
Compliance Framework

An overview of Umbra's three-tiered system for balancing on-chain privacy with protocol integrity and regulatory compliance.

Umbra is engineered on the principle of "programmable privacy," providing robust confidentiality for users while integrating powerful safeguards to prevent illicit use. This is achieved through a multi-layered compliance framework designed to protect the integrity of the protocol and its users.

This defense-in-depth strategy operates at three distinct levels: proactive screening at the protocol level, voluntary disclosure at the user level, and a decentralized failsafe at the network level.
Tier 1: Protocol-Level Screening 🔒

This tier acts as a mandatory, non-bypassable frontline defense, designed to prevent illicit funds from entering the Umbra privacy pool from the start.

  • Mechanism: Screening is enforced directly at the smart contract (program) level through an integration with a Switchboard oracle.
  • Screening Data: The oracle queries a comprehensive, real-time risk feed from our intelligence partner, Range. This feed includes the OFAC sanctions list as well as numerous other global blacklists and risk heuristics associated with illicit activities.
  • Enforcement: If the oracle returns a flag for an address initiating a deposit, the smart contract is hardcoded to revert the transaction. Because this check is part of the core on-chain program logic, it cannot be bypassed in any form, including by direct contract interaction or use of alternative interfaces.

Tier 2: User-Controlled Disclosure 🔑

This tier provides users with a powerful set of tools for voluntary, fine-grained disclosure of their transaction history, empowering them to meet compliance needs without compromising their overall privacy.

  • Key Hierarchy: The system features a dual key structure. A primary Master Viewing Key (MVK) is associated with the user's main Solana address, providing a comprehensive view of all their activity. Additionally, each derived Umbra address possesses its own distinct Master Viewing Key, allowing for disclosure of only the activity related to that specific address.
  • Granular Access: The protocol's cryptographic design allows users to derive more constrained viewing keys from any MVK. This makes it possible to generate time-scoped keys (e.g., for a specific fiscal year) for auditing purposes, or even single-transaction keys for maximum privacy preservation during disclosure.
  • Function: This architecture empowers users to meet personal or regulatory compliance obligations (such as tax reporting) by revealing only the necessary information to trusted third parties, without exposing their entire, unrelated transaction history.
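An added illustration of the key hierarchy described above (constructed example, not Umbra's code and not its actual derivation scheme; the derivation labels, the HMAC-SHA256 child derivation and the toy XOR record cipher are all assumptions). It shows why a time-scoped key opens only one year of one address, and a single-transaction key only one record:

```python
import hashlib
import hmac

# Constructed illustration of a viewing-key hierarchy. Labels, the HMAC-SHA256
# derivation and the toy XOR cipher are assumptions, not Umbra's documented scheme.

def derive(parent: bytes, label: str) -> bytes:
    """One-way child derivation: holding a child key reveals nothing about its parent."""
    return hmac.new(parent, label.encode(), hashlib.sha256).digest()

def address_mvk(primary_mvk: bytes, index: int) -> bytes:
    """Per-address Master Viewing Key for the index-th derived Umbra address."""
    return derive(primary_mvk, f"umbra-address/{index}")

def period_key(mvk: bytes, year: int) -> bytes:
    """Time-scoped key covering one fiscal year of a single address."""
    return derive(mvk, f"period/{year}")

def tx_key(pkey: bytes, tx_id: str) -> bytes:
    """Single-transaction key, the narrowest disclosure unit."""
    return derive(pkey, f"tx/{tx_id}")

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode, unauthenticated); a real system
    # would use an AEAD. Each derived key is used for exactly one record.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_record(mvk: bytes, year: int, tx_id: str, plaintext: bytes) -> dict:
    """Encrypt one transaction record under its per-transaction key."""
    ct = _xor_stream(tx_key(period_key(mvk, year), tx_id), plaintext)
    return {"year": year, "tx_id": tx_id, "ct": ct}

def disclose_period(records: list, pkey: bytes, year: int) -> dict:
    """Open only the records of `year`; a period key cannot derive other years."""
    return {r["tx_id"]: _xor_stream(tx_key(pkey, r["tx_id"]), r["ct"])
            for r in records if r["year"] == year}

def disclose_single(record: dict, single_key: bytes) -> bytes:
    """Open exactly one record with a single-transaction key."""
    return _xor_stream(single_key, record["ct"])
```

Because derivation is one-way, an auditor holding the 2024 period key for one address can neither reach the address MVK nor the primary MVK, and a key for a different address or year decrypts nothing meaningful.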

Tier 3: Network-Level Override Failsafe 🛡️

This tier is a decentralized failsafe mechanism for exceptional circumstances, governed by the community and designed to provide a transparent path for accountability.

  • Prerequisite: Use of the protocol requires the mandatory on-chain registration of encrypted MVKs. The primary Solana MVK must be registered before depositing, and each individual Umbra MVK must be registered before that address can be used. This ensures all active parts of the system are accountable to the failsafe.
  • Mechanism Operator: A decentralized Multi-Party Computation (MPC) network serves as the operator of this failsafe. The MVKs are encrypted in a way that allows the MPC network to collectively perform a re-encryption of a target key. This requires a quorum of nodes, ensuring no single entity can act alone or unilaterally access a key.
  • Governance Triggers: The MPC network's power is strictly controlled by an on-chain governance process with two distinct modes:
    1. Targeted Inquiry: This path is designed for formal requests from a recognized authority (e.g., law enforcement). It requires all supporting legal documentation to be stored immutably on-chain for verification. Reflecting the legal necessity of such requests, the threshold for the corresponding DAO vote is significantly lower than a standard community action.
    2. Community-Backed Action: In the event the community decides to decrypt a user's transactions, a standard 51% majority DAO vote is required. This authorizes the MPC network to enable decryption of all transactions associated with the target address.

Next Steps

To understand the technologies that underpin this framework, explore the following documentation: