DEV Community

Cover image for The Controversy of On-Chain Privacy: Monero, Tornado Cash, and Strk20
Okoli Evans
Okoli Evans

Posted on

The Controversy of On-Chain Privacy: Monero, Tornado Cash, and Strk20

#starknet #web3 #privacy #blockchain

Privacy onchain has never just been a technical problem, it's more a political one.

I've been in this space long enough to have watched the same cycle repeat itself: a team ships something that gives users genuine financial privacy, regulators decide it's a money laundering vehicle, exchanges delist it or the developer gets arrested, and the whole thing becomes a cautionary tale. Meanwhile the underlying need — the legitimate need for financial confidentiality — remains. It just waits for the next builder who is brave enough to try.

This article is about that cycle. About three different bets on how to solve on-chain privacy, what each one got right, what it got wrong, and why the most recent entry — STRK20, a privacy protocol published by StarkWare researchers in March 2026 — might be the first design that actually survives contact with the real world.

The Controversy in Plain Terms

Now the irony of the whole thing is that public blockchain is a globally readable ledger. Every amount, every sender, every receiver is permanently visible to anyone who looks. I can't attribute this to design flaw or failure, it's just the natural evolution process of most things; first make it work, refine later.

The case for financial privacy isn't radical: your salary is your business, your business treasury is your business, your savings are your business.

But the moment you build something that actually delivers that privacy on-chain, you inherit a problem. The same tool that protects a Nigerian entrepreneur from a predatory counterparty also protects a black hat trying to move stolen funds. Regulators don't distinguish easily between the two, and that ambiguity has defined the entire history of on-chain privacy.

Monero: Privacy as Ideology

Monero is the purest expression of the privacy-as-a-right philosophy. Every transaction is private by default, with no opt-out and no exceptions. The engineering behind it is really impressive:

  • Ring signatures blend your spend with several decoy inputs to obscure the sender.
  • Stealth addresses generate a fresh one-time address per recipient
  • RingCT hides amounts completely

Monero does have view keys — a mechanism that lets you voluntarily share your incoming transaction history with a third party like a tax authority or auditor. So it's not a total black box. But the compliance surface is narrow and critically flawed: outgoing transactions are much harder to prove, no auditing entity is baked into the protocol, and there's zero enforcement that users register or share anything.

Compliance is entirely optional, entirely user-initiated, and entirely unverifiable at scale.

The ideology is coherent. The problem is what it looks like from the outside.

When regulators see a system where compliance is possible in theory but structurally unenforceable in practice, they don't give it credit for the theory. They see a system they can't audit, can't subpoena, and can't work with under any meaningful circumstances.

The response was predictable: systematic delistings.

Major exchanges removed it. Some jurisdictions moved to ban it outright. Today, Monero survives with a loyal community — but largely at the margins.

The incomplete compliance path wasn't a strength, it was a ceiling.

Tornado Cash: When Code Became Criminal

Tornado Cash took a different approach. It wasn't a new chain — it was a smart contract on Ethereum.

Users deposited fixed denominations of ETH and ERC-20 tokens — DAI, USDC, WBTC — and later withdrew to a new address, breaking the on-chain link using zero-knowledge proofs.

Simple. Elegant. Effective.

Then in August 2022, the US Treasury sanctioned it.
Not a company.
Not a person.
A piece of code.

Interacting with it became legally risky. Its GitHub was taken down. Roman Storm, one of its core developers, was arrested and charged with money laundering conspiracy, sanctions violations, and operating an unlicensed money transmitting business.

The industry responded with "code is not a crime."

And philosophically, that argument matters — holding a developer criminally liable for how users choose to use open-source software sets a disturbing precedent that the whole industry should be paying attention to.

But from a product perspective, Tornado had the same structural problem as Monero:
No compliance path.
No mechanism — under any circumstance, for any authorized party — to trace funds through it.

That wasn't just a philosophical position. It was a design decision that handed regulators a clean narrative and prosecutors a clean case.

STRK20: A Different Bet Entirely

STRK20 starts from a different premise:

The real issue isn't privacy. It's accountability.

If you can build a system where:

  • Privacy is the default
  • But accountability is possible under legitimate legal processes

…then you remove the core argument regulators have used against every previous system.

That’s the bet.

How STRK20 Actually Works

The Note Model

Like Zcash and Aztec, STRK20 uses a UTXO-style “note” system:

  • Each note encodes owner, token, and amount
  • Transfers = spending notes + creating new ones

Standard foundation. The differentiation is everything built around it.

Nullifiers Without Commitments

When a note is spent:

  • A nullifier marks it as used
  • The actual note identity remains hidden

Unlike Zcash:

  • No Merkle tree of commitments
  • Notes live directly in Starknet contract storage (encrypted)

This:

  • Reduces proof complexity
  • Lowers storage overhead
  • Leans into Starknet’s architecture

Channel-Based Discovery (Key Innovation)

Traditional problem (Zcash):

  • You must scan and attempt to decrypt everything
  • Complexity: O(total transactions)

STRK20 flips this.

