Zk-RWA-Kit
Zk-RWA-Kit enables developers to build privacy-preserving, compliance-gated Real World Asset (RWA) workflows on Mantle.
ビデオ
テックスタック
説明
Overview
Zk-RWA-Kit enables developers to build privacy-preserving, compliance-gated Real World Asset (RWA) workflows on Mantle. Users prove eligibility using TLSNotary MPC-TLS proofs without exposing sensitive credentials.
How it works:
User generates a TLSNotary proof in-browser via 2-party MPC over TLS (selective disclosure)
Relayer verifies the cryptographic transcript and writes a time-bounded credential on-chain
Compliant tokens and protocols check the credential before transfers
Problem Statement
Users want privacy: Access compliant RWA yield without permanently linking their wallet to a centralized KYC flow that doxxes their on-chain history.
Developers want composability: Permissioned assets (ERC-3643-style allowlists) break standard DeFi building blocks because protocols and users aren’t recognized as eligible recipients.
Ecosystems need tooling: Developers lack a plug-and-play way to turn “private eligibility proofs” into “composable compliance” that DeFi apps can consume safely.
Solution
Zk-RWA-Kit creates a compliant perimeter where RWAs become DeFi-composable among eligible users and integrations, without a permanent public allowlist.
Technical Approach
We use TLSNotary MPC-TLS to generate verifiable proofs of HTTPS session data:
2-Party Computation (2PC): the user’s browser and a notary jointly establish the TLS session so authenticity can be attested without revealing plaintext to the notary.
Selective Disclosure: users commit to the session transcript and reveal only the minimal fields needed for a compliance claim (e.g.,
"eligible": true).MPC under the hood: TLSNotary uses standard MPC techniques so the notary can validate authenticity without learning private response data.
The verified claim becomes an expiring Session Credential (default: 24h TTL) written to the IdentityRegistry contract. DeFi integrations query this credential instead of permanent KYC flags, enabling composability without persistent identity linkage.
Core Architecture
A) Client-Side Prover SDK (TypeScript/WASM)
A browser library that uses TLSNotary-style MPC-TLS proofs to generate selective-disclosure eligibility proofs from an HTTPS session.
User logs into a trusted eligibility source (MVP: controlled mock provider; later: KYC portal or regulated provider).
The prover generates a cryptographic proof that a specific condition is true (e.g., “country is not sanctioned”, “KYC status is verified”, “balance above threshold”).
The proof reveals only the minimum required fields, not the user’s full identity, session cookies, or raw transcript.
B) Compliance Middleware on Mantle (Session Credentials)
Proof is verified (MVP: off-chain via relayer for speed and reliability).
If valid, relayer issues an expiring credential on-chain.
Benefits:
Privacy: no permanent public “KYC list”
UX: no repeated checks every interaction
Control: expiry + revocation patterns
C) “Compliant Perimeter” Token/Wrapper + Factory
Enforces compliance checks at transfer time, without forcing every app developer to reinvent compliance logic.
The wrapper’s key behavior is:
Transfers are allowed only if the sender and receiver have a valid Session Credential (and optionally if the receiving contract is also registered or approved as an eligible integration).
This makes the asset composable within a compliant perimeter, so you can build lending pools, vaults, or AMMs designed for compliant participants, without leaking identities.
Enforces compliance checks at transfer time so developers don’t reinvent allowlist logic.
Transfers/interactions succeed only if sender/receiver (and optionally the receiving contract) have a valid Session Credential.
Not “free-trading.” This makes restricted assets DeFi-compatible within a verified set of participants and integrations.