# Cloaked

> Cloaked brings privacy back to onchain activity.

## Cloaked

### Overview

Using crypto privately requires time and expertise most users don't have. Cloaked makes standard privacy best practices accessible through a familiar, easy-to-use app, so everyday onchain activity doesn't expose more information than it needs to. This is achieved through stealth addresses by default and provably private balances via compliant Privacy Pools.

As a non-custodial stealth address orchestration service, Cloaked handles the technical complexity of address derivation, indexing, and transaction construction while you maintain full control of your funds.


## How It Works

Cloaked supports stealth addresses by separating **coordination** from **control**.

The system is designed so a server can handle the heavy operational work required for stealth addresses (such as address derivation, scanning, balance tracking, and transaction construction) without ever gaining the ability to move funds.

This is achieved using a capability-based key derivation model.

### Key Derivation Model

When you register, your wallet signs a Cloaked-specific message that is bound to your device and protected by your PIN. On the client, this signature is deterministically transformed into two **scoped cryptographic capabilities**:

* **Viewing capability**\
  Shared with the service. Allows detection of which stealth addresses belong to you, enables balance tracking, and allows the service to derive new stealth addresses.

* **Spending capability**\
  Retained entirely by the client. Required to authorize and sign transactions from stealth addresses.

These capabilities are not wallet private keys. They are derived, scoped, and re-derivable from your wallet, and only your wallet can authorize spending. The spending capability never leaves your device.

This separation allows the service to coordinate stealth addresses on your behalf without custody or signing authority.

### Receiving Funds

When someone sends you funds, they use your [ENS](https://ens.domains/) name.

Behind the scenes, the service:

* Derives a unique stealth address for each payment
* Monitors the blockchain for funds sent to that address
* Aggregates balances across all stealth addresses associated with you

Each payment lands at a distinct onchain address. Observers cannot easily link payments together or associate them with your identity or ENS name.

Senders never see your other stealth addresses, past or future.

<details>
  <summary><h3>Advanced</h3></summary>

  ##### Stealth Address Derivation

  Stealth addresses are derived using elliptic-curve Diffie–Hellman (ECDH), following the principles described in [ERC-5564](https://eips.ethereum.org/EIPS/eip-5564) and related implementations (e.g. Umbra).

  Address creation requires only public data derived from your spending and viewing keys. No private keys are shared with senders.

  In Cloaked’s architecture, address derivation and scanning are handled off-device for performance and UX, while spending authority remains entirely client-side.
</details>

### Sending Funds

Stealth addresses fragment your balance across many independent addresses. Sending funds requires safely recombining those balances.

At a high level, the service:

* Selects funds from one or more stealth addresses
* Constructs a transaction covering the send amount and fees
* Routes any change to a newly derived stealth address to avoid reuse

Your self-custody wallet authorizes and signs all transactions.

<details>
  <summary><h3>Advanced</h3></summary>

  Cloaked uses [EIP-7702](https://eips.ethereum.org/EIPS/eip-7702) to upgrade stealth EOAs into [Porto](https://porto.sh/) smart accounts, imbuing Cloaked stealth addresses with the flexibility of smart accounts such as in-kind gas sponsorship and support for operations like swaps and bridging. This makes it practical to combine funds from many stealth addresses into a single send while preserving privacy and avoiding address reuse. All execution is explicitly authorized by the user’s wallet, while the service handles transaction coordination without requiring the user to deploy or manage smart contracts.
</details>


## Frequently Asked Questions

### What is a stealth address?

An Ethereum address that only the recipient can recognize and control, generated using the recipient's public keys. Each payment uses a unique stealth address, making it difficult for onchain observers to link multiple payments to the same recipient. [Learn more](https://eips.ethereum.org/EIPS/eip-5564).

### What is ENS?

A decentralized naming system that maps human-readable names (like `username.eth`) to Ethereum addresses and other resources. Cloaked uses ENS as a public entry point for generating stealth addresses. [Learn more](https://ens.domains/).

### What is the PIN?

A 4-digit PIN you create during registration. It is used locally to derive your stealth address capabilities and to authorize sensitive actions like sending funds.

The PIN is combined with your wallet address to construct a Cloaked-specific message that your wallet signs. That signature is then used to derive your viewing and spending capabilities. You will be prompted for your PIN whenever an action requires authorization.

The PIN never leaves your device and is never stored by Cloaked.

