The relayer
Gasless, unlinkable unshield — trusted for liveness, not safety. Fee flow and the single-relayer MVP.
Without a relayer, a user who unshields signs and pays for their own withdrawal transaction — which links that withdrawal to a wallet they control, partially defeating the point. The relayer closes that gap: it submits the withdrawal and pays the gas, so the transaction is signed and paid by the relayer, not the user.
How it works
- The user builds an unshield bound to a chosen relayer address and fee,
both public signals in the proof.
publicAmountOut = amount − fee. - Instead of sending the transaction themselves, the user POSTs the proven op to the relayer's HTTP endpoint. No wallet signature from the user is needed for the chain transaction — the proof authorizes the withdrawal.
- The relayer validates and, if everything passes, signs and submits the transaction, paying gas.
- The recipient receives
amount − feeat a fresh public address unlinkable to any wallet the user controls; the relayer receivesfeefrom the pool.
What the relayer checks (before submitting)
- The op is an unshield, and the bound relayer address is its own (otherwise it would pay gas for someone else's fee).
- The fee clears its configured minimum.
- The proof verifies against the pool's reconstruction of the public signals.
- The root is in the recent-roots window and the nullifiers are unspent.
If any check fails it rejects with a reason and submits nothing.
Trust: liveness, not safety
What the relayer can and cannot do
The relayer is trusted for liveness only — it can refuse to submit (censor). It is not trusted for safety: recipient, amount, relayer, and fee are all bound public signals in the proof, so a malicious relayer can neither redirect funds nor inflate its fee. It can only submit the exact withdrawal the user proved, or nothing.
Single-relayer MVP
Today there is one relayer — a censorship / centralization point, in the same spirit as the single sequencer. A production system wants many relayers (a relayer market) so no single party can censor. That decentralization is future work; the safety guarantees above hold regardless of how many relayers exist.
The self-pay path remains available as a clearly-labeled fallback (linkable to the user's wallet). See Using the app.