Hello,

Institutions are here. They are buying our assets, they are tokenising their assets. But they are not fully on-chain in a true sense. Institutions still use their assets off-chain and use blockchains for registry and cheaper, continuous settlement. We think the lack of on-chain privacy when using the asset has been a major deterrent to players moving active capital on-chain.

Starknet is changing that by ensuring that you can use your assets while maintaining privacy. This essay, written in collaboration with Starknet, is about why we think more capital will be on-chain and put to use there once the missing privacy puzzle is solved.

TL; DR:

• Transparency is the trap. Transparency became crypto’s institutional bottleneck. A market needs the trade, not the trader. Public chains exposed everything to everybody.

• That locks institutions out. Funds, treasuries and custodians may use public rails in narrow cases, but they cannot operate at full depth where every position, payment and counterparty relationship becomes public strategy.

• Every previous solution broke a critical component of the market. Most solutions could not get privacy, liquidity, and compliance right. Zcash and Monero created private islands, Solana-style confidential transfers provided partial privacy, and Tornado Cash invited regulators.

• STRK20 is betting that it is better to make existing assets private. USDC, tokenised treasuries, BTC wrappers and stablecoins can become private without becoming new assets with separate liquidity.

In the late 18th century, Jeremy Bentham designed a perfect prison called the Panopticon. The design stacks prison cells around a single watchtower. Every cell is lit from behind so that guards in the watchtower can see into each cell at once. While no inmate could ever tell whether anyone was up in the tower looking back. They never knew when they were being watched, so they behaved as if they always were. Two centuries later, the philosopher Michel Foucault seized on the design as the template for modern power. He said that visibility is a trap. You do not need chains if everyone can be seen. Watching alone does the work.

Crypto built a Panopticon without guards. It just handed every prisoner a pair of binoculars and pointed them at each other.

Don’t trust; verify. That was our industry’s go-to line. For a long time, a public ledger’s transparency was the selling point. More than anything, we hoped that the world would somehow be okay with putting its finances under everybody’s scrutiny.

The hope remained for quite some time. After a decade of opaque intermediaries, blown-up exchanges and rehypothecated claims, a ledger anyone could audit felt like the fix. You could check balances, verify supply and confirm a trade settled without trusting an operator. Transparency was not one feature among many. It was the whole pitch.

The problem is that if crypto wants to attract traditional finance players, it must contradict that original pitch.

The ambition has moved beyond retail speculation to all of finance. Tokenised treasuries, stablecoin settlement, on-chain credit, bitcoin collateral, corporate treasury flows, institutional DeFi. Crypto wants the serious money, and serious money does not want to be watched. They are not doing anything wrong. It is just that they might be hurt by moving money in public.

So, crypto is in a strange place. To win the institutions it has been chasing for years, it must rebuild the one thing it spent a decade defining itself against: privacy. The kind of privacy that every serious financial system already has. The one with regulatory oversight.

One might think this is a retreat from transparency. To an extent, it is. But it is also the realisation that transparency and confidentiality were never the same thing. Early Bitcoin proponents were also advocates of privacy. Ironically, Bitcoin is one of the more transparent systems out there. The thing is, markets need to know that a trade happened so the price can be updated. They have never needed to know who made the trade. Public blockchains fused those two facts into a single data layer, and that fusion stands between crypto and the capital it wants.

Starknet has spent the past few years resolving this tension between transparency, privacy, and compliance. It was designed around provable execution, in which a transaction can be shown to be valid without exposing its contents. This design allows Starknet to embed privacy in the core of the stack rather than add it as a feature. STRK20 is the expression of that idea. It gives any asset already living on Starknet a private mode without reissuing it. And does it while still trading against the same public liquidity everyone else uses and keeping a lawful path open for oversight.

This article is about how crypto can resolve the tension between privacy and publicly verifiable settlement at low cost. The aim should be to rebuild the invisible parts of the financial market structure without abandoning public settlement. This ensures that financial market participants do not have to jump through hoops when they use blockchain rails.

The Cost of Being Seen

Public blockchains are like a transparent fishbowl where everything is visible to everyone, all the time.

Traditionally, finance has separated what the market needs to see to function from what participants are allowed to protect. The market needs prices, liquidity, finality and proof that a trade was settled. There is no need for a perpetual live feed of who is doing what.

