Zero-Knowledge Privacy Rails on Solana.
Technical specification & protocol vision.
In simple terms: $NORTH lets you send and receive value on Solana
without anyone seeing the amounts.
In 2026, every transaction on Solana is a public data point. Payrolls, treasury movements, corporate strategies, personal transfers — all exposed, all traceable, all exploitable. Solana won the speed war, but absolute transparency has become a strategic liability.
$NORTH Protocol operates in what we call the Grey Space — the necessary middle ground between total transparency and total anonymity. We are not building a tool for hiding. We are building infrastructure for institutional-grade privacy that coexists with regulatory compliance.
The Grey Space is where the real world operates. Banks don't broadcast wire transfers. Hospitals don't publish patient payments. Yet today, any entity operating on Solana exposes every financial interaction to competitors, adversaries, and front-running bots. $NORTH closes this gap.
Our core thesis: Privacy is not the opposite of compliance — it is a prerequisite for it. Institutions cannot adopt blockchain at scale without the ability to protect sensitive financial data while still satisfying auditors and regulators.
Sentinel is the core Solana program deployed on devnet at address C2WJzwp5XysqRm5PQuM6ZTAeYxxhRyUWf3UJnZjVqMV5. It contains 16 on-chain instructions, 7 account types, and 19 custom error codes. Built with Anchor framework 0.31.1.
The architecture consists of three interlocking layers:
Layer 01 — Silent Rails (CORE): The compliance layer. Each Rail is a PDA owned by an authority who must hold $NORTH tokens. Rails can be paused for investigation, sealed with an immutable audit hash, or permanently deactivated with a reason code. This gives institutions the kill-switch and audit trail they require. 5 CORE instructions.
Layer 02 — ZK Handshakes & Vaults (CORE): The privacy layer. Handshakes establish a zero-knowledge link between two parties using a cryptographic commitment and nullifier. The nullifier registry prevents replay and double-use. Each rail has an ElGamal-encrypted vault with per-asset VaultAssetState isolation and strict PDA authority constraints. 4 CORE instructions.
Layer 03 — Confidential Transfers (ZK): The value layer. SOL and SPL tokens can be deposited into vaults, transferred between vaults confidentially, and withdrawn with zero-knowledge proofs. Amounts are encrypted and transfer flows are protected by nonce uniqueness controls, so integrity is preserved across multi-asset movement. 7 ZK instructions (deposit, deposit_token, withdraw, withdraw_token, confidential_transfer, confidential_transfer_token, get_balance).
| INSTRUCTION | LAYER | TYPE | DESCRIPTION |
|---|---|---|---|
| initialize_rail | Rails | CORE | Create a new privacy rail (requires $NORTH) |
| pause_rail | Rails | CORE | Pause all operations on a rail |
| unpause_rail | Rails | CORE | Resume operations |
| seal_rail | Rails | CORE | Immutable audit seal (32-byte hash) |
| deactivate_rail | Rails | CORE | Permanent shutdown with reason code |
| create_handshake | ZK Layer | CORE | Establish ZK link (commitment + nullifier) |
| revoke_handshake | ZK Layer | CORE | Revoke an active handshake |
| initialize_zk_vault | ZK Layer | CORE | Create ElGamal encrypted vault |
| prepare_receive_sol | ZK Layer | CORE | Prepare vault to receive confidential transfers |
| deposit | Transfers | ZK | Deposit SOL into vault pool |
| deposit_token | Transfers | ZK | Deposit SPL token into vault |
| withdraw | Transfers | ZK | Withdraw SOL with ZK proof |
| withdraw_token | Transfers | ZK | Withdraw SPL token with proof |
| confidential_transfer | Transfers | ZK | Private SOL transfer between vaults |
| confidential_transfer_token | Transfers | ZK | Private SPL transfer between vaults |
| get_balance | Transfers | ZK | Query encrypted vault balance |
Total: 16 instructions — 9 CORE instructions for infrastructure and compliance, 7 ZK instructions for privacy-preserving value transfers.
A complete privacy cycle in Sentinel follows five sequential phases. Each phase is a real Solana transaction, verifiable on-chain.
Privacy model: The current implementation uses encrypted amount fields (64-byte ElGamal ciphertexts) and 128-byte proof slots. The on-chain program validates proof length and structural integrity. Phase 3 of the roadmap will integrate Groth16 circuits for full zero-knowledge proof verification, making amounts mathematically invisible rather than just encrypted.
Nullifier model: Each handshake consumes a unique nullifier. The NullifierRegistry marks it as spent with a timestamp. Attempting to reuse a nullifier triggers NullifierAlreadyUsed — the same double-spend prevention model proven by Zcash and Tornado Cash.
$NORTH is not a utility afterthought — it is the access key to the entire privacy infrastructure. The Sentinel program enforces on-chain that only wallets holding $NORTH tokens can initialize privacy rails. No tokens, no authority.
Allocation: 15% architect allocation vested over 6-18 months. 80% of liquidity locked for 2 years. No pre-sale, no VC allocation. The token is designed for organic community growth with built-in deflationary pressure.
The full execution timeline with phase details and live status is available on the main site. Every milestone is backed by deployed code, not promises.
Sentinel is designed from the ground up with security and compliance as first-class concerns — not afterthoughts bolted on after deployment.
Authority verification: Every sensitive instruction verifies the caller is the rail authority via Anchor's has_one = authority constraint. Unauthorized calls return Unauthorized (Error 6001).
Token gating: Rail initialization requires the authority to hold $NORTH tokens, verified on-chain against the token account balance. This prevents spam and ensures only stakeholders operate rails.
State validation: 19 custom error codes enforce invariants — inactive rails reject operations, spent nullifiers cannot be reused, transfer nonces cannot be replayed, and withdrawn deposits cannot be double-claimed. Every edge case has an explicit error.
PDA determinism: All accounts use Program Derived Addresses with deterministic seeds and authority-linked constraints. No off-chain state is required. Account addresses can be independently derived and verified by any client.
Compliance architecture: Unlike other privacy protocols, Sentinel includes native compliance controls. Rails can be paused mid-investigation, sealed with an immutable audit hash for regulatory reporting, or permanently deactivated with a documented reason code. This makes Sentinel the first privacy protocol designed for institutional adoption.
Note: This litepaper reflects the current deployed architecture and its security direction. Groth16 expansion remains an active roadmap track; deployed controls already enforce deterministic authority, replay resistance, and auditable operational safeguards. $NORTH tokens are not securities and carry no guarantee of value. Always do your own research.
Every line of code is open source. Verify it yourself.
VIEW SOURCE CODE