Interpreting Aztec: Bringing Privacy to DeFi's L2

Chain Tea House
2022-07-06 09:57:42
The core advantage of Aztec lies in its product, which achieves a high level of security and privacy features that can interact with DeFi projects.

Author: echo_z, Chain Teahouse

Recently, Chain Teahouse published a series of articles on L2, detailing specific projects from L2 Overview to StarkWare, ZKSync, and others. In addition to the previously introduced leading projects, there is a relatively unique project in L2 called Aztec, which implements privacy transactions. Privacy transactions are not new, but the new features that Aztec is about to launch can achieve privacy in DeFi, filling the gap in the privacy sector. This article will analyze Aztec.

Market Overview

In the real world, "privacy" is almost a default option; no one wants their information to be leaked. However, in the blockchain world, due to the transparency of on-chain information, users often cannot enjoy privacy protection for their transactions. For retail investors at this stage, this is not a big deal, but as the industry develops, privacy will inevitably become an important feature. Chain Teahouse believes that user demand may focus on two aspects:

Firstly, the demand for transaction privacy protection from large holders. If large holders publicly disclose their substantial balances and transaction behaviors, it is akin to parading their wealth, making them susceptible to hackers or identity exposure. From the existing privacy transaction projects, funds are also mostly concentrated in large holder transactions.

The following chart shows the monthly withdrawal data of Tornado Cash, where the numbers represent the number of withdrawals, and the ranges represent the withdrawal amounts (Tornado's mechanism allows deposits and withdrawals in denominations of 0.1ETH, 1ETH, 10ETH, and 100ETH). Calculations show that the total withdrawal amount of 100ETH is the largest, accounting for 87.6% of all withdrawals in June.

image

Source: https://dune.com/poma/tornado-cash_1

Secondly, as Web3 expands beyond investment to areas such as communication and social networking, the demand for privacy will also become prominent. No one wants their accounts to be constantly disturbed by spam, nor do they want their chat content with close friends to be made public.

In summary, due to the current use cases of Web3 being concentrated on trading and investment, only large holders have a strong demand for privacy; however, as the functional scenarios of Web3 expand, privacy needs will also extend to retail investors.

From the current supply perspective, most projects that have implemented privacy features can only meet simple transfer functions. Leading projects in the privacy sector include: Monero with an FDV of ~2.1 billion USD and Zcash with ~1.1 billion USD, both of which are independent L1 public chains that do not support smart contracts; Tornado Cash, with an FDV of ~230 million USD, is a smart contract built on Ethereum that only supports deposits and withdrawals in limited denominations. In addition, some projects like Secret Network can support smart contracts, with an FDV of ~170 million USD; however, its core privacy functionality relies on hardware devices, which have a low security level[1].

Therefore, the privacy sector lacks projects that are functionally complete and have a sufficiently high security level. As an emerging privacy project, Aztec has the potential to fill this gap: as a ZK Rollup project, it can share Ethereum's security, and the project's medium- to short-term goal is to achieve privacy in DeFi interactions, bringing a new experience to the privacy sector.

Product Mechanism

Aztec's product system is based on the underlying PLONK proof system, which enables anonymous transactions between accounts and achieves privacy interactions with DeFi projects through gateway contracts. Apart from the gateway part, Aztec's method of achieving privacy is actually quite similar to Zcash, resembling a Zcash that shares Ethereum's security through Rollup technology. The following sections will detail its privacy architecture and DeFi interaction methods.

Privacy Architecture: UTXO Model and Privacy Proofs

Zcash's accounting model follows Bitcoin's UTXO (Unspent Transaction Output) model, where each UTXO is referred to as a Note, recording the changes of each transaction. For example, if I have a 10-unit note in my account and I transfer 5 units to someone else, this 10-unit note will be split into two 5-unit notes, one owned by the recipient and the other retained by me. For an account address, the total balance is the sum of all UTXOs.

image

Source: https://medium.com/aztec-protocol/an-introduction-to-aztec-47c70e875dc7

In contrast, Ethereum's accounting model is based on accounts: each account corresponds to a balance, and a transfer is an arithmetic update of the balances of both parties' addresses. Since each account's balance is recorded directly in its most recent state, rather than having to be summed from all UTXOs under an address, the account model is easier to compute with in complex smart contracts and is the more mainstream accounting model, while UTXO is more common in simple transfer networks like Bitcoin.

image

Source: https://medium.com/aztec-protocol/fully-confidential-ethereum-transactions-aztec-networks-privacy-architecture-274f968b13d4

The UTXO model and account balance model each have their advantages and disadvantages, and in terms of privacy, UTXO is more suitable for storing different addresses under the same account, making it easier to obfuscate the connections between transactions[2]. This is likely why both Zcash and Aztec chose the UTXO model.

In this accounting model, each user transaction essentially destroys one or more notes, creates one or more new notes whose values sum to the same total, and transfers ownership of part of that value to the recipient.

In Aztec's data structure, the states of all notes are stored in two Merkle Trees, one being the note tree, which stores all generated notes, and the other being the nullifier tree, which stores all destroyed notes. To "own" a note means that the corresponding note exists in the note tree and does not exist in the nullifier tree[3].
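The note and nullifier bookkeeping described above, as an added illustration that is not Aztec's own code: hashes stand in for note commitments, plain sets stand in for the two Merkle trees, and the owner names, values and salts are constructed. It walks through the 10-unit note split from the earlier example and shows why a spent note cannot be spent twice.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Note:
    owner: str
    value: int
    salt: int  # blinding value: equal-value notes still get distinct commitments
    def commitment(self) -> str:
        return hashlib.sha256(f"{self.owner}|{self.value}|{self.salt}".encode()).hexdigest()
    def nullifier(self) -> str:
        # Domain-separated hash of the commitment: publishing it marks the note
        # as destroyed without revealing which note-tree entry it refers to.
        return hashlib.sha256(b"nullifier|" + self.commitment().encode()).hexdigest()

class NoteState:
    """Append-only sets standing in for Aztec's note tree and nullifier tree."""
    def __init__(self):
        self.note_tree, self.nullifier_tree = set(), set()
    def is_owned(self, note):
        # Spendable iff present in the note tree and absent from the nullifier tree.
        return note.commitment() in self.note_tree and note.nullifier() not in self.nullifier_tree
    def transfer(self, inputs, outputs):
        """Destroy input notes and create output notes; total value must be conserved."""
        if not all(self.is_owned(n) for n in inputs):
            raise ValueError("input note unknown or already spent (double spend)")
        if sum(n.value for n in inputs) != sum(n.value for n in outputs):
            raise ValueError("value not conserved")
        for n in inputs:
            self.nullifier_tree.add(n.nullifier())
        for n in outputs:
            self.note_tree.add(n.commitment())
    def balance(self, owner, notes):
        # An address's balance is the sum of the notes it owns that are still unspent.
        return sum(n.value for n in notes if n.owner == owner and self.is_owned(n))

def demo():
    """The 10-unit note split from the text, then a rejected replay of the spent note."""
    st = NoteState()
    a10, b5, a5 = Note("alice", 10, 1), Note("bob", 5, 2), Note("alice", 5, 3)
    st.note_tree.add(a10.commitment())             # deposit: Alice's initial 10-unit note
    st.transfer([a10], [b5, a5])                    # 10 -> 5 to Bob + 5 change to Alice
    try:
        st.transfer([a10], [Note("carol", 10, 4)])  # same note again: must be rejected
        replay_accepted = True
    except ValueError:
        replay_accepted = False
    return st.balance("alice", [a10, a5, b5]), st.balance("bob", [a10, a5, b5]), replay_accepted
```

In the real system the ownership and value-conservation checks run inside the user's locally generated zero-knowledge proof, so the chain sees only new commitments and nullifiers, never the owners or amounts.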

image

Source: Same as above

So, at what step is the user's privacy achieved, and what information has been processed through Rollup? This involves the process of generating multi-layer proofs.

When a user wants to make a transaction, they need to destroy and generate the corresponding notes, then transfer the ownership of the notes. For this private transaction, the user needs to generate a "privacy proof" locally. Subsequently, 28 private transactions will be aggregated into an internal Rollup proof ("inner" rollup proof), and then 32 such internal Rollup proofs will be aggregated into an external Rollup proof ("outer" rollup proof), which will ultimately be submitted to L1 for node verification.

The following diagram shows 4 internal Rollup proofs aggregated into 1 external Rollup proof, totaling 112 transactions. In the SDK updated in March this year, this was increased to 32 internal Rollup proofs, meaning that a final submitted Rollup proof can include 28*32=896 transactions.

image

Source: https://medium.com/aztec-protocol/privacy-for-pennies-scaling-aztecs-zkrollup-9f2b36615cc6

It is important to note that only the privacy proofs generated locally by the user are true zero-knowledge proofs that do not leak information and are the only part responsible for privacy in the entire system[4]. The internal Rollup and external Rollup proofs above them, like those of StarkWare and ZKSync, are not necessarily zero-knowledge. By the way, the StarkWare team has proposed renaming ZK Rollups to Validity Proof to avoid confusion[5].

Aztec's Rollup method differs significantly from StarkWare, ZKSync, and other ZK-based L2s: typically, ZK Rollups package multiple transactions to generate aggregated proofs, while Aztec, in order to achieve privacy, needs to generate proofs for each transaction separately and then package the proofs to produce the final proof. This is likely why Aztec's gas fees are higher than all other Rollups.

Throughout the process, we can see multiple practices derived from Zcash, including the UTXO accounting model, the design of the two Merkle Trees, and the method of users generating privacy proofs locally, all of which are similar to Zcash. Additionally, Aztec also provides internal transfers, meaning that one anonymous account can transfer to another anonymous account. This obscures the transaction relationship between the two addresses and avoids the public linkage that arises when a wallet address lacks the balance to cover fees or must be funded from a visible address to pay miner fees. This is likely to provide better privacy protection than Tornado Cash, which only allows deposits and withdrawals through denomination pools; Zcash also offers this functionality.

image

Various transfer modes provided by Zcash, with the red box indicating anonymous to anonymous, which is the internal transfer function in Aztec. Source: https://z.cash/technology/

At this point, we can basically understand Aztec's privacy architecture: using the UTXO accounting model, transfers are realized through the splitting of "notes" and the transfer of ownership, with users generating privacy proofs locally to achieve private transactions, and then using dual-layer Rollup to achieve aggregated proofs for multiple transactions, which are submitted to L1 for verification. The underlying privacy architecture borrows many designs from Zcash, while the aggregated proof method through Rollup leverages Ethereum's security, resembling a Rollup version of Zcash.

Aztec Connect: Achieving DeFi Privacy Interactions through Gateways

The aforementioned privacy architecture enables users to conduct private transactions, but up to this point, it has merely migrated privacy transactions to L2, without significant improvement over previous solutions, still only allowing for simple transfers. Aztec's goal is not limited to this; it hopes to support privacy interactions for all smart contracts in the long term, with the short-term goal of achieving privacy interactions for DeFi on L1.

Aztec's approach to implementing privacy DeFi is quite clever. Due to the use of the UTXO model, which is not suitable for complex smart contract development, Aztec has not attempted to promote smart contracts on L2 but instead uses a "gateway" approach to aggregate transactions to L1.

The specific method is as follows: when a user wants to conduct a DeFi transaction, Aztec will package transactions of the same type and pass them to the Aztec Bridge Contract—a contract deployed on L1. This contract aggregates funds and calls the corresponding DeFi functions, finally returning the completed transaction funds proportionally to the accounts on L2[6].

This is somewhat similar to a vault strategy, packaging similar transaction behaviors to achieve privacy while also sharing gas fees.

For L1 DeFi projects, migration becomes very simple; there is no need to redeploy contracts, only to complete the interface with Aztec Connect. However, this also reduces the flexibility of project deployment; only if there are enough transactions of the same type can costs be diluted; otherwise, a single transaction may still be relatively expensive. Thus, this approach is likely only suitable for projects with single operations and capital-intensive activities in the short term.

Operational Status

Aztec's privacy design is based on the UTXO model, which is not suitable for complex smart contract development. Currently, its products are limited to zk.money, which is developed by the team itself, while integration with other projects is mainly achieved through the Aztec Connect gateway contract.

zk.money was first released in March last year and is currently in a transition between the old and new versions, with the new version yet to be launched.

The old version of zk.money can only achieve simple transfer payments, supporting three assets: ETH/DAI/renBTC. Users need to sign in through an ETH wallet each time they connect, after which they can deposit through "Shield" and then conduct internal transfers or withdraw to L1 accounts through "Send."

image

Source: https://old.zk.money/asset/ETH

Due to its simple functionality and relatively high fees, the usage rate of the old version of zk.money is low, with the current TVL only around ~5 million USD, peaking at only ~14 million USD.

image

Source: https://defillama.com/protocol/aztec

The new version of zk.money will launch Aztec Connect to achieve privacy DeFi, marking an important milestone for the Aztec project. It was originally scheduled to launch in early June, but is still addressing issues and does not have a clear launch date yet. According to the official blog in April this year, it should initially integrate Element.fi and Lido as the first privacy DeFi projects[7].

Overall, Aztec's design allows for easy integration with L1 DeFi, but does not give projects a way to deploy independently on it, making it difficult to establish an independent public chain ecosystem; it looks more like an integrated privacy option for L1 DeFi projects.

Team and Financing

Aztec's core team has strong technical capabilities: two of the three co-authors of its underlying proof system, PLONK, are part of Aztec.

CEO Zac Williamson holds a PhD in particle physics from the University of Oxford and is one of the inventors of PLONK. He has previously worked as a physicist at CERN (European Organization for Nuclear Research) and T2K (a particle physics experiment in Japan).

CPO Joe Andrews holds a bachelor's degree in materials science engineering from Imperial College London and previously served as CTO at the Silicon Valley food startup Radish.

Chief Scientist Ariel Gabizon holds a PhD in computer science from the Weizmann Institute in Israel and has previously worked as a researcher and engineer at Zcash, also being one of the inventors of PLONK.

So far, Aztec has disclosed a total financing amount of 19.1 million USD. In November 2018, it announced a seed round financing of 2.1 million USD led by Consensys; in December 2021, it announced a financing of 17 million USD led by Paradigm, with other investors including IOSG Ventures, Variant Fund, Nascent, imToken, Scalar Capital, DeFi Alliance, ZK Validator, and angel investors Anthony Sassano, Stani Kulechov, Bankless, DeFi Dad, Mariano Conti, and Vitalik Buterin. The previous investors a_capital, Ethereal Ventures, and Libertus Capital also continued to invest. Additionally, a seed round of financing was announced in September 2019, but the amount was not disclosed.

Advantages and Challenges

Chain Teahouse believes that Aztec's core advantage lies in its product, which has achieved a high level of security and can interact with DeFi projects, while most products in the current privacy sector can only support simple transfer functions, effectively filling a gap in the sector. However, this functionality has yet to be launched, and its performance post-launch needs to be observed.

However, the same two design choices also significantly limit the project.

On one hand, Aztec relies on integrated gateway contracts to operate on DeFi projects, reducing deployment difficulty while also lowering flexibility. In the short term, it is more suitable for projects with single operations and capital-intensive activities.

On the other hand, to achieve privacy, it must generate a privacy proof for each transaction. Although the dual-layer Rollup spreads the on-chain storage cost across batched transactions, Aztec's fees remain the highest among all L2s, presenting a higher barrier for users and making it more suitable for large holders.

Overall, Aztec's product functionality is simple and direct. If its performance is satisfactory, it is expected to secure a place in L2; however, based on its current standardized integration with DeFi, it seems more like a functional supplement for L1 DeFi projects, with a potentially limited ceiling.

Aztec's long-term goal extends beyond this, ultimately hoping to achieve privacy interactions for all smart contracts, which will likely require a completely new solution.