Take Warren Buffett as an example. Berkshire Hathaway has often sought confidential treatment from the SEC to build positions. This way, the market does not get the opportunity to front-run it. Phillips 66 in 2015, Chevron and Verizon in 2020, and most recently Chubb, where it quietly accumulated a roughly $6.7 billion stake through 2023 and 2024 before disclosing it in May 2024. The SEC grants this to large investors from time to time so that they can accumulate shares at a reasonable cost basis. The mechanism exists because information moves prices.

Dark pools exist for the same reason. The SEC describes them as alternative trading systems that operate without displaying specific order information prior to trades. They exist so that a large order does not move the market before it fills. They are not a fringe venue. Dark pools run roughly 15 to 18% of US equity volume on their own, and once you count every off-exchange venue, including bank-run pools like Goldman Sachs’ Sigma X and JPMorgan’s JPMX, more than half of all US equity trading now happens away from public exchanges. FINRA publishes the off-exchange data because it is now an integral part of the market structure.

A public chain has none of this machinery. There is no confidential treatment you can apply for, no dark pool to route your orders through, and no delay before disclosure. When a wallet starts buying in size, it often alerts the market before the order gets filled.

Neither Berkshire’s confidential filing nor the dark pool is the natural state of the market. Both are additional infrastructure built on top of a system whose default is full exposure. They are also gated and rationed. When you place a large order on a public exchange, the book shows your size to everyone, though not your name. Confidentiality in traditional markets is engineered, and access to it is sold to the people who need it.

Crypto is yet to build engineering infrastructure that hides things the way traditional markets do. It makes the exposure worse because when one of your addresses is linked to your identity, it becomes difficult to maintain pseudonymity. Of course, sophisticated users know well to keep changing their addresses often. But they must be perennially vigilant. On a DEX, your trade waits in a public mempool, which means you announce what you are about to do and then wait a few seconds for someone to act on it. And bots do. They buy in front of you and sell into the price your own trade pushes up.

Every serious market is eventually forced to build a confidentiality layer on top of its public one. Because without it, capital will not move in size. Traditional finance built that layer as separate, gated venues. Crypto must build it too. The only question is whether it can be done without walling the private flow off into a room of its own.

The lack of privacy in crypto is not a bug. The openness was deliberate and the whole point of the design. Reading the ledger yourself, trusting no one, was the pitch. And it only works if everything is visible to everyone.

Legibility has never been neutral. In Seeing Like a State, the anthropologist James Scott showed how governments learned to control a society by first making it legible. You cannot control what you cannot read, right? So, they flattened messy local idiosyncrasies into easy-enough-to-read from desk records. Cadastral maps in place of tangled local land claims. Standardised weights. Permanent surnames so people could be taxed and conscripted. Scott argued that whoever can access and read the map ends up controlling the territory.

When you think of it, crypto built the most legible market map in all of finance history. But unlike any state, it handed the map to everyone. Instead of one entity reading the ledger, the whole network does. Just that in this case, the most sophisticated reader wins.

Curve was one of the largest DeFi protocols. In June 2024, Michael Egorov, the founder of Curve, had borrowed close to $96 million in stablecoins against about $141 million of his own CRV tokens. The activity spread across several lending markets, such as Inverse, UwU Lend, Fraxlend, and Curve’s own Llamalend. Since all of it lived on-chain, anyone could read how much he owed, what backed it, and the exact CRV price at which each loan would be liquidated. George Soros’ reflexivity 101 tells us that when a major liquidation point is known, the market usually hunts for it. CRV started sliding as people began to front-run the liquidation. The positions unwound in a cascade that wiped them out, leaving around $10 million in bad debt. A public liquidation price is not essential information to the market’s functioning. It is often a target.

In a small market like crypto, this level of transparency was okay. But if you are a mutual fund where millions of people put money via SIPs, you do not want other funds to know what and how much you are buying. No one with size wants to be in a transparent fishbowl.

Why Privacy Kept Failing

Privacy is not a new idea in crypto. The industry has tried to achieve it many times. Each attempt tried to solve the predecessor’s problems but broke differently. We will look at three prominent approaches here.

Isolated liquidity

The first approach was to make privacy native to the base layer. And this was the correct instinct. Zcash and Monero built privacy into the base layer, so a transaction was private by default or close to it. Although the cryptography was good, everything around it was the problem.

The lack of liquidity was the first major issue. When an asset is private on its own island, it must build the entire financial stack there. Without exchanges, lending markets, fiat ramps, and custodians, it means nothing. But why will anyone build these things without liquidity? Without the financial plumbing, the private asset has nowhere to go. So, achieving scale was difficult.

