ERC‑8065: Zero Knowledge Token Wrapper

ZWToken - Make privacy a native feature of all tokens on Ethereum

NOTE: PoC is available at zk.walletaa.com

This ERC defines a standard for the Zero Knowledge Token Wrapper, a wrapper that adds privacy to tokens — including ERC-20, ERC-721, ERC-1155 and ERC-6909 — while preserving all of the tokens’ original properties, such as transferability, tradability, and composability. It specifies EIP-7503-style provable burn-and-remint flows, enabling users to break on-chain traceability and making privacy a native feature of all tokens on Ethereum.

Motivation

Most existing tokens lack native privacy due to regulatory, technical, and issuer-side neglect. Users seeking privacy must rely on dedicated privacy blockchains or privacy-focused dApps, which restrict token usability, reduce composability, limit supported token types, impose whitelists, and constrain privacy schemes.

This ERC takes a different approach by introducing a zero knowledge token wrapper that preserves the underlying token’s properties while adding privacy. Its primary goals are:

• Pluggable privacy: the wrapper preserves all properties of the underlying token while adding privacy.
• Permissionless privacy: any user can wrap any token into a Zero Knowledge Wrapper Token (ZWToken).
• Broad token support: compatible with both fungible tokens (e.g., ETH, ERC-20) and non-fungible tokens (e.g., ERC-721).
• EIP-7503-style privacy: supports provable burn-and-remint flows to achieve high-level privacy.
• Compatibility with multiple EIP-7503 schemes: supports different provable burn address generation methods and commitment schemes (e.g., Ethereum-native MPT state tree or contract-managed commitments).

Specification

The key words MUST, MUST NOT, SHOULD, SHOULD NOT, and MAY in this document are to be interpreted as described in RFC 2119 and RFC 8174.

Overview

A Zero Knowledge Wrapper Token (ZWToken) is a wrapper token that adds a commitment-based privacy layer to existing tokens, including ERC-20, ERC-721, and ERC-1155. This privacy layer allows private transfers without modifying the underlying token standard, while preserving full composability with existing Ethereum infrastructure.

The commitment mechanism underlying this privacy layer may be implemented using Merkle trees, cryptographic accumulators, or any other verifiable cryptographic structure.

A Zero Knowledge Wrapper Token (ZWToken) provides the following core functionalities:

The ZWToken recipient can be a provable burn address, from which the tokens can later be reminted.

• Deposit: Wraps an existing token and mints the corresponding amount of ZWToken to the specified recipient.
• Transfer: Transfers ZWToken to the specified recipient.
• Remint: Mints new ZWTokens to the specified recipient after verifying a zero-knowledge proof demonstrating ownership of previously burnt tokens, without revealing the link between them.
• Withdraw: Burns ZWTokens to redeem the equivalent amount of the underlying tokens to the specified recipient.

Privacy Features by Token Type

For fungible tokens (FTs), e.g., ERC-20:

• This ERC enables breaking the traceability of fund flows through the burn and remint processes.
• The use of provable burn addresses hides the true holder of fungible tokens until the holder performs a withdraw operation of ZWToken.

For non-fungible tokens (NFTs), e.g., ERC-721:

• This ERC cannot break the traceability of fund flows through burn and remint, since each NFT is unique and cannot participate in coin-mixing.
• However, the use of provable burn addresses can still conceal the true holder of the NFT until the holder performs a withdraw operation of ZWToken.

ZWToken-aware Workflow

In the ZWToken-aware workflow, both the user and the system explicitly recognize and interact with ZWToken. ZWToken inherits all functional properties of the underlying token.

flow11728×1736 145 KB

For example, if the underlying token is ERC-20, ZWToken can be traded on DEXs, used for swaps, liquidity provision, or standard transfers. Similar to how holding WETH provides additional benefits over holding ETH directly, users may prefer to hold ZWToken rather than the underlying token.

ZWToken-unaware Workflow

This ERC also supports a ZWToken-unaware workflow. In this mode, all transfers are internally handled through ZWToken, but users remain unaware of its existence.

flow21683×1308 112 KB

ZWToken functions transparently beneath the user interface, reducing the number of required contract interactions and improving overall user experience for those who prefer not to hold ZWToken directly.

