Skip to main content

Documentation Index

Fetch the complete documentation index at: https://cove-cash.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

When you send a payment with Cove, your wallet address and the recipient’s wallet address are never connected on-chain. No observer — not a blockchain explorer, not a data aggregator, not anyone — can trace the withdrawal back to your deposit. This page explains how that works.

The shielded pool

Think of a Cove payment like dropping cash into a sealed envelope and sliding it through a mail slot. The person on the other side opens the envelope and takes the cash — but the transaction happens entirely inside the wall. Nobody outside sees who put the envelope in or who took it out. In Cove, that “wall” is the Cloak shielded pool. When you deposit SOL, USDC, or USDT, your funds go into the pool — not directly to the recipient’s wallet. Inside the pool, your deposit is recorded as a UTXO (an unspent output) with a cryptographic commitment posted on-chain. The commitment proves the funds exist without revealing anything about who deposited them or who will claim them.

ZK proofs: proving ownership without revealing the secret

The claim link you generate encodes a private spending key. When the recipient goes to claim, Cove generates a zero-knowledge proof that answers one question: “Does the person claiming this UTXO hold the correct spending key?” The answer is verified on-chain — but the spending key itself is never revealed. The Cloak relay then submits the withdrawal transaction on behalf of the recipient. This means the recipient can prove they are entitled to the funds without ever exposing the key that entitles them. The connection between your deposit transaction and the withdrawal transaction exists only inside the proof — and the proof reveals nothing about either party’s wallet address.

Nullifiers: preventing double-spending without linking transactions

Once a UTXO is spent, a nullifier is posted on-chain. The nullifier marks the UTXO as consumed so it cannot be claimed a second time. Crucially, the nullifier is derived from the spending key in a way that makes it impossible to work backwards — you cannot look at a nullifier and determine which deposit it corresponds to, or which wallet submitted it. This gives the protocol a guarantee against double-spending without creating any observable link between the deposit transaction and the withdrawal.

Why sender and recipient are unlinkable

Putting it together:
  • Your deposit goes into a shared pool, not to a named recipient.
  • The claim link is passed privately (for example, via DM) and contains no wallet addresses.
  • The withdrawal proof reveals ownership without revealing the key.
  • The nullifier prevents reuse without connecting deposit to withdrawal.
At no point does a wallet address appear on both sides of the transaction. Someone watching the blockchain sees a deposit into the Cloak pool and a separate withdrawal from the pool — with no cryptographic or data relationship between the two that they can exploit.
The privacy guarantees described here are provided by the Cloak protocol and its ZK proof system. Cove is built on top of Cloak for shielded pool management and proof generation. You can read more about the Cloak protocol at docs.cloak.ag.