The second problem was that users had to take action to make their assets private. Others could watch assets entering and exiting the privacy pools. It is like entering the event horizon. People can see you until you get in. Capital markets cannot work with strong privacy and weak access.

Zcash made shielding optional. Users had little reason to park their assets in the privacy pool. So, the crowd never formed. When the pool is relatively empty, it becomes easier to ascribe assets to their respective owner. One study reconstructed roughly a third of all coins ever sent to shielded addresses, just by matching amounts, timing, and the steady traffic between shielded and transparent accounts. There was simply nobody to hide among.

Another problem with this design is that when you hide everything, you hide what you need to verify as well. In 2018, an Electric Coin Company cryptographer found a flaw in the zk-SNARK construction behind Zcash’s shielded pool. An error in the setup allowed a cheating prover to forge valid-looking proofs, but it also allowed an attacker to mint unlimited counterfeit shielded ZEC. The invisibility made the bug more frightening. Because the shielded supply was private, the counterfeiting would have left no trace. You cannot audit what you cannot see. Zcash patched it quietly in late 2018 and disclosed it the following year, and there is no evidence anyone ever exploited it (Electric Coin Company).

Zcash’s trusted setup had a bug. Think of a trusted setup as a group of people gathering around one secret ingredient. They mix their individual secrets together to create a master key. If any participant had kept their share of it, they could have forged proofs forever. The safety of the whole system rested on the bet that at least one of them had destroyed their secret.

A shielded Zcash transaction really does conceal its sender, receiver and amount. The catch is that hiding the contents of a transaction does not hide the transaction. An observer still sees that a shielded transfer happened, when it happened, and the amounts going into the shielded pool and coming back out. Turning those visible facts into an identity only requires that there be few enough candidates. If a thousand people shield similar amounts at similar times, yours is lost in the pile. If three people do, you are one of three. Cryptography cannot fix this. You have exactly as much anonymity as there are people you could be confused with.

Partial privacy

The second approach kept the public chain and hid only part of the activity on it. Solana’s Token-2022 confidential transfer extension is the clearest example. It encrypts an account’s balance and the amount of a transfer while the token remains on Solana, shipped as part of Solana’s Confidential Balances suite in 2025, with a built-in auditor key so a regulator can still decrypt it when required.

A year on, it sits almost entirely unused. PayPal’s PYUSD can support confidential transactions. However, major wallets like Phantom and Solflare still do not support it natively; the proofs are generated off-chain, and an account must be set up with an encryption key before it can receive a confidential transfer at all. It exists as a feature without much ecosystem support.

Confidential transactions hide the amount but leave the remaining transfer parameters, such as the accounts, counterparties, and timing, public. And it does not compose with other primitives like swaps or lending. A confidential transfer is only a transfer. The moment you want the money to do something, swap it, lend it, post it as collateral, the protocol on the other side needs a number it can act on. So, the figure you encrypted is decrypted the instant you use it, which leaves you with privacy that holds only while the asset is passively held. Almost nobody wants privacy that they must pay for with their own money.

Mixing

The third approach was to break the trail by combining everyone’s assets. Tornado Cash lets users deposit on Ethereum and withdraw to a fresh address. Because users transferred from their addresses to the pool and then to new addresses, the on-chain link between their addresses was severed. Instead of asking people to leave Ethereum, it simply interrupted traceability by adding a black box in between.

The US Treasury sanctioned Tornado Cash in 2022, alleging that over $7 billion had been laundered through it. It also included funds tied to North Korea’s nefarious Lazarus Group. A federal appeals court ruled the sanction unlawful in late 2024, noting that immutable smart contracts are not property the government can sanction, and Treasury formally delisted the protocol from sanctions in March 2025. Despite that, one of its founders was convicted in August 2025 of running an unlicensed money-transmitting business, while the jury hung on the heavier money-laundering and sanctions charges.

Although you can interpret the whole thing as a win for privacy, institutions would not care for such a victory. The sanction was reversed, but only after years of litigation, a criminal trial, and a developer facing charges that carried a sentence of up to 20 years in prison. No financial institution wants to deploy capital and wait for the law to eventually catch up.

There was one more problem with Tornado Cash. You could “anonymise” your ETH in pools with different denominations of 0.1 ETH, 1ETH, and so on. The higher you went, the more difficult it was to hide because there was not enough of a crowd.

