privacy-preserving minting

Work in Progress - Not Currently Implemented

This mechanism is not being implemented at this time. Other supply management mechanisms (hold periods, release curves, open interest, and profit-sharing) have been determined to be sufficient for handling Case B scenarios without the added complexity of privacy-preserving techniques.

Note: Privacy-preserving price disclosure becomes especially interesting when combined with Dutch auction mechanisms, as it can prevent strategic gaming of the auction process. This combination may be explored in future iterations.

Privacy-preserving minting is a supply management mechanism that addresses a subtle but critical challenge in Case B scenarios: information-driven panic selling. Even with hold periods and release curves, if the market learns that new assets were acquired significantly below the current pool price, rational holders might sell preemptively, creating the very price crash the mechanisms were designed to prevent.

The solution is a commit-and-reveal scheme where the exact acquisition price is hidden initially and disclosed gradually through banded intervals. This prevents panic while maintaining long-term transparency and accountability.

The information leakage problem

Consider a Case B scenario where the issuer acquires an asset at $4,200 but the current pool price is $5,000. Even with a 7-day hold period and convex release curve:

Without privacy:

Day 0: Issuer announces "acquired asset at $4,200, minting 1,000 tokens"
Immediate reaction: Market participants see 16% discount to pool price
Rational response: Sell now before price adjusts downward
Cascade: Pool price drops to $4,500 before any new supply enters
Result: The announcement itself causes the price crash

With privacy:

Day 0: Issuer announces "acquired asset, minting 1,000 tokens" (no price disclosed)
Gradual disclosure: Price band narrows over tranches (e.g., "5-10% below pool" → "10-15% below" → exact)
Dampened reaction: Market adjusts gradually as information is revealed
Orderly adjustment: Price moves smoothly toward acquisition value
Result: Supply management mechanisms work as intended

Formal structure

Commitment phase (Day 0)

Let $p_{\text{acq}}$ be the true acquisition price and $p_0$ be the pool price at mint time.

Issuer commits to $p_{\text{acq}}$ using a cryptographic commitment:

C = \text{Commit}(p_{\text{acq}}, r)

where $r$ is a random nonce. This commitment is binding (can't change later) and hiding (reveals nothing about $p_{\text{acq}}$ ).

Issuer proves (using zero-knowledge proofs) that:

Range constraint: $p_{\text{floor}} \leq p_{\text{acq}} \leq p_0$ (truly below pool, above sanity floor)
Schedule correctness: For each tranche $i$ , the enforced floor $\hat{p}_{\min}^{(i)}$ satisfies the release schedule
Trigger safety: If $(p_0 - p_{\text{acq}})/p_0 > \Delta$ and mint size exceeds threshold, mark-to-truth auction is armable

The protocol can enforce these constraints without ever seeing $p_{\text{acq}}$ .

Banded disclosure (Tranches 1-K)

Partition the price range $[p_{\text{floor}}, p_0]$ into geometric bands:

B_j = [p_0(1 - \beta_{j+1}), p_0(1 - \beta_j))

where $\beta_{j+1} > \beta_j$ . For example, 5 bands:

$B_1$ : 0-5% below pool
$B_2$ : 5-10% below pool
$B_3$ : 10-15% below pool
$B_4$ : 15-20% below pool
$B_5$ : 20%+ below pool

At each tranche $i$ , the issuer:

Reveals the band $B_{j(i)}$ containing $p_{\text{acq}}$
Proves membership using zero-knowledge: $p_{\text{acq}} \in B_{j(i)}$
Narrows the band progressively (e.g., 5-point bands → 2-point bands → exact)

The enforced floor for tranche $i$ is:

\tilde{p}_{\min}^{(i)} = \max(\text{upper}(B_{j(i)}), f_i(p_{\text{acq}}))

where $f_i(p_{\text{acq}})$ is the release curve floor (e.g., convex approach to $p_{\text{acq}}$ ).

Final reveal (Tranche K or audit)

After all tranches complete (or via time-locked encryption), the issuer reveals $p_{\text{acq}}$ and $r$ , allowing anyone to verify:

C = \text{Commit}(p_{\text{acq}}, r)

This ensures long-term transparency while providing short-term privacy during the critical adjustment period.

Worked example

Setup

Pool price at mint: $p_0 = 5{,}000$ USDC
True acquisition price: $p_{\text{acq}} = 4{,}200$ USDC (16% below pool)
Tokens minted: $m = 1{,}000$
Release schedule: 5 tranches over 30 days
Price bands: 5 bands (0-5%, 5-10%, 10-15%, 15-20%, 20%+)

Day 0: Commitment

Issuer commits to $p_{\text{acq}} = 4{,}200$ using Pedersen commitment:

C = g^{4200} h^r

Issuer proves (via zk-SNARK):

$4{,}000 \leq p_{\text{acq}} \leq 5{,}000$ (range)
Acquisition is in band $B_4$ (15-20% below pool)
Release floors are correctly computed

Market reaction: "New asset acquired, price somewhere between $4,000-5,000. No immediate panic."

Day 7: Tranche 1 (20% of supply)

Issuer reveals: Band $B_4$ (15-20% below pool)

This narrows the range to $[4{,}000, 4{,}250]$ .

Enforced floor: $\tilde{p}_{\min}^{(1)} = 4{,}250$ (upper edge of band)

Market reaction: "Acquisition was 15-20% below pool. Price may adjust, but not immediately. Open interest at $4,500+ absorbs this tranche."

Result: 200 tokens sold to open interest at average price $4,600. No panic.

Day 14: Tranche 2 (30% of supply)

Issuer reveals: Narrower band $[4{,}150, 4{,}250]$

Enforced floor: $\tilde{p}_{\min}^{(2)} = 4{,}250$

Market reaction: "Acquisition around $4,200. Pool price adjusts to $4,700."

