Whitepaper · v1.0 · July 2026 · living document

The dollar that can be private.

MaskedUSD is privacy-stablecoin infrastructure on Base: $USDM, a dollar backed 1:1 by native USDC, with an opt-in shielded layer where balances and transfers are proven correct by zero-knowledge proofs instead of being broadcast to everyone. This document describes the system as deployed — its architecture, its privacy design, its compliance posture, and its risks.

Live on BaseImmutable contracts1:1 native-USDC-backedProofs in your browser
00 · Abstract

What this is.

On a public blockchain, every balance and every payment is visible to anyone, forever. That is a strange default for money. MaskedUSD keeps the part of a stablecoin that should be public — that it is fully backed and that every transfer is valid — public, and makes the part that should be personal — who holds what and who pays whom— private, at the holder's option. $USDM mints 1:1 against native USDC and redeems back at any time. An opt-in shielded pool turns dollars into private notes; zero-knowledge proofs generated in the user's own browser guarantee that no value is created, destroyed, or double-spent inside the pool. Screening lives at the public on- and off-ramps, and withdrawals prove membership in an association set — privacy designed to complement compliance, not to defeat it.

01 · Motivation

Financial privacy for normal people.

Your salary, your savings, your rent — none of it should be a public broadcast. Today, a single payment reveals your entire financial history to the counterparty and to anyone watching the chain.

The transparency problem

Pay someone once and they can see your balance, your income, and everyone you've ever transacted with. Businesses leak payroll and supplier relationships. Individuals become targets.

The wrong fixes

Mixers hide provenance indiscriminately — which is exactly why they attract illicit flows and regulatory action. Opaque custodians ask you to trust them with both your money and your data.

The MaskedUSD position

Keep validity and backing publicly provable; make the transaction graph private by default inside an opt-in pool; screen at the legible fiat boundaries. Privacy and accountability, at the same time.

02 · Design principles

Constraints, not slogans.

These principles decided the architecture — each one closes off a whole class of designs.

Immutability is a feature

The vault, ramps, and shielded pool are non-upgradeable. No proxies, no admin withdrawal path, no admin who can freeze your USDM, block your exit, or mint unbacked dollars. What you audit is what runs — forever.

Privacy for normal users

The design target is everyday financial privacy, not evasion. The system follows the Privacy Pools model: association sets and opt-in transparency instead of indiscriminate mixing.

Compliance in the architecture

Screening is enforced by the mint and redeem ramps themselves — the boundary where dollars become legible. It is wired into the immutable contracts, not bolted on beside them.

The freeze is in the threat model

The vault holds native USDC, which its issuer can freeze. We treat that as a real risk to design and communicate around — not something to pretend away.

No Ponzi surface

No yield is promised anywhere in the system. $USDM pays nothing; it is a backed dollar. $MUSD pays nothing; it is a volatile utility token. Numbers that don't exist can't be faked.

Name the trusted parties

The remaining trust is explicit: a guardian that can pause entries and accept association roots — and nothing else. It cannot touch funds, mint, or upgrade anything.

03 · Architecture

A deliberately small immutable core.

Every contract is non-upgradeable and verified on Basescan; the only privileged authority anywhere is pause + association-root acceptance, held by the guardian.

ContractRolePrivileged authority
USDCVaultCustodies the native USDC backing, 1:1 against all outstanding USDM.Pause only
MintRampUSDC in → USDM out. Runs the sanctions-screening hook.Pause only
RedeemRampUSDM in → USDC out. Same screening at the exit boundary.Pause only
ShieldedPoolThe privacy core: a commitment Merkle tree + nullifier set.Pause + accept association roots
Verifiers (×3) + adapterImmutable UltraHonk verification of every shield / transfer / unshield proof.None
USDMStandard 6-decimal ERC-20; mint/burn callable only by the ramps.None
NoteMemoStateless encrypted payment-notice channel. Holds no funds; decoupled from the pool.None

The solvency invariant

USDC in the vault ≥ public USDM supply + shielded value — always. Minting increases both sides; redeeming decreases both. No path exists that creates USDM without locking USDC, and none that releases USDC without burning USDM. Pause halts entries during an incident, but exits keep working by design: a pause can never trap user funds.

04 · The shielded pool

Notes, commitments, nullifiers.

Inside the pool, dollars are notes — UTXOs whose contents only their owner knows. The chain stores commitments; inside the pool, ownership and transfer amounts never appear on the public ledger. (Amounts entering and leaving the pool — shields and withdrawals — are public, like any on-chain transaction.)

commitment = H(value, owner_pub, blinding, asset_id)
owner_pub  = H(owner_priv)
nullifier  = H(owner_priv, leaf_index)

A note commits to its value, its owner, and a random blinding factor with the Poseidon hash. Commitments are inserted into a depth-32 Merkle tree — the same tree the contracts, the circuits, and the client all compute identically. Spending a note reveals only its nullifier, which marks it spent without disclosing which commitment it was: double-spends are impossible, and on-chain unlinkability is preserved.

Private transfers are JoinSplit: spend two input notes, create two output notes (payment + change), and prove in zero knowledge that Σ inputs = Σ outputs + fee — value is conserved without revealing any amount.