Alternative Workflows

The two workflows described above represent only a subset of the interaction patterns supported by this ERC. Additional workflows are also possible, including:

• Reminting by the recipient:
  Alice may transfer (in the ZWToken-aware workflow) or depositTo (in the ZWToken-unaware workflow) ZWToken to Bob’s provable burn address instead of her own. In this case, the remint operation is initiated and proven by Bob rather than Alice.

• Recursive reminting:
  A reminted ZWToken may also be sent to another provable burn address controlled by Bob instead of his public address, allowing the privacy state to persist across multiple remint cycles.

The interface:

interface IERC8065 {
    // Optional
    event CommitmentUpdated(uint256 indexed id, bytes32 indexed commitment, address indexed to, uint256 amount);

    event Deposited(address indexed from, address indexed to, uint256 indexed id, uint256 amount);

    event Withdrawn(address indexed from, address indexed to, uint256 indexed id, uint256 amount);

    event Reminted(address indexed from, address indexed to, uint256 indexed id, uint256 amount, bool withdrawUnderlying);

    function depositTo(address to, uint256 id, uint256 amount) external payable;

    function withdraw(address to, uint256 id, uint256 amount) external;

    function remint(
        bytes calldata proof,
        bytes32 commitment,
        bytes32 nullifier,
        address to,
        uint256 id,
        uint256 amount,
        bool withdrawUnderlying,
        uint256 relayerFee
    ) external;

    function getLatestCommitment(uint256 id) external view returns (bytes32);

    function hasCommitment(uint256 id, bytes32 commitment) external view returns (bool);

    // Optional
    function getCommitLeafCount(uint256 id) external view returns (uint256);

    // Optional
    function getCommitLeaves(uint256 id, uint256 startIndex, uint256 length)
    external view returns (bytes32[] memory commitHashes, address[] memory recipients, uint256[] memory amounts);

    function getFeeConfig() external view returns (uint256 depositFee, uint256 remintFee, uint256 withdrawFee, uint256 feeDenominator);

    function getUnderlying() external view returns (address);
}

This means that we can transform any token (USDT, USDC, anything you want) to a private pool.
WITHOUT anyone’s permission!

Yeah, ERC-8065 is designed to work with all asset types — fungible (ETH, ERC-20), semi-fungible (ERC-1155, ERC-6909), and non-fungible (ERC-721).

For NFTs, you obviously can’t have a “privacy pool” since each token is unique, but ERC-8065 can still hide the real owner by decoupling ownership from the on-chain address.

Yes. It is permission-less.
For example, we can transform USDC into ZKUSDC, DAI into ZKDAI.
Even if some tokens (USDT) block the pool address, then another pool can be created. If more and more wallets support the pool, it will be less possibility to be blocked.

It looks like each underlying token currently needs its own Zero Knowledge Token Wrapper contract, which feels a bit limited in terms of scalability — you’d have to deploy a new contract and possibly handle different proof generation logic every time.

Would it make sense to leverage something like ERC-6909 so that a single contract can manage all possible ZWToken combinations instead?

Absolutely. I am not sure if this is the most optimized way, but absolutely love this. It gives more freedom to old tokens to become private. Yes.

We hope the Zero Knowledge Wrapper Token maintains the same characteristics as its underlying token to make integration easier for applications. For example, since USDC is an ERC-20 token, we’d prefer ZWUSDC to also follow ERC-20 rather than ERC-6909.

Hi, I’ve been developing my own implementation inspired by zk-wormhole, called zERC20. Both the implementation and the proof of concept are now complete.

In zERC20, I’ve built upon the zk-wormhole mechanism and added the following features:

• Batch withdrawals supported by Nova IVC
• On-chain Merkle tree optimization by offloading the Merkle tree computation to off-chain using Nova IVC for improved gas efficiency
• Anonymous cross-chain transfers

HackMD: zERC20: A Private Token Based on zk-Wormholes - HackMD
GitHub: GitHub - kbizikav/zERC20
Demo: https://zerc20-demo.vercel.app/

Yeah, great work. You’re welcome to build together! I think issuing our own zkERC20 would struggle to gain liquidity and users. Besides, major token issuers are unlikely to issue zkERC20s themselves due to regulatory and other constraints. That’s why a permissionless wrapper could be a practical path toward making privacy a native feature of all tokens on Ethereum .

Also, does this kind of ERC support any type of token? Are there specific tokens that require special handling or extra attention?