From all these attempts, it is clear that privacy needs to satisfy the following criteria.

1. It cannot be on an island where the whole finance stack must be rebuilt. Expecting users to bypass the existing infrastructure is a terrible UX. So, existing liquidity cannot be broken.

2. You must ensure that the solution complies with the existing regulations. Without regulation, you cannot achieve critical mass and hoping that regulation comes around is a terrible strategy.

Each one solved a piece of the problem and broke on another. Institutions want privacy, market access, and a compliance solution all at once. No system offered all three.

That is the gap Starknet is aiming at.

Proving it, Instead of Showing it

Eli Ben-Sasson, co-founder of Starknet, also co-invented Zerocash, the protocol underneath Zcash. He had seen first-hand how strong cryptography could still leave money stranded. Privacy cannot be a layer you bolt onto a transparent system. It must be a property of the system.

To see why that matters, let’s start with how an ordinary chain checks that a block is real. On Ethereum, when you send 100 USDC, every validator checks the transaction by re-executing it locally. It is like a room of accountants balancing assets and liabilities of a balance sheet from the income statement. If validators must check everything, they must have all the information. Re-execution is the reason the entire state must be public. You cannot recompute what you cannot see, so transparency was never really a choice those chains made. A consequence of this is also that privacy cannot be added afterwards, because hiding the numbers would blind the very accountants the system relies on.

Starknet does not ask every node to redo the computation. One party runs it and produces a STARK proof, and everyone else just checks the proof. Re-running a computation to check it requires its inputs. But verifying a proof has no such requirement. The validator confirms the result is correct without knowing any values. So, correctness no longer depends on disclosure.

Starknet distinguishes between two things: whether a transaction is correct and whether its contents are visible. As a result, privacy can be at the base layer.

In May 2026, a researcher auditing Zcash’s newest shielded pool (called Orchard) found a soundness bug in its zero-knowledge circuit. It had been live since Orchard launched in 2022. It could have been used to counterfeit ZEC inside the pool. The Zcash Foundation disabled Orchard with an emergency soft fork and patched it two days later. There is no sign that suggests anybody is exploiting the bug.

However, Zcash cannot prove that. The balances inside the Orchard pool are hidden, so there is no way to open the books and check that no coin was forged. The bug could forge coins in the pool but removing them would be difficult. Zcash runs a turnstile on every pool, a rule that tracks what goes in and never lets more come out than went in. So, however much was forged inside Orchard, the pool could not release more ZEC than people had deposited, and no counterfeit value could reach circulation. That check holds only because the pool’s deposits and withdrawals are public. No one can be certain that the balances inside Orchard still add up.

A hidden supply makes a bug like this invisible and unprovable after the fact. It was not the old kind of failure. Orchard runs on a proof system with no trusted setup, so there was no ceremony and no toxic waste to blame. The bug was a mistake in the circuit, which is an integral part of the proof system. Removing the trusted setup did not remove the danger.

This is why privacy must be close to execution. When you add privacy to public systems, they leak information at junctions. Say you have a private wallet that is compatible with the public chain. There would need to be a bridge mechanism to move your assets from regular addresses to private ones. The bridge is likely to expose asset movement. Privacy is tougher to break when it is native to the chain, i.e., inside the execution.

The same machine for privacy

Programs on Starknet are written in Cairo, a language built so that everything on it produces a mathematical trace that can be turned into a STARK proof. The same proving system that verifies a whole block also proves a single private transaction. Both are just STARK proofs that Cairo code runs correctly, so the chain handles them with a single set of machinery. Unlike in earlier cases where privacy was an add-on, the privacy engine is treated like the rest of the system components.

Starknet uses STARKs rather than the SNARKs Zcash used for two reasons. The first is that STARKs do not need a trusted setup. A SNARK begins with a one-time ceremony as mentioned before. Although Zcash ran elaborate ceremonies to lower the risk, and one participant destroyed their hardware with a blowtorch, the assumption that there is at least one honest participant must hold.

STARKs do not need this assumption. No ceremony, and no master secret for anyone to hold. But the setup secret is only one of two ways a shielded system can be forged. The other is a bug in the proof circuit itself, a flaw that lets an invalid transaction pass as valid. This has nothing to do with the trusted setup.

The second reason is the longer horizon. SNARKs rely on elliptic-curve cryptography, which a sufficiently powerful quantum computer could eventually break. STARKs use only hash functions, which are quantum-resistant to attacks known today. A system designed to keep financial records private for decades must address quantum threats. Besides, governments and banks are already moving to post-quantum standards.

