TONado Cash
GitHub Launch app

v1.0 · live on TON mainnet

Privacy, recompiled
for The Open Network.

Tornado Cash, ported to TON.

A non-custodial, fixed-denomination privacy pool for native TON. Deposit. Disappear. Withdraw to anywhere with a zero-knowledge proof - no custodian, no bridge, no compromise.

Launch app See how it works
TVL locked
0 TON
Anonymity set
0 deposits
Withdrawals
0 to date
Active pools
- denominations
Groth16 / BLS12-381 Poseidon hash 20-level Merkle tree · 1,048,576 leaves Non-custodial Open source - MIT Pre-audit · ceremony pending Native TVM pairing Groth16 / BLS12-381 Poseidon hash 20-level Merkle tree · 1,048,576 leaves Non-custodial Open source - MIT
§ 01 · Mechanism

Three moves. Zero linkage.

The whole protocol fits on a napkin. Generate a note off-chain. Deposit a fixed amount into a public pool. Later, prove you know a secret that hashes to one of the deposits - without revealing which one. The chain enforces this with a 6-input Groth16 verifier over BLS12-381.

  1. 01

    Generate a note

    Your client samples a 31-byte nullifier and 31-byte secret. Both stay on your device. The public commitment = Poseidon(nullifier, secret) is the only thing the chain sees. 

    tonado-ton-10-mainnet-a13c…f80b
  2. 02

    Deposit a fixed amount

    Send the pool's denomination (loading…) plus a small gas allowance. The pool appends your commitment as a leaf in a 20-level Merkle tree, then emits log_deposit. Wait. Every subsequent depositor grows your anonymity set.

  3. 03

    Withdraw to anywhere

    Pick any recipient. Your client builds a Merkle inclusion path locally, generates a Groth16 proof that Poseidon(nullifier) hashes to a tree leaf somewhere, and submits via a relayer. The pool verifies the proof on-chain, marks the nullifier spent, and sends funds to the recipient.

§ 02 · Cryptography

Built on primitives TON speaks natively.

BN254 is fast on EVM and dead on TVM. We recompiled the entire Tornado circuit family over BLS12-381 - the curve TON already has hardware-class opcodes for - and swapped MiMC for Poseidon. What survives is the structure; what changes is everything that touches the field.

curve

BLS12-381

TVM ships native opcodes for the pairing, scalar mul, and group operations. The verifier reduces to a handful of opcodes - gas-bounded, predictable, no software pairing.

field bits
381
opcodes
BLS_*
scalar mod
0x73ed…0001
hash

Poseidon

A ZK-friendly sponge designed for arbitrary prime fields. Replaces MiMC because MiMC's round constants in circomlib are welded to BN254. Same Poseidon runs in the circuit, in the prover, and on-chain in Tolk - verified bit-exact by CI.

rate
2
full rounds
8
partial
57
proof

Groth16

Three group elements per proof. Six public inputs: root, nullifierHash, recipient, relayer, fee, refund. The smallest verifier that ships fits the Tolk gas envelope.

proof size
192 B
public
6 fields
verify
≈ 0.015 TON
tree

Incremental Merkle

20-level Poseidon Merkle tree, 1,048,576 leaves. Roots are cached on-chain for 30 generations so withdrawals can prove against a slightly stale view without coordination. Leaves accrete; the tree never resets.

depth
20
capacity
2²⁰
root cache
30
language

Tolk on TVM

The pool, verifier, and tree mirror live in Acton-built Tolk. Auto-formatted, statically analysed, no hand-tweaked verifier - every byte of verifier.tolk regenerates from the final zkey.

contract
pool_native.tolk
verifier
auto-gen
tests
109 passing
note

The note format

tonado-<asset>-<amount>-<net>-<62-hex>

31 bytes nullifier ‖ 31 bytes secret. The chain never sees either - only their Poseidon hash. Lose the note, lose the deposit. Treat it as cash.

§ 03 · Pools

Four denominations. One anonymity set per size.

Variable amounts trivially de-anonymise. Fixed sizes mean every deposit in a pool is bit-identical from the chain's perspective. More deposits per pool = stronger privacy.

Loading live pool data…

§ 04 · Lineage

Same shape. Different machine.

TONado Cash preserves the circuit semantics that made the original Tornado Cash a cryptographic landmark. Everything around the circuit is rebuilt for TVM.

EVM Tornado TONado Cash
CurveBN254BLS12-381
HashMiMC spongePoseidon
Proving systemGroth16Groth16 · recompiled
Contract languageSolidityTolk (Acton)
PairingEVM precompileTVM native opcode
Verifier sourceHand-edited exportAuto-generated from zkey
Eventseventop::log_* ext-out
Token modelERC-20Native TON + TEP-74 Jettons
§ 05 · Trust model

Pre-audit. Pre-ceremony. Open.

A privacy protocol is only as strong as its weakest cryptographic assumption. We don't ask you to trust us - we publish everything and let independent parties anchor it.

01

External audit

Dual-firm review planned: Tolk + ZK competence required. Every Critical/High to be remediated; mediums either resolved or documented as accepted risk. Re-audit on changed surface.

Incomplete
02

Trusted-setup ceremony

Multi-party powers-of-tau + per-circuit Phase 2. ≥3 geographically distributed contributors. Any one honest participant preserves soundness. Beacon will be anchored to a public Bitcoin block hash.

Pending
03

Cryptographer review

Independent sign-off on Poseidon-over-BLS12-381 round constants and Merkle path bit-ordering - the two places where field-swapping Tornado's original design could silently weaken security.

Pending
04

Bug bounty

Critical $50k–$250k. High $10k–$50k. Med $1k–$10k. Funded in a dedicated reserve wallet. Planned for Immunefi before mainnet.