In theory, any token with a transfer function can be supported, so ERC-8065 does not work with non-transferable tokens such as Soulbound Tokens (SBTs). However, there are certain types of tokens that require extra care when implementing the wrapper:

1. Fee-on-Transfer Tokens
2. Rebasing Tokens

BTW, you can avoid the complexity of handling rebasing logic by wrapping the wrapper of a rebasing token instead.

Great work on ERC-8065! This is exactly the kind of permissionless privacy infrastructure Ethereum needs. I’ve been developing a similar concept for several months now, and I’d love to share insights and compare approaches.

I built zkETH on Starknet L2 - a privacy-preserving ETH wrapper that shares your core vision but takes a different technical path optimized for L2 economics and STARK proofs.

Demo & Code

• Live Demo (Testnet): I can’t publish links since my account is new, created it just to post here.
• GitHub: Private by now, will publish if asked.
• Deployed Contract (Sepolia): 0x079a77a7d82ecb78092deeae6ce971f2499e1cd95cd1121672851f7eccc50108

Philosophy Alignment

zkETH shares ERC-8065’s fundamental principle: making privacy a native feature of existing tokens without requiring issuer cooperation. Like you said, major token issuers won’t create private versions due to regulatory constraints, so permissionless wrappers are the practical path forward.

L2 Economics: Practical Privacy

One significant advantage of building on Starknet L2 is the dramatically reduced transaction costs compared to Ethereum L1. While I won’t claim specific numbers (as they fluctuate with gas prices), the cost difference is substantial enough to make privacy viable for everyday transactions, not just large transfers.

On Ethereum L1, complex ZK proof verification can be prohibitively expensive for average users. On Starknet, the same operations are economically feasible for much smaller amounts, making privacy truly accessible.

Key Architectural Differences

Both projects prove that privacy doesn’t require permission from token issuers, regulators, or centralized entities. By building permissionless wrappers, we’re democratizing financial privacy and making it a user choice rather than an institutional decision.

The future of DeFi privacy is multi-chain: different privacy layers optimized for different use cases, all interoperable and user-controlled.

Would love to connect and explore synergies between ERC-8065 and zkETH. Feel free to reach out or ask whatever you need.

Regards, Zyra

PoC txs (see on starknet blockexplorer, testnet)

Deposit Eth: 0x6ab8fb0c7a5acb9447d21e92c379495ecfa6d93af44cc950939fc8279bb3cbb
Shield Tokens: 0x184c94da5717a14f92b66e51aba6364b0136382eab97d2cbd8a98b5513ca18e
Transfer Private note: 0xfe1aa3d4091cc2a30a74919b2e0e953379a45cf94000df121a150a40a27724
Burn Private note:
0x20080dc0408c547fb4825d74bfcfedda4d40455cab12f07a184ecd63fbcdc13
Unshield: 0x77f0893392947db9432b5f39d7d850f4c4631d3b19dd2cd303b01575d8f19ea

Great work! You’re very welcome to build together. We can discuss whether the ERC-8065 interface could be made compatible with your work.

Thanks for your feedback!!! It really means A LOT for me. It’s been a lot of months doing R&D on my own… glad to see its alive finally! :')))))))))

I’ve created a new Telegram group for anyone who wants to discuss things more frequently.

Moreover, I wonder that whether the DEXes or aggregators will support this wrapped token. and why.

That’s actually one of the key benefits of a token wrapper — it’s not a new token that requires new liquidity. It enables seamless two-way conversion between the ZWToken and its underlying token at any time.

For DEXes or aggregators:

a. If the input is a ZWToken, they can simply call withdraw on the input to get the underlying token (just like converting WETH → ETH).

b. If the output is a ZWToken, they just need to deposit the underlying token to mint the corresponding ZWToken (just like converting ETH → WETH).

There’s also a really interesting use case: if you want to buy a token without revealing your address, you can ask the DEX or aggregator to send the output ZWToken directly to your provable burn address.

ZWToken formalizes privacy at the token layer, solving a key missing component in Ethereum: unlinkability without losing composability. There is also an unexplored complementary axis: irreversible, non-remintable burn mechanics with deterministic supply constraints and economic tension, where privacy could operate on top without reintroducing remint of the same supply. Both directions are orthogonal and composable, and together point toward a new category of non-traceable but supply-bounded token primitives