With the architecture and cryptography now in place, one piece was still missing. For privacy to be genuinely useful, it needs to work on all devices. A good design does not make users spend a lot of money. So, users should be able to build proofs on their devices without handing them over to servers.

A single STARK proof is tens of thousands of numbers. Checking one such proof required running it through a smart contract. But the proof was too bulky for a single transaction, so verification was slow and costly. The answer was to somehow make users do less work. So, the April 2026 Shinobi upgrade moved verification out of a smart contract and into the network’s own consensus. This transferred verification work from the user/developer to the chain validators. So, the chain now checks a privacy proof as routinely as it checks a block. A private transaction that could not be verified at scale before now settles in seconds. Everything else in this piece depends on that change.

What STRK20 does

STRK20 gives an asset that already exists on Starknet a private mode. You do not have to mint a new asset. A stablecoin, a tokenised treasury, wrapped bitcoin, or any ERC-20 token can enter a shared privacy pool and gain confidentiality. Nothing is reissued, forked or migrated. The liquidity and the protocols already on Starknet can become privacy-capable from where they are.

The pool behaves like a drawer of sealed envelopes. When you deposit funds, they become a note. It is a private record of how much you hold and a secret that only you know. That note is sealed inside an envelope with what cryptographers call a commitment, and the envelope is placed in a drawer shared by everyone in the pool. Anyone can see the drawer is full of envelopes. No one can see inside any of them.

When you want to spend your assets, you do two things, both on your own device. You prove that you hold the secret to one of the envelopes in the drawer, without revealing it. And you publish a nullifier, a short marker built from that note’s secret. One note can produce only one nullifier, so publishing it marks the note as spent. The nullifier cannot be traced back to any envelope, so it retires your note without showing which one it was.

This prevents anyone from spending the same note twice, even when no balances are displayed. There is no balance to check against, so the chain instead keeps a public list of every nullifier ever published. Spend a note once, and its nullifier joins the list. Try spending it again, and the same nullifier is already there, so the network rejects it. A bug in this exact machinery is what cost Zcash its soundness, more than once.

The full cycle for a user’s asset is deposit, hold, transfer, trade, withdraw. A transfer inside the pool hides the sender, the receiver, the amount, and even which asset moved. To everyone else, it is just another entry in the pool. The pool is built to hold many assets at once, so one person can keep USDC, wrapped BTC and tokenised treasuries together, with no one able to read the portfolio. And because account abstraction is native to Starknet, the design carries over multisig, smart accounts and social recovery from the start, so an institution keeps the security model it already runs on rather than trading it away for privacy. The protocol behind it is set out in its technical paper.

A transfer only concerns two parties. A swap must touch a shared market. How does a market that knows nothing about a trade reprice against it? Every earlier system broke right here. STRK20’s answer is to control what each party in a swap can see.

When you swap privately on avnu or Ekubo, the trade performs as a single atomic action against the same liquidity as public swaps. The pool observes the size and direction of the trade because it needs those parameters to adjust its price and reserves. It does not care about who made it, what else they hold, or how this swap connects to their previous one. Your order never waits in a public mempool. So, there’s no question of frontrunning it. Unlike other attempts that split liquidity into several private buckets, STRK20 maintains a single shared market while hiding the participant. This way, the market gets the price it needs but never gets the person or address behind it.

A key for the regulator

None of this matters if regulators come for it the way they came for Tornado Cash. Crypto-natives tend to read compliance as surrender. The instinct is principled and naive about how regulated finance works. A custodian, a bank, a fund or a payment firm cannot opt out of oversight. It needs confidentiality from the public and its competitors. It cannot get immunity from the law, and it is not asking for it. Your bank does not publish your transactions, yet a court can compel disclosure, and an auditor can inspect the books.

STRK20’s answer is a viewing key that each user holds. The key can decrypt only its own history. Think of a safe-deposit box that only you can open. When you are renting it, you must lodge a sealed spare key with a custodian. The custodian is a threshold-controlled group of independent auditors. On a lawful request, they can use the spare key to reconstruct a user’s trail. They cannot open the entire pool. At the entrance and exit, wallets are screened for sanctions lists, so tainted funds are turned away at the door.