Not live
§ 06 · Token

$TONADO ties revenue, governance, and the anonymity set together.

Privacy pools have a free-rider problem: every depositor benefits from a larger anonymity set, but no one is paid to grow it. $TONADO is a TEP-74 jetton that captures protocol revenue, governs the protocol, bonds relayers, and pays out anonymity-mining rewards. 100,000,000 fixed supply, minting disabled after genesis. Full parameters in the tokenomics doc.

flywheel

Fee → buyback → burn + yield

Every deposit pays a 0.5% protocol fee (denomination-uniform, so the fee creates no per-user fingerprint) into the TreasuryRouter. Governance whitelists STON.fi v2 swap recipes; anyone can call TriggerSwap and Distribute. The bought TONADO splits 50/50: half is burned (TEP-74 burn op decrements totalSupply), half flows to veTONADO stakers as real yield.

fee
0.5% default
cap
MAX_FEE_BPS = 200
split
50/50
staking

veTONADO

Lock TONADO for 1 day to 4 years; voting power is amount × lockDuration / maxLockSeconds. Lockers accrue TONADO rewards from the buyback distribute leg via a MasterChef-style accumulator. Lock, IncreaseAmount, ExtendLock, ClaimRewards, Withdraw at lockEnd.

min lock
1 day
max lock
4 years
decay
constant vp
mining

Anonymity mining

A 30% supply allocation funds the AmDistributor contracts (one per denomination). Anyone with a commitment in a pool's Merkle tree can claim a TONADO reward via a separate Groth16 circuit. The AM nullifier is domain-separated (Poseidon(2)(nullifier, AM_DOMAIN_TAG)) from the withdraw nullifier (Poseidon(1)(nullifier)), so claiming does not consume the right to later withdraw the same deposit.

reserve
30M TONADO
circuit
amClaim.circom
rate cap
MAX_AM_RATE_BPS = 500
governance

On-chain Governance

Propose → Vote → Queue → Execute, behind a timelock. Voting is asynchronous: the Governance contract queries veTONADO for the voter's current voting power and credits the tally on reply. Governance owns the pool revenue config, TreasuryRouter swap recipes, RelayerRegistry bond params, and AM rate / root whitelist. Bootstrap multisig renounces to the contract once stable.

quorum
governance-set
timelock
governance-set
owner
multisig → self
relayers

Relayer bonding

The RelayerRegistry requires relayers to lock TONADO to be listed in the dApp's relayer dropdown. Creates baseline demand from anyone who wants to relay, independent of speculation, and gives governance a slashing target if a registered relayer misbehaves.

bond
governance-set
slashable
yes
discovery
dApp dropdown
distribution

100M supply at genesis

30% anonymity-mining reserve · 20% protocol treasury · 20% team (1-year cliff + 3-year linear) · 15% community airdrop · 10% LP-reserve for future STON.fi v3 CL migration · 5% LP bootstrap on STON.fi v2 (2-year lock). All vesting is on-chain in dedicated vault contracts; admin mint is disabled at genesis via the AdminDisableMint op.

Full parameter table · AM design · Governance · TreasuryRouter

§ 07 · Questions

Things people actually ask.

What is a deposit note and how do I keep it safe?

The note is a 62-hex-character string of the form tonado-ton-10-mainnet-… It encodes the only data required to withdraw your deposit: a nullifier and a secret. Treat it like a physical bearer instrument - store it offline (a password manager, an encrypted file, a printout in a safe). If you lose it, the deposit is unrecoverable. If someone else gets it, they withdraw your funds.

Can the relayer steal my funds or send them somewhere else?

No. The recipient address is bound into the zero-knowledge proof as a public input. The on-chain verifier rejects any proof whose public inputs don't match the message body. The relayer can only choose to broadcast - or not - your already-built withdrawal. It cannot rewrite the destination or alter the fee.

How is this different from a CEX or a custodial mixer?

No custodian holds your funds. They sit in an open-source smart contract whose only state transitions are "deposit (open to anyone)" and "withdraw against a valid zero-knowledge proof." There is no API key, no KYC, no admin who can freeze or seize. The protocol owner role was either burned at launch or rotated to a multi-sig - see threat-model.

How long should I wait between deposit and withdrawal?

As long as you can afford to. The protocol's anonymity set is the count of deposits that landed between yours and your withdrawal. The longer the window, the larger the set, the harder a chain-analysis observer's job. Same-block deposit-and-withdraw is essentially zero-privacy.

Can I self-relay?

Yes. If the recipient wallet has gas, you can submit the withdraw message directly. The relayer is a convenience for the common case where the recipient wallet has never received funds before - pre-funding it would de-anonymise the deposit.

What about Jettons?

Supported. pool_jetton.tolk handles TEP-74 transfer_notification messages with a per-pool jetton-wallet binding (set via a one-shot AdminBindJettonWallet op at deploy) so the pool rejects any sender that isn't its own canonical wallet - the standard defense against counterfeit-jetton attacks. Withdraws fan out as TEP-74 transfers through that same wallet, and the depositor's withdraw proof can request a small TON refund so the recipient's fresh jetton wallet has gas. Live per-jetton denominations are listed under Pools; if none appear, the operator hasn't deployed a jetton pool on this network yet.

What's the legal posture?

TONado Cash is open-source research software published under the MIT licence. Privacy-preserving mixers are regulated differently across jurisdictions; the original Tornado Cash contracts on Ethereum were sanctioned by OFAC in 2022. You are responsible for compliance in your own jurisdiction. Operators of front-ends and relayers carry additional regulatory exposure and should obtain qualified legal advice.

Ready when you are

Deposit in three clicks.
Withdraw on your own time.

Launch app View source