Notes are stored at locations derived from a shared secret between sender and recipient.

So:

  • The recipient already knows where to look
  • No global scanning

Structure:

  • Channels → Subchannels → Notes
  • Sequential indexing enforced (no gaps allowed)

Discovery cost becomes:

O(your activity)

Not the network’s.

That’s a massive scalability unlock.

The Compliance Framework

This is the controversial core.

When registering:

  • A user encrypts their viewing key to an auditing entity
  • The encrypted key is stored on-chain

The auditing entity:

  • Uses a threshold system (multi-party control)
  • Can decrypt viewing keys only under valid legal request

Capabilities:

  • Trace incoming and outgoing transactions
  • Perform forward and backward tracing
  • Only expose data for the target user

Important constraint:

  • No leakage about unrelated users

Sequential indexing ensures:

  • No hidden transactions
  • No skipping records

If you have the viewing key, you see everything for that user.

Multi-Asset + DeFi Integration

Most previous privacy systems built a separate pool for each asset.

Tornado Cash had distinct contracts for ETH, DAI, USDC.

STRK20 runs everything through a single pool — multiple token types, one contract. Simpler architecture, better anonymity set, less fragmentation.

The DeFi integration is where it gets genuinely clever.

The fundamental problem with using a privacy protocol inside a DEX is timing: your ZK proof has to be generated before the transaction executes, but AMM swap outputs depend on pool state at execution time. The pool might shift between when you generate the proof and when it settles. You can't commit to a number you don't know yet.

STRK20 solves this with open notes — a special note type that starts empty and gets filled by an external contract after the swap executes.

The user's proof creates a placeholder note for the destination token with zero amount. The helper contract performs the swap, receives the output, and deposits it into that pre-registered note. The whole flow is atomic — it either all happens or none of it does.

The privacy tradeoff is honest and minimal: swap amounts and token types are visible on-chain, but the AMM's public state would have revealed that anyway. What stays hidden is the only thing that matters — who made the swap.

Unified Cairo Codebase

Most ZK systems split:

  • Circuit logic (Circom/Noir)
  • Smart contract logic (Solidity)

STRK20 uses:

  • Cairo for everything

Thanks to StarkWare’s prover:

  • The ZK proof = proof of Cairo execution

Benefits:

  • One language
  • One logic system
  • Easier auditing
  • Shared infrastructure with Starknet

Comparing the Three

Feature Monero Tornado Cash STRK20
Privacy Strong, default Moderate Strong
Compliance None None Built-in
Discovery N/A N/A O(user activity)
Multi-asset No No Yes
DeFi None None Native
Survival Marginalized Sanctioned Designed to coexist
Code Model N/A Split Unified

The Real Controversy STRK20 Surfaces

STRK20 doesn't eliminate the debate. It reframes it.
The criticism is legitimate: there is a trusted auditing entity, a master decryption capability exists, and that is a centralisation point with no equivalent in Monero or the original Tornado Cash. Privacy purists will call this a betrayal of the principle. I understand that position.

But I keep coming back to the alternative. Not the theoretical alternative — the actual, documented one. Delistings. Sanctions. A developer facing decades in prison for writing open-source code.

Pure privacy systems haven't survived regulatory pressure, and surviving isn't optional if you want anyone beyond a niche to actually use what you build.

Bringing the billions onchain goes beyond a small niche of users to the open society, including individuals, institutions, organizations and so on.

So the question STRK20 forces you to answer is honest and uncomfortable in equal measure:

Is privacy that works for millions better than privacy that works for a few?

That's a values question as much as a technical one.

Closing

This debate was never really about cryptography. It's about power — who gets to see your money, when, and under whose authority.

Monero said nobody. Tornado Cash said nobody. Both paid for it in ways that are still unfolding.

STRK20 says something more precise: nobody, unless the law specifically requires it, and even then only the person under investigation.

Not their neighbours in the pool.
Not their counterparties.
Just them.

That's not ideological purity. But ideology doesn't keep protocols alive — and dead protocols don't protect anyone's privacy.

And honestly? The compliance argument isn't just about regulatory survival. We've seen what unaccountable financial privacy looks like in practice — ransomware payouts, sanctions evasion, illicit financing moving through mixers at scale. Those aren't hypotheticals. They're documented history. Dismissing that to win a philosophical argument is its own kind of dishonesty.

The strongest case for STRK20 isn't that it compromises on privacy. It's that it takes both things seriously at once — the individual's right to financial confidentiality, and society's legitimate interest in accountability when the law demands it. Not one at the expense of the other.

That balance is harder to build. It's also harder to tear down.

But this is just my own view, I'm eager to hear what everyone thinks... leave a comment or tweet at me https://x.com/OkoliEvans

Cheerio...

Resouces:
https://www.starknet.io/blog/make-all-erc-20-tokens-private-with-strk20/
https://eprint.iacr.org/2026/474

Top comments (0)