Recipient-controlled payments

A MaskedUSD address (musd1…) packs an encryption key and a spending key. Output notes are bound to the recipient's spending key — only they can ever spend what they receive, and the sender cannot claw it back. Real payment finality, privately.

Encrypted payment notices

The sender posts the note's secrets — encrypted to the recipient — on the permissionless NoteMemo contract. The recipient's browser scans and trial-decrypts to discover incoming payments. NoteMemo holds no funds and can't affect the pool.

Proofs in your browser

Circuits are written in Noir and proven with UltraHonk over BN254 — entirely client-side, in WASM. Note secrets never leave the device; the chain's immutable verifier contracts check every proof. There is no trusted proving service.

Encrypted custody

Note secrets are encrypted at rest in the browser under a key derived from one wallet signature. Losing the secrets means losing the notes — users are told to back them up, plainly.

05 · Compliance posture

Not a mixer. By design.

The point is not to hide where money came from — it's that your finances shouldn't be a public feed. The design follows the Privacy Pools approach: keep the graph private inside the pool, screen at the boundaries, and let exits prove they belong to an honest set.

Screen where money is legible

Every mint and every redemption passes an on-chain screening check at the ramp — the point where dollars touch the regulated world. Today that check is a guardian-managed blocklist oracle; a dedicated screening provider is the designed direction. The pool itself never needs to see identities.

Association-set exits

Every withdrawal proves membership in an association root accepted on-chain. The designed model derives that set from the full commitment stream minus a published exclusion ledger — so flagged funds can be excluded from exits without deanonymizing anyone else. Today the guardian accepts the pool's current root; the exclusion ledger is the designed direction and is not yet live.

Validity is public

Backing, supply, and every state transition are publicly verifiable at all times. Privacy applies to who and how much — never to whether the system is solvent and correct.

Privacy for normal people — not a tool for evading the law

06 · Lifecycle

A dollar's round trip.

01

Mint

Deposit USDC at the ramp; receive public USDM 1:1. Screening runs here.

02

Shield

Prove a note commitment in-browser; USDM moves into the pool as a private note.

03

Send

JoinSplit: pay any musd1… address privately. Amounts and recipients stay off the ledger.

04

Withdraw

Prove ownership + association-set membership; the note returns to public USDM.

05

Redeem

Burn USDM at the ramp; native USDC returns to your wallet. Screening runs again.

07 · Tokens

$USDM is the product. $MUSD is not a dollar.

Two tokens, two jobs, kept deliberately distinct.

$USDM

The private dollar.

Backed 1:1 by native USDC held in the immutable vault, redeemable at any time, with privacy as an opt-in property. It pays no yield — it is a dollar, not an investment.

$MUSD

The ecosystem token — volatile, not backed.

A separate utility/access token launching on Clanker. It is NOT a stablecoin, NOT backed by anything, can go to zero, and pays no yield. Its role is utility, access, and community around the protocol. No $MUSD mechanism can ever touch $USDM's backing — the dollar stands on USDC alone.

08 · Security & risks

Stated plainly.

A privacy protocol earns trust by being explicit about what can go wrong — so here it is, without varnish.

Posture

  • All contracts are immutable and source-verified on Basescan — anyone can review exactly what runs.
  • Independent security review and audits are in the works; results will be published when complete. We won't claim an audit we don't have.
  • A public bug bounty is planned.
  • The guardian's authority is pause + association-root acceptance. It cannot move funds, mint, or upgrade anything, and a pause never blocks exits. Root acceptance is the one exit-side power it holds: which association roots are accepted determines which notes can withdraw — that is the compliance lever, named plainly.

Known risks

  • Smart-contract and circuit risk: a flaw in the contracts or the zero-knowledge circuits could put funds at risk. Immutability means bugs cannot be patched in place.
  • Issuer risk: the backing is native USDC; its issuer can freeze the vault's balance. This would halt redemptions while it lasted.
  • Exit liveness: withdrawals require an association root accepted by the guardian. After new deposits, exits depend on the guardian accepting an updated root; if it stops doing so, withdrawals stall until it resumes.
  • Privacy limits: privacy strengthens with pool usage. Early on, the anonymity set is small, and matching public shield/withdraw amounts or timing can narrow who paid whom. Network-level metadata (IP, RPC provider) is outside the protocol's protection.
  • Key loss: shielded note secrets exist only client-side. If a user loses them (and any backup), the notes are unrecoverable by anyone — including us.
09 · Deployment

Live on Base.

The official addresses of the user-facing contracts. Verify by address, not by name or ticker — anything else claiming to be MaskedUSD is not us.

ContractRoleAddress · Base
USDM (ERC-20)The public dollar surface0x09a418950fef
USDCVaultCustodies the 1:1 native-USDC backing0x7dD602e36464
MintRampUSDC in → USDM out (screening hook)0x1615482A3Df3
RedeemRampUSDM in → USDC out (screening hook)0x6D6E4cd23CDb
ShieldedPoolCommitment tree + nullifier set — the privacy core0x0e694fF1CDe6
NoteMemoEncrypted payment-notice channel for private sends0xF276B662C941

Hold dollars. Keep them private.

The app is live on Base. Mint a dollar, shield it, send it privately — and verify every claim in this document on-chain.

This document describes software, not an offer, solicitation, or financial advice. It is a living document and will be revised as the protocol evolves.