Reference

Security Model

Trust boundaries, what stays private, what is public, and the guarantees ShadowLine does — and does not — make.

ShadowLine is a non-custodial interface over audited, open-source contracts. Understanding exactly what is private, what is public, and who you trust is the point of this page.

What stays private

  • Balances — stored on-chain as euint64 ciphertext. Not readable by validators, indexers, or explorers.
  • Transfer amounts — encrypted before submission; the transaction carries a ciphertext, not a number.

What is public

  • Addresses and the interaction graph — that your address interacted with a given wrapper, and when. FHE hides values, not the fact that a transaction happened.
  • The underlying ERC-20 movements at shield/unshield boundaries: the moment you wrap or unwrap, the public leg (the ERC-20 lock or release) is a normal, visible transfer.

Trust boundaries

PartyCan it see your balance?Can it move your funds?
ShadowLine frontendOnly after you sign a permit, in your sessionNo — every transfer is signed by your wallet
Zama Gateway / RelayerDecrypts only ciphertext your session key authorizesNo custody of funds
Public RPC / validatorsNo — only ciphertext handles are on-chainNo

Design guarantees

  • Non-custodial: no ShadowLine server holds keys or funds. Tokens are locked inside the open-source ERC-7984 wrapper contracts.
  • 1:1 collateralization: every confidential unit is backed by an underlying ERC-20 held in the wrapper.
  • Explicit decryption: balances are only revealed via an EIP-712 permit you sign — the app never auto-decrypts.
  • Private keys never leave your wallet: the frontend requests signatures; it never sees your key.
What ShadowLine does not claim:it is an interface, not a new protocol. Confidentiality guarantees come from Zama's fhEVM and the ERC-7984 contracts. Always verify contract addresses (see Contract Addresses) and never enter seed phrases or private keys into any website.