The primary purpose of the PIN is to interrupt mindless signing by requiring an explicit confirmation step for sensitive actions. Being prompted to enter your PIN is a signal that you are authorizing a sensitive Cloaked action. This makes accidental or blind signing much less likely and helps protect against phishing attempts that rely on tricking users into signing messages without understanding why.

**Important**: Cloaked does not store your PIN. Make sure to store your PIN securely.

### Does Cloaked custody my funds?

No. Cloaked never custodies your funds or private keys. Your funds remain fully under your control and are held onchain at addresses derived from your wallet. Only you can authorize and sign transactions. Cloaked provides coordination services (address derivation, balance tracking, and transaction construction) but cannot move funds independently.

### What happens if Cloaked goes offline?

Your funds remain safe and accessible onchain. Since Cloaked does not custody funds, your stealth addresses and their balances are unaffected by service downtime. However, while offline, you won't be able to:

* View your aggregated balance through Cloaked
* Generate new stealth addresses through Cloaked's service
* Construct and send transactions through Cloaked

Cloaked offers users a way to circumvent our service by using the open-source [Cloaked SDK](https://github.com/cloakedxyz/clkd-stealth). From this SDK, users can rederive spending capabilities and stealth addresses.

Cloaked is designed to pass the “walkaway test”: the system should continue to work even if the service becomes unavailable or the original developers disappear. This reflects a commitment to decentralization and user financial sovereignty.

> “We’re building decentralized applications. Applications that run without fraud, censorship or third-party interference. Applications that pass the walkaway test: they keep running even if the original developers disappear.” - [Vitalik](https://x.com/VitalikButerin/status/2006737662942871574)

Please note that transactions sent from stealth addresses outside of the Cloaked system may cause degraded behavior in Cloaked clients.


## Fees

Cloaked calculates transaction fees that include onchain gas costs. Fees are automatically calculated and displayed before you confirm any transaction, so you always know what you'll pay upfront.

### How Fees Work

Fees include the cost of executing intent transactions on the blockchain. Cloaked uses [Porto](https://porto.sh/) smart accounts, which require gas to execute actions.

Fees can be paid in-kind. For example, if you're sending an ERC20 token and your account doesn't have ETH, the token itself can be used to pay the transaction fee. This makes it easier to send tokens without needing to maintain a separate ETH balance for gas.

### Transaction Complexity

When you send funds, Cloaked may need to combine balances from multiple stealth addresses. Transactions that require combining funds from more addresses will have higher fees due to the additional onchain operations needed. Cloaked automatically optimizes the selection of addresses to minimize fees while ensuring you have sufficient funds to cover both the send amount and fees.

Any leftover funds after covering the send amount and fees are automatically routed to a new stealth address. This happens automatically to preserve your privacy by avoiding address reuse.

### Fee Estimation

Fees are estimated using [Porto's simulator contract](https://github.com/ithacaxyz/account/blob/main/src/Simulator.sol), which simulates the actual transaction execution to provide accurate gas estimates. These estimates are based on current network conditions and may vary slightly based on network congestion when your transaction is actually executed.

### What You See

Before confirming any transaction, Cloaked shows you a quote that includes:

* **Send amount** — The amount you're sending to the destination
* **Fee** — The estimated transaction fee
* **Total required** — Send amount + fee

This gives you full transparency into the costs before you commit to the transaction.


## How It Works

Cloaked supports stealth addresses by separating **coordination** from **control**.

The system is designed so a server can handle the heavy operational work required for stealth addresses (such as address derivation, scanning, balance tracking, and transaction construction) without ever gaining the ability to move funds.

This is achieved using a capability-based key derivation model.

### Key Derivation Model

When you register, your wallet signs a Cloaked-specific message that is bound to your device and protected by your PIN. On the client, this signature is deterministically transformed into two **scoped cryptographic capabilities**:

* **Viewing capability**\
  Shared with the service. Allows detection of which stealth addresses belong to you, enables balance tracking, and allows the service to derive new stealth addresses.

* **Spending capability**\
  Retained entirely by the client. Required to authorize and sign transactions from stealth addresses.

These capabilities are not wallet private keys. They are derived, scoped, and re-derivable from your wallet, and only your wallet can authorize spending. The spending capability never leaves your device.

This separation allows the service to coordinate stealth addresses on your behalf without custody or signing authority.

### Receiving Funds

When someone sends you funds, they use your [ENS](https://ens.domains/) name.

