Darwin. Docs Miden testnet github ↗

Architecture

Confidential baskets, native to Miden.

Darwin lets a user hold a STARK-proven basket position as a private note in a self-custodial Miden wallet. The token balance lives in the user's private vault, with no per-user ledger on-chain. Value enters and leaves through the Epoch bridge; deposit and redeem notes are executed by the Miden network itself, never a custodian.

Overview

Two entry paths converge on one confidential position. An ETH user bridges Sepolia USDC via Epoch and lets the network execute the deposit; a native Miden-wallet user signs a deposit note directly. In both cases basket tokens are minted — bound 1:1 to the real collateral — into a private note only the depositor can open.

private position self-custodial keys network-executed

Domains

DomainRole
Sepolia (EVM)Users hold USDC and sign the bridge intent. Test USDC 0x2BB4FfD7… (18-dec); Epoch's Compact/Allocator contracts settle the bridge.
OperatorBuilds the confidential notes with the native miden-client (the browser Web SDK cannot yet build a note targeting a network account) and serves the frontend. Never custodies funds or keys.
Miden (testnet)Where positions live: the user's private wallet, the bridged dUSDC faucet, the basket faucets (network accounts), and the network transaction builder that executes deposit/redeem notes.

Accounts & components

Note scripts

Deposit note

confidential_deposit_note carries the user's dUSDC collateral and targets a basket faucet as a network-account target. On consumption it drains the collateral into the faucet vault and mints basket tokens into a private payback note addressed to the depositor.

Redeem note

confidential_redeem_note is symmetric: it carries basket tokens back to the faucet, which burns them and releases the underlying dUSDC into a private payback note, bridged back to Sepolia via Epoch.

The collateral-carrying deposit/redeem note is public — a network account only consumes public notes. The minted/released payback is private: its contents live off-chain, handed to the recipient's browser to import and consume.

Flows

Mint & redeem logic

The mint is bound to the real drained collateral, not to any emitter-supplied value. The note reads the single asset actually carried, asserts its faucet is the dUSDC faucet, and mints that exact amount 1:1. Fee/NAV storage felts are ignored by the mint — an emitter cannot inflate the ratio. Redeem is the inverse: the payout equals the real burned amount, and the released asset's faucet is asserted to be dUSDC. Both legs conserve value exactly, validated on-chain.

Oracle & NAV

The oracle adapter reads a Pragma testnet median through a foreign-account call, returning the median on the VM stack; feeds cover the basket constituents (BTC, ETH, WBTC, USDT, DAI). Weighted-sum NAV math consumes those prices with the target weights, and a fallback degrades gracefully when a feed is unavailable. NAV is used for display and valuation; the confidential mint itself is 1:1, independent of NAV.

Bridge & on-ramp

Value moves between Sepolia and Miden through Epoch, a hosted allocator/solver chosen on Miden-team guidance and validated end to end on testnet. It replaces the earlier AggLayer/Bali path and the custodial relay wallet, both retired.

Basket positions are confidential and native to Miden, so basket tokens are not exposed as ERC-20s on Ethereum; only the underlying collateral crosses the bridge.

Confidentiality model

private: payback contents · balance · backup plaintext
public: deposit/redeem notes · faucet AUM · bridge legs

The design keeps the resulting position confidential while the entry and exit legs are transparent — a deliberate trade of on-chain executability (network accounts) against full transaction privacy. Hardening the entry/exit legs is tracked separately.

Self-custody & keys

The Miden wallet is derived deterministically from one EVM signature (EIP-712, network-independent domain, low-s canonicalized, EOA-guarded). The Falcon key is held in the browser and never reaches the operator. An encrypted, browser-side backup lets a user restore the wallet on a new device by re-signing; only ciphertext is stored.