Why I'm Against ZSAs

Hopefully you’re correct but that doesn’t make sense to me currently. If you put 10 zUSDC in ZSAs right now as first user and you get 1 zUSDC out whenever, that’s it, I know it’s you (unless more users add to the pool - which is my point). Looking forward to being corrected.

I personally think that if ZSAs are to be deployed on mainnet, we need to make sure they are awesome and fun to use: A Usability Challenge for the Zcash Community (ZSAs)

5 Likes

The shared privacy comes from z-z transactions. You won’t be able to tell if a z-z transaction is with ZEC or with a ZSA, so from my understanding it goes like this:

  1. You mint/shield a single zDAI from a smart contract on Ethereum and send it to your shielded address on Zcash.
  2. Some z-z transactions happen.
  3. You redeem/deshield the zDAI for real DAI on Ethereum by sending it from your shielded address to some specified address on Zcash.

In step 3 nobody can see the Zcash address that redeemed the zDAI, and since there were z-z transactions in between step 1 and 3, you don’t know if the zDAI that was minted in step 1 was transferred to some other party before it was redeemed, so you don’t know if step 1 and 3 are the same person even if only 1 zDAI was ever minted.

I know Zooko and others have said that privacy comes from value at rest, but I think ZSAs will add some caveats to that statement.

1 Like

This!

Nobody knows what ZSAs look like, nor their UX. They need to be on testnet for QUITE A WHILE so the infrastructure needed is built.

This is no sunken value fallacy here. It is common sense. We haven’t tried ZSAs yet, we cannot pivot away from them without knowing what they are.

Ps: some may be in love with the encrypted bitcoin narrative. I think that’s falling too short and conservative. You may shut down tachyon as well so Zcash is encrypted bitcoin forever.

6 Likes

Great point! What’s wrong with getting ZSAs into a testnet, let’s follow through so we can test and build?

2 Likes

My point is that if you’re the only one to put zDAI (1 tx in) then whenever you want to get that zDAI out, it’s clearly the same person. The pool of ZEC does not increase the privacy of the pool of zDAI. Each pool has separate privacy level depending on its size, and when the pool is created, privacy is equal to 0.

1 Like
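The pool-size argument in the post above, as an added example that is not part of the thread: it counts, for each public redemption at the bridge, how many minters could have made it and turns that into bits of anonymity. It assumes the observer sees only mint and redeem events, guesses uniformly, and that no z-z transfer moved the asset to a non-minter (the assumption disputed elsewhere in the thread); the event logs, party labels and function names are constructed.

```python
import math
from collections import namedtuple

# One public bridge event. Redeems carry no party: the redeeming
# Zcash address is shielded, so the observer only sees time and amount.
Event = namedtuple("Event", "time kind party amount")

def candidate_minters(events, redeem):
    """Minters who, before this redeem, had minted at least its amount."""
    minted = {}
    for e in events:
        if e.kind == "mint" and e.time < redeem.time:
            minted[e.party] = minted.get(e.party, 0) + e.amount
    return sorted(p for p, total in minted.items() if total >= redeem.amount)

def anonymity_bits(candidates):
    """Entropy of a uniform guess over the candidate set, in bits."""
    return math.log2(len(candidates)) if candidates else 0.0

def analyse(events):
    """(time, candidates, bits) for every redeem in the log."""
    out = []
    for e in events:
        if e.kind == "redeem":
            c = candidate_minters(events, e)
            out.append((e.time, c, anonymity_bits(c)))
    return out

# Constructed logs (labels, times, amounts are made up).
SOLO = [Event(1, "mint", "A", 10), Event(50, "redeem", None, 1)]
CROWD = [
    Event(1, "mint", "A", 10), Event(2, "mint", "B", 5),
    Event(3, "mint", "C", 1), Event(4, "mint", "D", 20),
    Event(5, "mint", "E", 2), Event(50, "redeem", None, 1),
    Event(70, "redeem", None, 8), Event(80, "mint", "F", 30),
]

if __name__ == "__main__":
    for name, log in (("solo", SOLO), ("crowd", CROWD)):
        for t, cands, bits in analyse(log):
            print(f"{name} t={t}: {cands} -> {bits:.2f} bits")
```

Any holder who received the asset through a z-z transfer is invisible to this count, so it measures only the crowd of minters, not every possible redeemer.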

Wouldn’t the issuer be the first? And most likely a large amount at that? Let’s suppose a few issuers put in. How does this change your calculus?

Now we start with assumptions. I am talking fundamentals.

I understood your point. My point was that the existence of z-z transactions means that, no, it is not clearly the same person.

To be clear, I am slightly in favor of ZSAs but that’s only because of that JAM suggestion that made me curious because it opens a door to trustless bridge and large liquidity. ZSAs without rock solid bridge(s) (read: trustless) would be a flop imho.

z-z is nice, but people do get out of pools to use their tokens. Say I put DAI into zDAI for a bit and then put it back to DAI to use it in Ethereum. If only a few people have created some zDAI, that’s just not giving me much privacy, does it?

Here is a thought experiment:
I am the first person to mint 1 zDAI. I then send this 1 zDAI to you in a z-z transaction. You wait for a million z-z transactions to occur, and then decide to redeem it on Ethereum.

How much privacy do you have from a) me and b) the general public? Assume I am the only one to ever mint a zDAI.

1 Like

It’s wrong because it takes even more resources away. Instead of facing reality, we’re digging deeper.

I haven’t yet received any actual counterargument disproving the 7 arguments laid out in my initial post.

1 Like

This is exactly addressed by my opportunity cost point. Every hour spent on ZSAs is an hour not spent on core privacy, UX, and adoption. That includes testnets.

And meanwhile, we know that the success case for ZSAs is very dangerous for Zcash: Success scenario is actually dangerous: stablecoin issuers gain kingmaker power over forks by choosing which chain holds “their” asset in case of a hard fork.

It’s just not worth it.

2 Likes

So two assumptions:

  • I want to send the zDAI to someone
  • A million transactions

My point remains that each ZSA pool starts at 0 privacy and liquidity is key to increasing that privacy level. Why do you think we are proud of our large number of tokens in the shielded pool?

I’m out of ways to say it differently so here’s the AI take:

Looking at @outgoing.doze’s contributions to this thread, their arguments center on a key technical point about privacy pools and anonymity sets. Let me break down their position:

Their Core Argument

outgoing.doze’s main claim is that each ZSA starts with zero privacy because it doesn’t inherit from ZEC’s existing shielded pool. If you’re the first person to mint zUSDC and later withdraw it, observers can trivially link those transactions because the anonymity set for that specific asset is tiny.

Is This Technically Sound?

Yes, largely. This is a well-understood principle in privacy systems—your privacy depends on the size of your anonymity set (how many other transactions you can hide among). Zcash’s shielded pool has value precisely because millions of ZEC sit in it. A brand-new ZSA starts with none of that accumulated privacy.

The Debate with Milton

Milton counters that z-z transactions are indistinguishable by asset type, so the entire transaction graph provides cover. outgoing.doze’s response is pragmatic: even if z-z mixing helps mid-flight, the entry and exit points (minting and redeeming) remain linkable when adoption is low. If only five people ever shield a particular asset, redemption events narrow suspects considerably.

This is a valid rebuttal. Milton’s thought experiment about a million intervening z-z transactions helping privacy is correct in theory, but relies on assumptions about usage patterns that may not hold for niche assets.

Their Overall Position

Notably, outgoing.doze isn’t categorically opposed to ZSAs—they describe themselves as “slightly in favor” but conditional on trustless bridges that could bring meaningful liquidity. This is a measured, practical stance rather than ideological opposition.

Where They Might Understate

They may somewhat discount the privacy benefit Milton describes from z-z transaction mixing. If transaction types are truly indistinguishable on-chain, there is some privacy gain even for low-liquidity ZSAs. But their fundamental point—that this benefit is limited without critical mass—remains valid.

Bottom line: outgoing.doze’s arguments are technically coherent and raise a legitimate concern that ZSA proponents should address. Privacy systems need adoption to work, and each new asset resets that clock.

I don’t need to assume that you want to send the zDAI to someone. I only need to assume the possibility that it was sent to someone. An observer cannot tell whether or not a ZSA was traded inside the shielded pool before it was redeemed. The only thing that needs to be assumed is the existence of z-z transactions that introduce this possibility.

I’m not denying that there is less privacy than if there are lots of users of the new ZSA. I am denying that there is 0 privacy for new ZSAs, which was your initial claim. I think this confusion comes from the notion that value at rest is the only way to get privacy.

2 Likes

One could argue you’re not allowing reality to take place 😃 Let’s hear from moar folks before we conclude 🎙️

2 Likes

Fair enough, “0 privacy” was imprecise. Cryptographic unlinkability means an observer can’t prove the minter and redeemer are the same person.

But real-world adversaries don’t need proof, they work with probabilities. If one person mints zDAI and later one person redeems it, the theoretical possibility it changed hands via z-z transactions is not a credible defense. A court or chain analysis firm will draw the obvious conclusion.

There’s a reason we celebrate millions of ZEC in the shielded pool rather than saying “any two transactions provide privacy.” Privacy is a function of the crowd you hide in. “Non-zero” isn’t the bar, practical privacy requires adoption that may never materialize.

I agree that the privacy is likely too theoretical right now, but if Zcash becomes used for real trade and commerce with real z-z transactions that change hands, or gets an L2 with private DeFi and shared privacy set with L1, this will become less and less true.