FAQ & glossary
Common questions about Hestia, plus a glossary of the protocol's vocabulary.
Frequently asked
Is Hestia a mixer?
No. A mixer maximizes anonymity indiscriminately. Hestia uses the Privacy Pools model: every spend proves its funds descend from an approved deposit, so honest users aren't pooled with provably illicit ones — and no operator holds a key to deanonymize anyone. Privacy and compliance are the same act here.
Can Hestia (or its operators) see my balance or spend my funds?
No. Your balance is reconstructed on your device by decrypting notes with your viewing key;
no server can read them. Spending requires your secret spending key sk, which never leaves the
device and is never part of any disclosure.
What's public when I transact?
A deposit reveals its gross amount (it leaves a public account); a withdrawal reveals its amount and destination. A private send reveals neither — only new commitments and unreadable ciphertexts. None of these can be linked to the rest of your shielded activity. See security.
Which assets and chains are supported?
Native USDC and native ETH, on Base (8453) and Base Sepolia (84532). ETH is
represented inside the pool by the zero token address.
Do I need an account or to store a key?
No. Your identity is derived deterministically from one wallet signature over
hestia.io/keys/v1. The same wallet always reproduces the same identity — nothing to register,
nothing to back up. See keys & identity.
Why did my send fail with InsufficientPrivateBalance?
The high-level operations spend one note per transaction (the single-lineage rule). If your balance is split across notes that are each individually too small, no single note covers the amount even though the total is enough. Consolidate first — e.g. a larger shield, or receive into one note. See operations.
Why is the first proof slow?
The browser must fetch the circuit wasm and zkey artifacts (a few MB + tens of MB) before it
can prove. They cache after the first use. Proving is also CPU-bound — it's a real Groth16 proof
generated locally, not on a server.
Can I run Hestia without the hosted backend?
Yes. The indexer and relayer are the open-source @hestia/route package; you can
self-host them, or run the SDK directly against an RPC with no route
service at all.
Is it ready for mainnet?
Not yet. The proving keys come from a development trusted setup and the contracts are unaudited. Both must be addressed before real value — see circuits and security.
How is an auditor given access?
You export your viewing key and hand it to them. It reveals your full receiving history — and only yours — read-only. It cannot spend or reveal anyone else. See viewing keys.
Glossary
| Term | Meaning |
|---|---|
| Note | The private unit of value: { value, token, owner, label, randomness }. |
| Commitment | poseidon([...note]) — a hiding, binding hash stored as a tree leaf. |
| Nullifier | poseidon([commitment, leafIndex, sk]) — published to spend a note exactly once. |
| Label | A note's lineage tag, tying it to its origin deposit; preserved across spends. |
| Shield | Deposit a public balance into the pool. |
| Send | Transfer privately to another agent's meta-address. |
| Unshield | Withdraw from the pool to a public address. |
| Join-split | A spend that consumes input note(s) and creates output notes (e.g. 1×2, 2×2). |
| Commitment tree | The depth-32 incremental Poseidon Merkle tree of all commitments. |
| Root history | The last 64 tree roots the contract will accept a proof against. |
| Association set | A Merkle set of approved deposit labels (Privacy Pools). |
| Association root | The root of an association set, published on-chain by an ASP. |
| ASP | Association Set Provider — curates and publishes the approved set. |
Spending key (sk/SK) | Secret scalar / its public poseidon([sk]); authorizes and owns spends. |
Viewing key (vk/VK) | X25519 secret / public; decrypts incoming notes; the unit of disclosure. |
| Meta-address | The hestia1… Bech32m string encoding SK + VK + chain; share to receive. |
| Relayer | Submits a proof and pays gas so a withdrawal address has no funding history. |
| Indexer | Rebuilds tree, nullifiers, and ASP roots from chain events. |
| Groth16 | The zk-SNARK proving system Hestia uses over BN254. |
| Poseidon | The snark-friendly hash used for commitments, nullifiers, and the tree. |