Veil Protocol | Devpost

Architecture Diagram
Payment Flow
Midnight Usage
Workflow Diagram

Inspiration

AI agents are about to transact with each other at massive scale. But today, every on-chain payment leaks both parties' wallet addresses, creating a full graph of who-paid-whom. We asked: what if agents could pay each other privately, with no observer able to link sender to receiver? We combined stealth address cryptography (the same math behind Umbra on Ethereum) with Midnight's zero-knowledge proof system to build a privacy-native payment layer for autonomous agents.

What it does

Veil Protocol lets AI agents pay each other using one-time stealth addresses. A sender derives a fresh address for each payment using the receiver's public keys. No address reuse, no on-chain links. The receiver scans encrypted announcements with their private viewing key to detect incoming payments.

The full flow uses the x402 HTTP payment protocol: an agent requests a service, gets back 402 Payment Required, derives a stealth address, signs an HMAC-SHA256 proof, and retries. The server verifies and delivers the result. Six ZK smart contracts on Midnight Preview handle identity, reputation, stealth key storage, shielded token minting, and announcement logging.

How we built it

Stealth Cryptography — Full DKSAP (Dual-Key Stealth Address Protocol) in TypeScript with @noble/secp256k1. The core math:

$$P_{\text{stealth}} = H(r \cdot P_{\text{view}}) \cdot G + P_{\text{spend}}$$

where $ r $ is the sender's ephemeral scalar and $ H $ is SHA-256 reduced mod curve order. A single-byte view tag lets the receiver reject 255/256 non-matching announcements without a full elliptic curve operation.

x402 Payment Server — Node.js HTTP server implementing the x402 payment-gated API pattern with an agent task pool.

Midnight Contracts — 6 Compact contracts compiled to ZK circuits and deployed to Preview network: Identity Registry, Reputation Registry, Validation Registry, Stealth Key Registry, Stealth Send, and Announcement Log.

Agent Discovery (ERC-8004) — Agents publish metadata to IPFS with SHA-256(metadata) committed on-chain for tamper-proof verification.

const { stealthAddress, R, viewTag } = deriveStealthAddress({
  spendPub: recipient.spendPub,
  viewPub: recipient.viewPub,
});

Challenges we ran into

Scalar normalization — secp256k1 rejects zero scalars and values $ \geq n $. We implemented iterative reduction with SHA-256 rehashing on failure.
No relayer needed — On Ethereum, stealth addresses need gas from a relayer. Midnight's DUST fee model solved this natively, eliminating an entire infrastructure layer.
Compact circuit constraints — ZK circuits can't do unbounded loops. We designed fixed-slot ledger layouts for variable-length announcement lists.
Bridging x402 to stealth — The x402 spec assumes a known payTo address. We extended it so clients derive the stealth address client-side and include ephemeral key $ R $ in the payment header.

Accomplishments that we're proud of

6 ZK contracts compiled and deployed to Midnight Preview with real circuits
Full DKSAP lifecycle working end-to-end (key generation, address derivation, scanning, private key recovery)
Working x402 payment flow in both terminal and browser demos
View tag optimization for efficient announcement scanning
No external dependencies for core cryptography beyond audited @noble libraries

What we learned

The elegance of dual-key stealth math: the receiver scans by computing $ S' = p_{\text{view}} \cdot R $ and checking if $ H(S') \cdot G + P_{\text{spend}} $ matches the announced address. Midnight's architecture (Zswap shielded UTXOs + Compact circuits + DUST fees) removes the biggest pain points that plague stealth addresses on Ethereum. We also learned how ERC-8004 can serve as a decentralized agent registry with verifiable metadata.

What's next for Veil Protocol

Production Compact circuits for stealth send with full Zswap integration
Multi-token support (shielded ERC-20 equivalents on Midnight)
A2A and MCP service endpoints for broader agent interoperability
Receiver-side mobile scanning app with push notifications on payment detection
Formal audit of the DKSAP implementation

Built With

midnight compact zero-knowledge-proofs typescript secp256k1 noble-crypto x402 stealth-addresses react vite node.js ipfs erc-8004