Entry to the pool is gated by a proof that the viewing key was escrowed correctly, and there is no way to skip it. This means that compliance is built into the act of using the system. You cannot use the pool without being compliant. Financial institutions do not have to worry about auditing compliance promises of every downstream on-chain product. They have one defensible answer they can give to a regulator, and a rule enforced by the protocol is far easier to evaluate than a stack of app-level discretion. It lowers the cost of diligence.

However, the design is a compromise between ethos and what works in the real world. A spare key held by anyone other than the user reintroduces a trusted middleman. This is one of the same centralisation vectors crypto set out to avoid, and a purist who calls it a backdoor is not entirely wrong. The system’s integrity does, to some extent, rely on how the authorised party handles the key. All the banks and financial institutions use some version of this compromise. It is narrower than trustless privacy. What STRK20 offers is market-independent privacy, with a lawful, scoped, and enforced oversight route. It is what an institution can use.

Market for Privacy

Every privacy system before this one has offered some of what an institution wants. None has offered it all at once. The wish list is short with stubborn trade-offs. It should –

1. Be private from the market,

2. Be able to trade against shared public liquidity,

3. Have a lawful path for oversight and

4. All of it should work with assets people already hold, rather than requiring people to mint new coins.

Zcash and Monero deliver privacy and little else. The asset is private, but it is also its own island, with its own thin liquidity and no oversight route an institution could lean on. Strong on one axis, absent on the rest.

Solana’s confidential transfers keep you on a public chain with real liquidity. But they hide the balance and leave the act of trading in the open. The amount is masked, while the behaviour around it remains legible, and there is no built-in audit trail. Good access, partial privacy.

Aztec is the most serious privacy engineering in the space. It runs fully private smart contracts on its own Ethereum L2 with client-side proving, and it has been live since late 2025. Privacy comes with a caveat. It lives inside the Aztec environment, which means the liquidity does too. A private Aztec user can only trade against the liquidity already existing in Aztec’s ecosystem, thereby prohibiting access to deep public liquidity outside it.

Canton has the institutional support. It is a permissioned network built for regulated players, with privacy and compliance standards similar to those that banks already maintain. Its strength also becomes its ceiling. It is a walled garden of approved participants, and private capital cannot enter or exit it at will.

Railgun is the closest cousin to what STRK20 is attempting. It lets existing assets on public chains move into a shielded pool, use DeFi privately, and even prove funds are clean through a tool it calls Private Proofs of Innocence. It works today. What it lacks is scale and speed. It runs on zk-SNARKs with the trusted setup baggage that implies, routes trades through relayers, and stays small enough that the anonymity on offer is thinner than the pitch.

Zcash put privacy on its own chain, so its liquidity got stranded. Solana added privacy on top of its transparent base layer, so it leaks the moment you trade. Aztec built a private world of its own, so its market is only what has moved there. Canton stayed permissioned, so it is closed by design. STRK20 puts privacy at the foundation. For the first time, you do not have to move elsewhere if you want privacy. We must wait and see whether these advantages help drive genuine adoption.

Can privacy bring new demand?

Most privacy projects carry a hidden tax. If the privacy lives in a new place, every application must be rebuilt there. STRK20 tries to avoid tax by making DeFi on Starknet privacy-capable. An asset can move into private mode and still reach the apps that exist today, so the existing market becomes more useful rather than being abandoned for a new one.

Developers do not want to add privacy for its own sake. It is no good if it does not bring additional users or more volume to their app. Can privacy drive net-new demand? The order flow that matters most is the kind that cannot come on-chain at all today. A fund that will not reveal its positions, a company that will not publish who it pays, a custodian that cannot let one client see another’s book, none of it can touch a transparent chain. A DEX or a lending market that turns privacy-capable can open the door to the capital that has been standing outside.

What Starknet is Trying to Solve

So far, this has been about the design. But who are the likely candidates to use this? Of course, crypto native users who have already used on-chain finance. But it expands to the market to the institutions that have circled on-chain finance for years and never stepped in, because the rails would have put their every position and payment on display. For most of them, the asset can already be on-chain. With baked-in privacy, just what they are used to in the traditional world, they can now start using on-chain assets.

Tokenised and exposed

The value of tokenised real-world assets on-chain, everything except stablecoins, grew from around $6 billion in early 2025 to more than $30 billion by mid-2026. BlackRock’s tokenised treasury fund, BUIDL, now serves as collateral in DeFi.

$30 billion is a rounding error compared to the tens of trillions in the global fixed-income market. Of course, many factors, such as regulation, distribution, and the absence of an ecosystem, explain why the entire thing is not on-chain. However, an asset manager will not run its book on rails without privacy.