Result: 300 tokens sold at $4,500-4,700. Orderly adjustment.

Day 21: Tranche 3 (30% of supply)

Issuer reveals: Exact price $p_{\text{acq}} = 4{,}200$

Enforced floor: $\tilde{p}_{\min}^{(3)} = 4{,}200$

Market reaction: "Now we know the exact price. Pool has already adjusted to $4,500."

Result: 300 tokens sold at $4,400-4,500. Market has converged.

Day 30: Tranche 4-5 (20% of supply)

Remaining tokens released at floor $p_{\text{acq}} = 4{,}200$ .

Result: All tokens distributed, pool price stabilized at $4,300-4,400, reflecting new supply and acquisition value.

Why it works

Prevents information-driven panic

Without privacy, the announcement of a low acquisition price triggers selling before any supply enters. With privacy:

Initial uncertainty: Market knows acquisition happened, but not at what price
Gradual revelation: Each tranche narrows the band, allowing incremental adjustment
Dampened volatility: No single "shock" moment; price adjusts smoothly
Supply absorption: Open interest and release curves have time to work

Maintains long-term transparency

The commitment is binding—issuer can't change the price after committing. Final reveal ensures:

Auditability: Anyone can verify the commitment matches the revealed price
Accountability: Issuer can't manipulate or misrepresent acquisition value
Trust: Long-term transparency builds confidence in the protocol

Aligns with other mechanisms

Privacy works in concert with:

Hold period: Prevents immediate dumping while commitment is hidden
Release curve: Gradual supply entry matches gradual information disclosure
Open interest: Demand signals absorb tranches before AMM exposure
Issuer bond: Slashed if issuer violates floors or misrepresents price

Implementation approaches

Minimal viable (no heavy cryptography)

Merkle commitment to a pre-declared band tree:

Issuer commits to a Merkle tree with 5-7 bands
At each tranche, reveals the Merkle leaf (band) + proof
Exact price time-locked via threshold multisig (revealed at final tranche)
On-chain checks enforce floors and quotas

Advantages: Simple, no custom circuits, fast to implement

Disadvantages: Coarse bands, requires trust in multisig for final reveal

Advanced (zero-knowledge proofs)

zk-SNARKs / Bulletproofs for fine-grained control:

Commit to exact $p_{\text{acq}}$ using Pedersen commitment
Prove range constraints and schedule correctness in-circuit
Reveal progressively narrower bands via membership proofs
Final reveal via commitment opening

Advantages: Fine-grained bands, trustless, cryptographically secure

Disadvantages: Complex, requires custom circuits, higher gas costs

Outcome

Advantages

Prevents panic selling:

No single "shock" moment revealing low acquisition price
Market adjusts gradually as information is disclosed
Supply management mechanisms have time to work

Maintains transparency:

Commitment is binding and verifiable
Final reveal ensures long-term auditability
Accountability for issuer actions

Protects issuer alpha:

Competitors can't immediately copy acquisition strategies
Sourcing advantages preserved during critical period

Enables profit-sharing:

Surplus between acquisition and clearing price can be distributed fairly
Market participants benefit from issuer's sourcing efficiency
Distribution follows protocol's profit-sharing structure (see Coordinated supply management)

Disadvantages

Complexity:

Requires cryptographic infrastructure (commitments, proofs)
More complex than transparent minting
Potential for implementation bugs

Delayed transparency:

Full information not immediately available
Some participants may distrust hidden information
Requires education about the mechanism

Gas costs:

Zero-knowledge proofs can be expensive
Multiple tranche reveals increase transaction costs

Coordination risk:

Requires careful timing of reveals
Issuer must manage disclosure schedule
Potential for errors in band selection

Trade-offs vs. other mechanisms

vs. Transparent minting:

Privacy: Prevents panic, but adds complexity
Transparent: Simpler, but risks information-driven crashes

vs. Dutch auction:

Privacy: Hides acquisition price during release
Dutch auction: Transparent price descent, but surplus can be shared

vs. Bonded minting:

Privacy: Information control, no capital lock
Bonded: Price floor guarantee, but requires collateral

Configuration

Privacy parameters are configurable per collection:

Number of bands: Coarseness of initial disclosure (e.g., 5-7 bands)
Band geometry: Linear, logarithmic, or custom spacing
Reveal schedule: How bands narrow across tranches
Final reveal timing: Immediate at last tranche or time-locked
Proof system: Merkle trees (simple) or zk-SNARKs (advanced)

These parameters balance:

Privacy strength: More bands = finer control, but more complexity
Transparency timeline: Faster reveals = more transparency, but less dampening
Implementation cost: Simple Merkle vs. advanced zk proofs

Price dynamics and risks for detailed Case B analysis
Coordinated supply management for how privacy works with other mechanisms
Hold period mechanism for preventing immediate dumping
Release curve mechanism for gradual supply entry
Open interest mechanism for demand signals

The information leakage problem​

Formal structure​

Commitment phase (Day 0)​

Banded disclosure (Tranches 1-K)​

Final reveal (Tranche K or audit)​

Worked example​

Setup​

Day 0: Commitment​

Day 7: Tranche 1 (20% of supply)​

Day 14: Tranche 2 (30% of supply)​

Day 21: Tranche 3 (30% of supply)​

Day 30: Tranche 4-5 (20% of supply)​

Why it works​

Prevents information-driven panic​

Maintains long-term transparency​

Aligns with other mechanisms​

Implementation approaches​

Minimal viable (no heavy cryptography)​

Advanced (zero-knowledge proofs)​

Outcome​

Advantages​

Disadvantages​

Trade-offs vs. other mechanisms​

Configuration​

Related reading​