Behind the scenes, the service:

* Derives a unique stealth address for each payment
* Monitors the blockchain for funds sent to that address
* Aggregates balances across all stealth addresses associated with you

Each payment lands at a distinct onchain address. Observers cannot easily link payments together or associate them with your identity or ENS name.

Senders never see your other stealth addresses, past or future.

<details>
  <summary><h3>Advanced</h3></summary>

  ##### Stealth Address Derivation

  Stealth addresses are derived using elliptic-curve Diffie–Hellman (ECDH), following the principles described in [ERC-5564](https://eips.ethereum.org/EIPS/eip-5564) and related implementations (e.g. Umbra).

  Address creation requires only public data derived from your spending and viewing keys. No private keys are shared with senders.

  In Cloaked’s architecture, address derivation and scanning are handled off-device for performance and UX, while spending authority remains entirely client-side.
</details>

### Sending Funds

Stealth addresses fragment your balance across many independent addresses. Sending funds requires safely recombining those balances.

At a high level, the service:

* Selects funds from one or more stealth addresses
* Constructs a transaction covering the send amount and fees
* Routes any change to a newly derived stealth address to avoid reuse

Your self-custody wallet authorizes and signs all transactions.

<details>
  <summary><h3>Advanced</h3></summary>

  Cloaked uses [EIP-7702](https://eips.ethereum.org/EIPS/eip-7702) to upgrade stealth EOAs into [Porto](https://porto.sh/) smart accounts, imbuing Cloaked stealth addresses with the flexibility of smart accounts such as in-kind gas sponsorship and support for operations like swaps and bridging. This makes it practical to combine funds from many stealth addresses into a single send while preserving privacy and avoiding address reuse. All execution is explicitly authorized by the user’s wallet, while the service handles transaction coordination without requiring the user to deploy or manage smart contracts.
</details>


## Using Cloaked

import { BucketAnimation } from '../../components/BucketAnimation';

The first Cloaked client takes the form of a Farcaster mini-app. Crypto social platforms associate usernames and social graphs with onchain addresses, making balances and transaction history easy to inspect. The mini-app provides a simple interface for receiving and spending via stealth addresses, allowing users to engage socially without exposing their financial history to hostile or merely curious observers.

### Registration

To get started with Cloaked, you'll need to complete registration:

1. **Sign in** — Authenticate with your Farcaster account
2. **Create a PIN** — Enter a 4-digit PIN that you'll use to access your account.
3. **Sign a message** — Your wallet will prompt you to sign a message. This signature is used to generate your stealth address keys.
4. **Choose your ENS subdomain** — Select a unique subdomain (like `username.clkd.eth`) that others will use to send you funds. You can generate a random one or choose your own.

### Receiving Funds

Best practice is to create a new stealth address for each deposit. This prevents onchain observers from linking multiple payments to you.

Upon registration, you receive your own ENS subdomain (e.g., `username.clkd.eth`). Each time someone sends funds to this ENS name, a fresh stealth address is automatically generated for that payment.

You can also share a direct payment page link at `<username>.clkd.id`. Each time this page is refreshed, it generates a new stealth address, making it easy to share a unique payment link for each transaction.

<figure style={{ textAlign: 'center', margin: '2rem auto', display: 'block' }}>
  <img
    src="/receive-funds-ui.png"
    alt="Receiving funds interface showing QR code and address"
    style={{
    maxWidth: '300px',
    display: 'block',
    margin: '0 auto',
    border: '1px solid var(--vocs-color_border)',
    borderRadius: '8px',
  }}
  />

  <figcaption style={{ marginTop: '0.5rem', fontSize: '0.875rem', color: 'var(--vocs-color_text2)' }}>
    Example of the shareable payment page link for `satoshi.clkd.id`
  </figcaption>
</figure>

The Cloaked mini-app automatically displays when funds are received, showing your aggregated balance across all your stealth addresses.

### Sending Funds

To send funds:

1. **Enter amount and destination** — In the Cloaked mini-app, select the asset and chain, enter the amount, and provide the destination address
2. **Review the quote** — Cloaked optimizes input selection across your stealth addresses to cover the amount, calculates the required fees, routes any change to a new stealth address, and surfaces the quote for your review
3. **Enter your PIN** — Confirm the transaction by entering your 4-digit PIN
4. **Sign with your wallet** — Your wallet will prompt you to sign the transaction
5. **Transaction submitted** — Once signed, the transaction is submitted onchain

<div style={{ marginTop: '2rem', display: 'flex', justifyContent: 'center' }}>
  <BucketAnimation autoLoop={true} hideToggle={true} />
</div>