So, the tokens get issued on-chain. However, the things you would do with those tokens tend to stay off- chain. It is good only for those who did not have access to these assets at all. Off-chain rails are still better for those who already use these assets. This can only change when a tokenised asset holder can trade without publishing the strategy behind it.

Where stablecoins stall

There’s now no doubt that stablecoins already work. They move value across borders, settle in seconds and run outside banking hours. Of the ~$39 trillion in annual transfer volume, genuine payments are about 1%, or $390 billion. The B2B payments share has grown more than 700% in a year to around $226 billion.

The 700% is real, but the volume is insignificant compared to the $89 trillion in global B2B payments. Stablecoins have managed to partially capture lower-hanging fruit like cross-border transfers between crypto firms, settlement for exchanges, and payments small enough that no rival is watching. The valuable flows stay away because they come with a cost to be seen. Companies like Kellogg or Mars are not going to want the world to know who their suppliers are by using on-chain payments for convenience.

Speed and cost, the original USPs of stablecoins, cannot come at the cost of privacy. With confidentiality, they become rails for serious money.

The custodian problem

A custodian holding crypto for institutions faces a choice with no good answer, and it comes down to how the wallets are arranged. It can keep everyone’s assets in one commingled wallet, an omnibus account, which is cheap to run and hides any single client inside the pool. Or it can give each client its own segregated wallet, which is what a client needs when doing anything on-chain, because a lending market or a DEX must see a discrete account before it will lend to or trade with that account.

The trouble is that a segregated wallet is a public track record. Every position the client takes, every loan, every collateral move, is tied to that one address and open to anyone. Watch it for a while, and you have the strategy.

Custodians keep client assets pooled in the omnibus. They move a client’s share out to its own address only when it needs to transact. That keeps the assets private while they do nothing. But the instant the client borrows or trades from that address, the activity becomes publicly visible. You can keep a balance private while it does nothing. You cannot keep it private while it works.

STRK20 will protect privacy even when assets are productive. You can now trade from the shielded pool without making the asset public. You will soon be able to borrow and lend privately, too. So, the behaviour stays hidden not only while the asset is idle but also when you put it to work.

Satoshi saw it coming

Bitcoin’s culture venerates sovereignty, yet its ledger is the most transparent. Pseudonymity hides who you are, only until one address is tied to you.

In a 2010 Bitcointalk thread, when a user raised the idea of using cryptography to hide transactions, Satoshi took it seriously before deciding that the tools of the day could not do it. “It is hard to think of how to apply zero-knowledge proofs in this case,” he wrote, because Bitcoin must prove a coin was not already spent, which seemed to require seeing everything. Sixteen years later, zero-knowledge proofs do exactly that, just not on Bitcoin.

Privacy matters more when using BTC. You can post wrapped bitcoin on Aave and borrow stablecoins against it without selling. The DeFi built around Bitcoin has grown from almost nothing two years ago to around $6.5 billion, with $7 billion in wrapped BTC. However, this is well under 1% of all the bitcoin in the world.

The primary reason for bitcoin’s limited use is the lack of programmability at the base layer. If you must use BTC, you must do so with a solution that relies on additional trust assumptions. That trust is the wall.

Starknet is going after the root of the problem. StarkWare is one of the main backers of OP_CAT, a proposal to re-enable an opcode Satoshi disabled in 2010, which would let Bitcoin verify STARK proofs directly and allow Starknet to settle on Bitcoin itself. It has already run a STARK proof through a verifier on Bitcoin’s test network and funded the research behind the push. If it lands, Bitcoin gets real programmability, lending, leverage and yield secured by Bitcoin rather than by a custodian. The catch is that OP_CAT is a soft fork, and Bitcoin changes its rules slowly and reluctantly. It is a multi-year bet, and it may never clear.

strkBTC is what works until OP_CAT is live. Yes, it is a wrapper with additional trust assumptions. But it is the wrapper that delivers DeFi with privacy, instead of waiting for a Bitcoin soft fork. We know how hard those changes to Bitcoin are to come by. Starknet is playing both tracks at once. The long game is making Bitcoin programmable at the base layer. The near-term aim is a private, usable version of bitcoin on Starknet, while the long game is being fought.

Compounding Privacy

Starknet’s design turns scale into a strength. Every new participant and every new asset in the pool makes it harder to single out those already inside it, so the system grows more private as it grows larger.

