A wallet proves β in zero knowledge β that its counterparties belong to a screened ASP allow-set. A Soroban contract verifies the RISC Zero Groth16 seal on-chain and gates the wallet's stablecoin transfers on that proof. Privacy preserved. Compliance provable.
The proof is a reusable attestation that gates any SEP-41 transfer β the same clearance unlocks USDC, EURC, any token β rather than a one-shot shielded pool.
A Rust no_std guest takes the wallet's private counterparty graph + an ASP allow-set Merkle root and proves every one of K counterparties is a member β without revealing them. Commits a 109-byte journal, emits a selector-prefixed Groth16 seal.
Hashes the journal, calls the Nethermind stellar-risc0-verifier to verify the seal against (image_id, journal_digest) via BN254 host functions, then enforces: image_id, allow_set_root, wallet binding, pass==1, nullifier non-replay.
Reverts NotCleared (#9) unless from is currently cleared. ZK is load-bearing β remove the proof and the gate cannot be satisfied; there is no other path to "cleared".
Every contract and transaction is judge-verifiable on stellar.expert. Persistent entries are bumped to ~100k ledgers, so the deploy stays live for the judging window.
Run on Protocol 27 β public testnet + local standalone. Real seal, image_id, journal, balances.
Flip one byte β #10 ProofVerificationFailed. Verifier traps in bn254_multi_pairing_check ("point not on curve"). A forged seal cannot produce a clearance.
Seal from a different guest β #11 BadImageId, caught before the verifier call.
Guest assert!(k>0) makes the proof un-generatable; registry also reverts #13 ZeroK. The "all compliant" claim cannot be vacuously true.
Aegis is the only RISC Zero zkVM compliance coprocessor in the field β other RISC Zero projects target proof-of-reserves, receipts, or settlement, while the remaining compliance submissions use Noir or Circom hand-written circuits.
Compliance logic is branching and graph-shaped (membership today, deny-set + graph reachability tomorrow). A Rust program compiled by the zkVM is cheaper to get right and to audit than an equivalent hand-rolled Noir/Circom circuit, and composes with standard crates.
RISC Zero on Stellar is one of SDF's named ZK stacks, with an official Nethermind on-chain verifier (stellar-risc0-verifier) that Aegis forks β built on promoted primitives, not a bespoke circuit.
A compliance gate verifies proofs frequently (every transfer). Groth16 seals are ~260 B and verify in a single BN254 pairing_check (~12M instr); STARKs would be ~100 KB and blow the 100M-instruction WASM budget. vs Noir/UltraHonk (~35M instr), Groth16 is cheaper for this access pattern.
The proof is a reusable attestation that gates any SEP-41 transfer β the same clearance unlocks USDC, EURC, any token β rather than a one-shot shielded pool. This is the "proof layer under SDF's Confidential Tokens policy engine" framing.
| Property | Aegis (RISC Zero) | Typical Noir/Circom pool |
|---|---|---|
| ZK backend | zkVM (Rust program) | hand-written circuit |
| On-chain verify cost | ~12M instr (single pairing) | ~35M instr (UltraHonk) |
| Proof scope | reusable attestation (gates N transfers) | one-shot withdraw |
| Tokens gated | any SEP-41 (USDC/EURC/β¦) | single pool token |
| Nullifier binding | wallet β secret β root β ledger | note-secret only (typical) |
| Audit surface | Rust program + standard crates | custom circuit constraints |
What is cryptographically enforced vs what is not. Stated honestly β this is a hackathon prototype, not audited.