Confidential · Compliant · For regulated institutions only
Prove everything. Reveal nothing.
PROVA is a confidential, compliant treasury-vault for regulated institutions — built on a first-rank zero-knowledge stack: STARK-secured Starknet, settled to Ethereum, UltraHonk proofs verified on-chain. Your treasury stays sealed from the market and cryptographically provable as clean to a regulator. Asset-agnostic by design — tokenized treasuries, yield-bearing wrappers, nearly any count-preserving token. Custody never leaves your keys.
Deposit → hold → withdraw, live
Two views of one vault. Only one of them can read it.
Below is a working model of the PROVA vault, computed right now in your browser. Deposit seals an amount into a note — only its commitment reaches the chain. Withdraw proves the note and releases funds without ever linking exit to entry. Switch to the chain observer to see exactly what a competitor sees.
The problem
A public chain shows your competitors everything. The usual fixes make it worse.
An institutional treasury on a public chain publishes its balances, counterparties, and flows to anyone with a block explorer — competitors, front-running bots, chain-analysis vendors. For a regulated desk that is not transparency; it is a standing disclosure of position and strategy.
Each classical fix answers a different question — or surrenders something. A custodian takes the asset. A mixer buys privacy by destroying compliance. And disclosure tools — viewing keys — answer the auditor's question, who may look at what happened, but not the question that comes first for a compliance officer: how to be certain that sanctioned value never enters or leaves at all. After-the-fact visibility cannot un-accept a dirty deposit.
PROVA puts prevention where it belongs — at the gate. Custody stays with the institution: the vendor holds no key over a deployed vault. Disclosure is per-transaction, when lawfully requested. And every value-bearing path carries a zero-knowledge compliance check — OFAC non-membership on entry and on exit, plus an affirmative source-of-funds proof — enforced by the contract before any token moves.
Confidential from the market. Provable to the regulator. Never handed to a custodian.
What is PROVA
Seven deliberate choices — each removes a problem instead of adding a feature.
A regulated institution holds its on-chain treasury inside its own isolated vault — confidential from the market, provable to a regulator, never handed to a custodian. The design is defined by what it refuses as much as by what it does.
Confidential, not private
PROVA protects what and how much — balances, counterparties, flows — from external observers. It does not chase a large anonymity set hiding who participates. The threat model is the competitor and the front-running bot, not the state. That is the confidentiality a treasury needs — and the axis on which anonymity-set size is simply not the game.
Compliant
Every value-bearing path carries a zero-knowledge compliance check — OFAC non-membership and source-of-funds provenance — verified on-chain, inside the transaction. This is not a mixer.
Treasury-vault
Hold custody, not a trading account. The product is a vault assets rest in, not a venue they are actively traded through.
Yield-bearing assets
Yield accrues inside the asset — accruing-in-price wrappers, tokenized treasuries whose value rises in the token's own rate — so capital is not idle while held. No external contract call, no DeFi integration, no composability required.
Held-only
Deposit → hold → withdraw. No internal transfer graph, no swaps. The smallest sufficient surface — which is also the smallest surface to leak, and to audit.
No composability — by design
Wiring the held asset into external DeFi costs the confidentiality of amounts: swap sizes hit public AMM state — precisely the property the institution is paying to protect. PROVA declines that trade, because its client holds rather than trades.
With zkSoF — an affirmative proof of source of funds
Provenance from an approved association set, bound to a specific note. Six choices subtract risk; this one adds a property no blacklist can give: the proof attests where funds came from, not merely that an address is absent from a list — the question AML actually asks.
The protocol
Deposit. Hold. Withdraw.
Deposit
Before any token moves, the contract enforces three checks: membership in your own whitelist, an OFAC non-membership proof bound to the caller's address, and a proof that the note's commitment opens to exactly the deposited amount.
A deposit claiming a different amount is structurally impossible.
Hold
The note rests in your own vault. Yield accrues inside the asset itself — no DeFi calls, no rebalancing, no oracle. Balances, counterparties and flows are invisible to observers; only commitments touch the chain.
Withdraw
A zero-knowledge proof — verified by the contract inside the transaction — authorizes exit. The nullifier prevents replay; the recipient is sanctions-screened in the same atomic transaction. Exit never waits on any third-party compliance service.
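The deposit and withdraw gates described above, as an added Python model that is not PROVA's contract or circuit code. It assumes SHA-256 in place of the circuit hash and hands the note opening to the vault in place of the zero-knowledge proofs; the names `Note`, `ToyVault` and `observer_view` are hypothetical.

```python
import hashlib
import secrets

def h(*parts: bytes) -> bytes:
    # Length-prefixed SHA-256; an assumed stand-in for the circuit's hash.
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

class Note:
    def __init__(self, amount: int):
        self.amount = amount
        self.secret = secrets.token_bytes(32)    # never leaves the holder
        self.blinding = secrets.token_bytes(32)  # hides the amount in the commitment

    def commitment(self) -> bytes:
        return h(b"cm", self.amount.to_bytes(16, "big"), self.secret, self.blinding)

    def nullifier(self) -> bytes:
        return h(b"nf", self.secret)  # unlinkable to the commitment without the secret

class ToyVault:
    def __init__(self, whitelist, sanctioned):
        self.whitelist, self.sanctioned = set(whitelist), set(sanctioned)
        self.commitments, self.nullifiers = set(), set()

    def deposit(self, caller: str, amount: int, note: Note) -> bytes:
        # Passing `note` replaces the ZK proofs: the model checks the opening directly.
        if caller not in self.whitelist:
            raise PermissionError("caller not whitelisted")
        if caller in self.sanctioned:
            raise PermissionError("caller on sanctions list")
        if note.amount != amount:
            raise ValueError("commitment does not open to deposited amount")
        self.commitments.add(note.commitment())
        return note.commitment()

    def withdraw(self, recipient: str, note: Note) -> int:
        if recipient in self.sanctioned:
            raise PermissionError("recipient on sanctions list")
        if note.commitment() not in self.commitments:
            raise ValueError("no such note")
        if note.nullifier() in self.nullifiers:
            raise ValueError("nullifier already spent")
        self.nullifiers.add(note.nullifier())
        return note.amount

    def observer_view(self) -> dict:
        # State the model stores: hashes only, no amounts or addresses.
        return {"commitments": sorted(c.hex() for c in self.commitments),
                "nullifiers": sorted(n.hex() for n in self.nullifiers)}
```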
What defines the design
Three properties you can check in the contracts — not a brochure.
Affirmative source of funds
AML asks "prove the source of these funds." A blacklist answers only "not on this list." PROVA's zkSoF is a positive proof that a note derives from an approved association set — and it runs as a parallel attestation, never as a withdrawal gate. Your money path never waits on a compliance operator.
No standing audit key required
Prove a specific fact about a specific transaction when lawfully requested — liability assessed by knowledge at the time of the transaction, as in ordinary law. And where a client's supervisory relationship calls for viewing-key disclosure, it layers cleanly on top: disclosure is policy; prevention stays at the gate.
Physical single-tenant isolation
Each client deploys and owns its own vault — a separate sovereign audit domain, not a logical partition in a commingled pool. No neighbour-reputation risk. The vendor holds no privileged key over a deployed instance: read owner on-chain and confirm it is yours.
Positioning in the Starknet stack
Prevention at the gate. Disclosure on request. Two layers of one compliance stack.
Starknet's ecosystem is building a viewing-key standard for confidential assets — and it answers a real need. PROVA does not compete with it: the two answer different questions, and a regulated institution needs both answered.
An auditor or supervisor granted a key can read flows after the fact. This is the right tool for audit and supervisory relationships — accountability for what has already settled. PROVA composes with it: a client that adopts the ecosystem's viewing-key standard simply layers it on top of its vault, as policy.
Before value moves, the contract itself enforces an OFAC non-membership proof on the depositor at entry and on the recipient at exit, plus an affirmative zkSoF provenance proof per note. This is what makes an institution certain that sanctioned value neither enters nor exits — a guarantee no amount of after-the-fact viewing can provide, because visibility cannot un-accept a dirty deposit.
Disclosure is a policy an institution chooses. Prevention is a property the contract enforces. PROVA adds the layer the stack was missing — and composes with the one it has.
The trust boundary
What PROVA proves — and what it does not.
Proven, on a public network
That the vault verifies both money-path proofs on-chain — deposit amount-binding and withdrawal. That a borrowed-address proof, a fabricated sanctions root, and a replayed nullifier each revert. That the full deposit→withdraw cycle has settled 111 automated runs with deterministic, bit-identical gas. Every claim maps to a transaction you can open.
Not claimed — yet
Mainnet operation and live yield-bearing assets are go-to-market scope, not a current claim: today's vault runs on Sepolia against a mock ERC-20 standing in for the production asset. PROVA is a pre-market MVP, and this page will never say otherwise.
The difference between PROVA and a pitch deck is that PROVA's claims come with transaction hashes.
Trust transferred from a name to a proof.
The vault is non-custodial and trust-minimized: PROVA never holds the asset and holds no privileged key over a deployed instance. Confidentiality rests on a zero-knowledge proof verified on-chain — not on trust in a hardware enclave, and not on trust in the vendor. A reviewer does not have to trust the founder's reputation: they read the source-verified contracts and re-run the adversarial checks themselves.
The capital here is verifiability, not a custodian's brand — don't trust, verify, applied to the business model, not only to the code.
Pure infrastructure: no token, no protocol fees, no custody. Each licensed institution deploys and owns its own vault, verifier, and compliance policy — B2B annual licensing.
On-chain, today
Don't trust the vendor. Read the chain.
The canonical M5 stack on Starknet Sepolia. Every wiring claim — which verifier the vault calls, which binding the compliance module routes to, which roots are registered — is confirmed by reading the deployed contracts' getters, and the adversarial checks are reproducible by any reviewer. All contracts open-source (MIT).
Who holds what
Hold on-chain without publishing your book.
Positions, denominations and counterparties stay sealed from competitors and front-running bots while yield accrues inside the asset — no DeFi wiring, no oracle, no rebalancing. Custody never leaves your keys: the vendor cannot pause your vault, rotate your roots, or move your funds. Not "agrees not to" — is technically unable to.
Certain at the gate. Accountable on request.
Sanctions screening enforced on both entry and exit — so dirty value can neither come in nor go out — an affirmative source-of-funds attestation for every note, and disclosure measured in single transactions, proven in zero knowledge when lawfully requested. Your compliance policy, your whitelist, your audit domain — with the ecosystem's viewing-key standard available on top where your supervisor expects it.
Licensing
Annual licenses. You own the vault — we never can.
PROVA is infrastructure, not a custodian. Each licensee deploys and owns its own vault, verifiers and compliance policy — the owner key is yours, verifiable on-chain. We never hold your assets, your keys, or a privileged key over your deployment.
Pilot
- Single-tenant vault deployment on testnet
- Full circuit set: withdrawal, OFAC, zkSoF, amount-binding
- Compliance policy workshop — whitelist & association sets
- Direct engineering support
Standard
- Production deployment — owner key handed to you
- Sanctions-root update service behind your 24h timelock
- Association-set indexer & attestation tooling
- Adversarial acceptance run on your own instance
Enterprise
- Multi-vault estates, custom compliance predicates
- Legal-team integration & SLA
- Dedicated circuit review with your auditors
- Jurisdiction-specific disclosure support
Pilots run in weeks, not quarters
The treasury you seal today is the position nobody front-runs tomorrow.
Write to us with your asset, jurisdiction and compliance profile — we answer with a deployment plan and the contracts to verify before you sign anything.
pilot@zkprova.xyz