Safety in numbers

Chains used to compete on speed and fees. We have seen infrastructure rapidly commoditised. Transaction costs are racing toward zero everywhere. Liquidity is the only moat left. Hyperliquid is a live example of that.

A privacy pool is liquidity too. And it is harder to copy than regular liquidity. It gets more private as it gets bigger. A pool with only a handful of users gives them away through timing and matching amounts. A pool holding USDC, strkBTC, tokenised treasuries, and staking tokens, with thousands of people moving through it, makes it more difficult to recognise patterns. Every deposit is another plausible explanation for every other movement. Zcash is the proof in both directions. For eight years, barely a tenth of its supply was shielded, which is why researchers could trace so much of what passed through it. Then the crowd arrived, the shielded share climbed past 30%, and the pool grew harder to read. Privacy is a network effect, and unlike speed or fees, it compounds rather than commoditising.

The pool is most private to those who keep their activity within it. Because every time you cross the public-private boundary, some information can be used to construct your identity. So, the rational move is to stay in the pool. The move is rational for you and for other participants, too: for each user who stays, the next one becomes harder to single out. If Starknet gets this right, the privacy pool is the moat itself. Because a rival cannot match by simply shipping faster blocks or cheaper gas.

A lot must go right

Every privacy solution has had the cold-start problem. The pool is weakest on the day it opens, when the crowd is smallest, and the first user is the most exposed. Institutions will wait for more liquidity before they trust it. Privacy-natives may baulk at a compliance-heavy design. Builders wait for users, users wait for builders, and the pool stays thin. Zcash took the better part of a decade to fill, and it had a movement behind it. STRK20 must win the dull institutional flows instead, which move more slowly because they take longer to trust. It is entirely possible the pool never gets dense enough, and the whole thesis hangs on it.

The compliance design may not please anyone either. Privacy maximalists will read the viewing key as a backdoor and leave. Some regulators will decide it gives them too little, rendering it untouchable for institutions. Legal teams at banks may want precedent long before they want a novel design. The system risks being technically balanced and politically homeless at the same time.

The field is getting crowded. Aztec is building private execution from first principles. ZKsync has its Prividium model for enterprises. Canton already has the institutions in the room. Miden, spun out of Polygon, is taking privacy seriously. Starknet’s head start is its architecture, and crypto is full of better architectures that lost on distribution. It may also simply stay infrastructure. A private base layer produces nothing on its own. Someone must build a confidential settlement on it, ship private custody products, and wire it into lending markets and RWA platforms. While some pieces are already live, things like lending will be live soon.

A bug could do to STRK20 what one just did to Zcash’s Orchard. It is a shielded pool, so it carries the same risk. A zero-knowledge proof does not check that a transaction is honest, only that it follows the rules fixed in the circuit beforehand. When you omit a rule, a transaction that should have failed still satisfies all conditions, and the proof certifies it as valid. This is the most common way these systems fail, and it has nothing to do with the trusted setup.

Orchard didn’t have any trusted setup, and the bug happened anyway. Removing the ceremony, which is what STARKs do, closes one door and leaves this one open. Two things limit the damage. How hard the circuit is audited and how fast a flaw is caught, which is never truly finished. And whether the protocol caps what leaves a pool at what went in, so a note forged inside can never be withdrawn.

How Starknet finally brings institutions on-chain

Every privacy system before this made you choose. Keep your privacy and lose the market, or keep the market and lose your privacy the moment you touch the asset. Starknet does not force that choice onto you. An asset already on the chain goes private while continuing to trade with the same public liquidity and the same apps. There’s no other privacy design that offers a combination of no trusted setup, quantum-resistant proofs, settlement at protocol speed, and one shared liquidity pool.

We have been waiting for institutions, and they are here. But they still treat blockchains like back offices. Mainly as ledgers. Their assets are not yet fully programmable, as blockchains and smart contracts offer. Institutional assets come on-chain largely as representations of what happens off-chain and for settling those assets. Because it is cheaper. Settlement came on-chain. However, ‘putting assets to work’ stayed off-chain because using the asset in public discloses your position. A solution like Starknet closes the gap so that the asset can earn, lend, serve as collateral, and trade without its owners having to worry about surveillance.

Crypto spent years treating privacy as a way out of the financial system. It may turn out to be the thing that finally blurs the boundaries between the two.

Exploring how crypto expands traditional finance,
Saurabh Deshpande