Penumbra protocol
The following report was originally published in the second issue of Black Sky Nexus in May 2023.
Authors: Stellar Magnet, Saliveja
Project Summary
Penumbra is a Layer 1 shielded blockchain solution initially targeting the Cosmos ecosystem. It uses a delegated proof of stake system with Tendermint consensus, with modifications for delegator privacy. Penumbra Labs is the lead development team, founded and led by Henry de Valence, who previously worked on cryptography at the Zcash Foundation.[^1] The team closed an initial $4.75 million seed round in November 2021. [^2]
The long-term vision is for Penumbra to become a "universal interchain privacy layer" [^3] that would support general-purpose zero-knowledge programmability via asynchronous batch-oriented smart contracts, with direct bridges to Ethereum and other ecosystems. [^4] However, no concrete plans or timelines for this have been established. [^5]
Initially, Penumbra aims to provide a narrow scope of functionality, centering on the shielding of IBC assets. One of its core features is supporting private transactions, allowing for the private transfer of any IBC-compatible asset within its multi-asset shielded pool. Additionally, these shielded assets can be traded on Penumbra's DEX, built upon the ZSwap primitive, which ensures privacy in trading and market-making by keeping participant addresses confidential. [^6]
ZSwap uses concentrated liquidity pools and sophisticated routing logic to match trades across multiple pools. Penumbra's ledger processes transactions in batches, grouping multiple transactions together and executing them simultaneously in a single block. This design helps address Maximal Extractable Value (MEV) issues.[^7] [^8]
Penumbra's key hierarchy is based on the Zcash Sapling design, with a few modifications, including leveraging the BLS12-377 proving curve. This curve, first defined for use in Aleo's Zexe, allows for the possibility of transitioning to a future universal SNARK proving system, as opposed to Sapling's BLS12-381 curve. In its initial mainnet release, Penumbra relies on multiple Groth16 proofs for zero-knowledge functionality, requiring a trusted setup ceremony.[^9] [^10]
Penumbra Labs has devised a Flow Encryption scheme designed to overcome the limitations of traditional zero-knowledge proofs in multi-party situations by encrypting and aggregating data using cryptographic primitives, such as Distributed Key Generation (DKG) and Homomorphic Threshold Encryption.[^11] However, the current version of Tendermint lacks ABCI 2.0, which is necessary for implementing threshold cryptography, and as a result, privacy for trade amounts in ZSwap cannot be achieved in the initial mainnet release. Once ABCI 2.0 becomes available in Tendermint, Penumbra Labs plans to promptly prioritize a major chain upgrade to include Flow Encryption.[^12]
Penumbra's delegated proof of stake system allows delegators to maintain privacy in various aspects, initially shielding account addresses involved in staking, submitting proposals, and voting. Conversely, the validator set and their governance votes are public and attributable, ensuring accountability.[^6] [^13]
Although Penumbra utilizes Tendermint consensus and is IBC-compatible, it does not use the Cosmos SDK. This choice stems from the fact that the Cosmos SDK is based on an account model, while Penumbra is built around a UTXO model, similar to Bitcoin and Zcash. Achieving privacy with an account model is highly challenging, making the UTXO model a more suitable choice for Penumbra's goals.[^13]
Penumbra Labs has developed its Rust-based shielded blockchain as an open source project, which includes many components that are generally useful for other projects. The team builds publicly and follows an explicit policy of capturing all important technical design discussions in Discord or GitHub, promoting decentralized development and preventing the siloing of specialized knowledge.
Radiant Commons, announced in September 2022 as a non-profit contributor, is responsible for "extending the Penumbra ecosystem" [^14] and is led by Josh Cincinnati, the former Executive Director of the Zcash Foundation. Additional organizations contributing to Penumbra development include Strangelove, who are contributing to the IBC relayer and other technologies related to validators, and Zpoken, who are working on a Penumbra Chromium extension and web tooling.
Production Stage
Penumbra is currently in the testnet stage of product development, with no plans for incentivized testnets. Penumbra Labs originally aimed to launch Penumbra on mainnet by the end of 2022 [^15], but the new launch target appears to be the end of this year [^13]. New testnet versions are released biweekly, named after Jupiter's moons. The 51st testnet, Elara, was released on April 24, 2023 [^16].
Overview
Development Strategy
Penumbra Labs' development strategy prioritizes launching on mainnet with fixed functionality, which encompasses a private batch-oriented DEX, private transactions including staking, IBC interoperability, and on-chain governance. While this serves as their initial focus, the team envisions future support for general-purpose privacy programmability, aiming to achieve true zero-knowledge programmability through asynchronous batch-oriented smart contracts. However, no concrete plans or timelines for this have been established.[^9] [^5]
Agile Proof Development
To facilitate swift and flexible development, Penumbra Labs initially utilized "transparent proofs," where witness data, typically secret information in zero-knowledge proofs, was presented in cleartext. This approach allowed a verification algorithm to directly validate the proof's public inputs against the cleartext witness data. Although transparent proofs lack privacy, their interface is identical to a real zero-knowledge proof, which helped Penumbra Labs confirm the system's data compatibility with the eventual private implementation. This technique avoids the need to implement cryptographic aspects before finalizing mechanism design details, providing more room for experimentation.[^17] Starting from February 27, 2023, testnet 46 (Lysithea) began the migration from transparent proofs to zero-knowledge proofs [^18], and the process is now nearing completion. [^4]
Interoperability
Penumbra is integrated with IBC but the Cosmos SDK was not used to develop the blockchain. This is primarily because the Cosmos SDK is based on an account model, whereas Penumbra is built around a UTXO model, similar to Bitcoin and Zcash. An account model requires a map of all balances to validate transactions, and achieving privacy in such a system is highly challenging.[^13]
IBC allows independent blockchains to directly communicate and trade assets without building custom bridge solutions. With IBC, a dedicated channel is used to send data (usually tokens) through a trustless relayer. The relayer either has RPC access to, or is running full nodes of, both the source and destination chains. Once the data reaches the destination chain, it is authenticated.[^19]
IBC is primarily used in the Cosmos ecosystem, where any blockchain developed with the Cosmos SDK can easily integrate IBC. Significantly, even non-Cosmos SDK chains like Penumbra can incorporate IBC, as demonstrated by their independent IBC implementation. Furthermore, Penumbra holds the distinction of being the first non-Cosmos-SDK chain to establish a connection with the Cosmos Hub [^20]. By incorporating IBC, Penumbra enables all IBC-compatible assets to become shielded once they are transferred into Penumbra's "zone."
At present, Penumbra Labs has no concrete plans to build custom bridges for Ethereum or other Layer 1 blockchains in their initial mainnet release. Nevertheless, it is anticipated that Ethereum assets bridged over to IBC using solutions like Gravity Bridge, Axelar, or, in the future, Namada, should technically be transferable to Penumbra. Penumbra Labs envisions directly bridging with Ethereum in a future release.[^4]
In earlier protocol designs, when Penumbra's notes were 64 bits, there would have been a "total on-chain limit of 18.446 wrapped ETH" due to the decimal precision requirements for wrapped ETH [^21]. This constraint could have potentially hindered the accessibility of Ethereum assets bridged to IBC. Imposing limitations on inbound transfers, like permitting only low-precision amounts of Ethereum, might have posed a usability challenge for users. Nevertheless, Penumbra recently completed the process of upgrading its notes to 128 bits, which removes this limitation and enables greater accessibility of Ethereum assets within the Penumbra ecosystem.[^22]
Penumbra's DEX will not have any preference for which bridged assets they support, and hence all IBC-compatible assets should technically be able to be shielded and traded on Penumbra.[^23] In comparison, Osmosis, a transparent Cosmos chain featuring a native IBC DEX, has opted to support only Axelar in their primary frontend as a means to simplify the user experience.
Building in Public
Penumbra Labs, the founding development team, operates with a high degree of transparency, particularly in regard to their technical design processes. By conducting these discussions on public platforms like GitHub and Discord, they create a clear archive of thought processes accessible to the wider community.
They have developed a specialized shielded blockchain using the Rust programming language, incorporating many components that are generalizable and currently being leveraged or co-developed by many different teams.
Examples include:
- A library for interacting with Tendermint, tower-abci, which is also used by Namada.
- Their Jellyfish Merkle Tree (JMT) library, which is being co-developed with Sovereign Labs.
- Their penumbra-storage library for managing chain state, which is being used by at least one unannounced blockchain project.
By building in public and promoting the reuse of their technologies, Penumbra Labs is fostering a collaborative ecosystem that is helping to improve the state of the art in Rust-based blockchain development.
ZSwap
Penumbra's blockchain includes a native private DEX, ZSwap. ZSwap allows users to privately swap between any pair of IBC assets. The vision is that individual swaps do not reveal trade amounts. Instead, all swaps in each block are executed in a single batch, where only the total amount in each batch is revealed after the batch has been finalized. By doing batch execution and having privacy for the individual trade amounts, this prevents front-running while maintaining long-term privacy for individual trades. [^7]
Concentrated Private Liquidity
Inspired by Uniswap v3, ZSwap users have the option to supply liquidity by anonymously establishing concentrated liquidity positions with a simple linear equation, i.e., a constant slope. Liquidity Providers (LPs) can approximate any curve they like for each segment of the curve approximation by creating multiple smaller positions. By combining these smaller positions, LPs can effectively fine-tune their overall position to closely resemble their desired price curve, allowing for a more customized and precise strategy. Although positions display the liquidity amount and concentration range, they are not connected to any Penumbra account or address. This allows users to both discretely and discreetly approximate various trading functions without exposing their particular opinions on prices, assuming they have exercised caution when transferring their assets onto Penumbra from the transparent cryptocurrency world. In addition to these features, another distinction between Penumbra’s liquidity pools and Uniswap v3 is that Penumbra allows liquidity providers to set customized fee amounts for each pool, enabling market competition to establish ideal fee prices.[^7]
DEX Engine
In Penumbra, swap intents are executed concurrently in a batch, occurring once per block [^24]. The "DEX engine" is the component responsible for handling batch execution in ZSwap. During this process, the DEX engine manages swap routing for asset pairs, even those lacking a dedicated liquidity pool, provided that the assets are available in other pools and a suitable route exists. For each trade or "swap intent," the DEX engine determines the optimal route across multiple liquidity pools, aiming for the best price and lowest fees. Unlike Uniswap, which hosts routing logic off-chain [^25], Penumbra's routing takes place on-chain. Additionally, Penumbra's routing can potentially split a swap intent into multiple streams when necessary. For example, if you have a certain amount of TokenA and you desire a specific amount of TokenB, the optimal settlement may involve two different streams. In this case, x% TokenA is sent across stream1 (A->A/C->C/D->D/B->B) to receive ~x% TokenB, and the remaining y% TokenA is sent across stream2 (A->A/C->C/E->E/B->B) to receive ~y% TokenB.[^8]
Penumbra v1 Limitations
It is essential to mention that Penumbra's vision for ZSwap will not initially provide privacy for individual trade amounts when it launches to mainnet this year. This limitation arises because the threshold cryptography, which enables the chain to work with encrypted trade amounts and decrypt batch totals, requires ABCI 2.0—an enhanced interface to Tendermint. Although Tendermint 0.35 included ABCI 2.0, the release was unstable and had to be rolled back. Due to this rollback, it may take at least another year before Penumbra can utilize ABCI 2.0. Consequently, Penumbra will launch their v1 on mainnet this year without threshold cryptography. Once ABCI 2.0 becomes available in Tendermint, Penumbra Labs plans to promptly prioritize a major chain upgrade to fulfill their initial vision.[^12]
According to Finch, a core engineer at Penumbra Labs, the MEV in their v1 system is still significantly reduced compared to traditional DEXs due to the limited actions available based on the batch execution system design. In Penumbra's design, the only decision that can be influenced by observing a swap intent in the mempool is whether to submit an additional transaction to the batch of swaps. Notably, the ordering of swaps within a block does not impact the batch execution of the DEX, which constrains the potential for MEV extraction.[^26]
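The ordering argument above can be checked on a small model. The following is an added example, not code from Penumbra or from the report: it compares one-at-a-time execution with batch execution of the same swap intents. The fee-less constant-product pool, the one-directional swaps, the trader names and the amounts are all assumptions made for illustration.

```rust
// Added illustration, not Penumbra's DEX engine: a fee-less constant-product
// pool (an assumption) handling one-directional A -> B swap intents.

#[derive(Clone, Copy, Debug, PartialEq)]
struct Pool {
    reserve_a: u128,
    reserve_b: u128,
}

impl Pool {
    /// Swap `input_a` of token A for token B, updating the reserves.
    fn swap_a_for_b(&mut self, input_a: u128) -> u128 {
        let out = self.reserve_b * input_a / (self.reserve_a + input_a);
        self.reserve_a += input_a;
        self.reserve_b -= out;
        out
    }
}

/// A swap intent (trader, amount of A offered) or a result (trader, B received).
type Intent = (&'static str, u128);

/// Conventional DEX: intents fill one at a time, each moving the price for
/// the next, so whoever controls ordering controls who gets the better fill.
fn execute_sequential(mut pool: Pool, intents: &[Intent]) -> Vec<Intent> {
    intents
        .iter()
        .map(|&(who, amount)| (who, pool.swap_a_for_b(amount)))
        .collect()
}

/// Batch execution: sum the inputs, clear once against the pool, pay out
/// pro rata. Every participant gets the same rate regardless of position.
fn execute_batch(mut pool: Pool, intents: &[Intent]) -> Vec<Intent> {
    let total_in: u128 = intents.iter().map(|&(_, amount)| amount).sum();
    if total_in == 0 {
        return intents.iter().map(|&(who, _)| (who, 0)).collect();
    }
    let total_out = pool.swap_a_for_b(total_in);
    intents
        .iter()
        .map(|&(who, amount)| (who, total_out * amount / total_in))
        .collect()
}

/// Amount of token B received by `who` in a result list.
fn output_for(results: &[Intent], who: &str) -> u128 {
    results
        .iter()
        .filter(|&&(w, _)| w == who)
        .map(|&(_, out)| out)
        .sum()
}

fn main() {
    let pool = Pool { reserve_a: 1_000_000, reserve_b: 1_000_000 };
    // Constructed intents: the same three swaps in two different block orders.
    let order_1: [Intent; 3] = [("alice", 10_000), ("bob", 50_000), ("carol", 10_000)];
    let order_2: [Intent; 3] = [("bob", 50_000), ("alice", 10_000), ("carol", 10_000)];
    for order in [&order_1, &order_2] {
        println!("sequential: {:?}", execute_sequential(pool, order));
        println!("batch:      {:?}", execute_batch(pool, order));
    }
}
```

In the sequential runs the small trader's fill changes with its position relative to the large order; in the batch runs every permutation produces identical payouts, and an extra transaction added to the batch clears at the same rate as everyone else.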
Technical Design
Proving Architecture
Initially, Penumbra employs the Groth16 proving system in conjunction with the BLS12-377 proving curve. The BLS12-377 curve was first defined for use in Aleo's Zexe and allows for the possibility of transitioning to a future universal SNARK proving system, as opposed to the BLS12-381 curve.[^9] [^10] Although the industry appears to be gravitating towards universal PLONK-based systems, Penumbra has opted for Groth16 due to its compact proofs and high-performance characteristics. De Valence explains that the high performance is because, with Groth16, the proof statement is already encoded in the trusted setup. In contrast, he argues that universal PLONK-based systems would require complex circuit optimization work to achieve equivalent performance, as the proof statement must be encoded as part of the execution process.[^27]
Penumbra Labs aims to reduce the initial engineering focus on circuit optimization and have stronger assurances that all of their fixed functionality performs exceptionally well. As Penumbra supports active market making as part of its fixed functionality, forming proofs for a transaction in around 1 second is their performance target [^4], which is well within their 5-second block interval and allows market makers to efficiently react to price information. Groth16 satisfies this use case well for them: recent tests on a MacBook Pro have met this target [^13]. De Valence notes that Penumbra Labs is interested in moving towards a PLONK-based system in the future, once a decision is made to officially support programmability and general functionality.[^27]
As Penumbra is leveraging Groth16, a trusted setup ceremony will be required before it goes to mainnet this year. However, once the protocol eventually transitions to a PLONK-based system, the need for trusted setups will be eliminated.
Addresses and Keys
Penumbra's key hierarchy is based on the Zcash Sapling design, with a few notable modifications: it is tailored for use with BLS12-377 instead of BLS12-381, employs Poseidon as a hash and PRF, utilizes decaf377 as the embedded group, and incorporates support for fuzzy message detection.[^28]
Similar to other blockchains, the seed phrase is the root key material. Multiple unlinkable accounts, each with a unique spending key, can be derived from this seed phrase [^29]. This is similar to Zcash but dissimilar to public blockchains like Ethereum, where accounts derived from the same seed phrase can be linked to each other.
The spending key represents the ability to make transactions for a given account group (it has spending authority). Each spending key controls an account group, with 2^32 accounts in this group. Each account within the account group has one default address and 2^96 - 1 ephemeral addresses, resulting in a total of 2^128 addresses per spending key. This allows Penumbra users to manage multiple distinct accounts, customized for different purposes, while all being controlled by a single spending key and scanned with the same viewing key.[^30] [^31]
For a given account, only the default address will be exposed or easily accessible in the wallet interface as the ordinary "indexed address", with the rest being "ephemeral addresses" reserved for more publicly facing scenarios where it is better to use an address once, such as incoming IBC transfers [^32]. In Penumbra, transactions maintain privacy by concealing address information due to their shielded nature. On the other hand, transparent counterparty chains reveal addresses in transactions. Ephemeral addresses serve as a solution to bridge this privacy gap since it's visible on the originating IBC chain that a transfer of a specific denomination and amount was made to a Penumbra address.[^33]
While the protocol does not directly prohibit the multiple uses of an ephemeral address, the design goal aims to abstract the usage of such addresses away from the user in the wallet interface. Additionally, the "default address" exposed in the wallet is never utilized during public, on-chain interactions like this.[^32]
Penumbra also has viewing and detection keys for each spending key [^34]:
- The full viewing key can create proofs and view all incoming and outgoing transactions. (This permission can be further divided into separate incoming and outgoing viewing keys.)
- The detection key can be shared with a relatively untrusted third-party Penumbra scanning service in the future, to outsource probabilistic transaction detection via fuzzy message detection. This feature can be beneficial for bandwidth or compute-constrained environments, such as mobile wallets. (It should be noted that while the cryptography to support this feature will exist in the initial mainnet release, the service itself will not be available, as it becomes more useful in the future once there are more total transactions to scan [^13].)
Data Structure
Penumbra's transaction model builds upon the Zcash shielded transaction design, incorporating modifications to accommodate multiple assets and additional actions tailored to its DEX and staking architecture, among other enhancements. The Zcash model, derived from Bitcoin's UTXO model, records value in transaction outputs specifying spending conditions. Penumbra adapts this approach, using notes to specify value type, amount, spending key, and a unique nullifier, functioning similarly to UTXOs.[^35]
Penumbra's shielded chain transfers transaction execution to the client-side, where clients generate zero-knowledge proofs for spending a note, which full nodes can then verify. Notes, unlike UTXOs, are not part of the public chain state. The chain contains a state commitment tree, an incremental Merkle tree with public commitments to private notes. Creating a note involves generating a commitment and proving its validity. Spending a note requires proving its inclusion in the state commitment tree, using the spending key for authorization, and revealing the nullifier to prevent double-spending.[^35]
Penumbra adapts the Jellyfish Merkle Tree (JMT), a high-performance, scalable sparse Merkle tree developed for Libra/Diem, to record public state commitments and maintain private state. In Penumbra's adaptation, data is stored as protobufs for easy parsing and consensus among nodes.
To achieve scalability when managing private state, Penumbra also introduces an additional data structure called the Tiered Commitment Tree (TCT). This lightweight structure enables efficient delta updates through its tiered block-level and epoch-level subtrees [^36]. Penumbra Labs asserts that this structure accelerates traditional designs to a theoretical upper bound of 4,000,000x, as it enables clients to bypass processing blocks or epochs lacking relevant transactions, ensuring that client synchronization work remains proportional solely to their activity rather than the total on-chain activity [^37]. The TCT and the JMT are two separate structures, with the root of the TCT stored in the JMT to bind it to the JMT root hash.[^13]
Flow Encryption
Penumbra Labs has devised a Flow Encryption scheme designed to overcome the limitations of traditional zero-knowledge proofs in multi-party situations by encrypting and aggregating data using additional cryptographic primitives.[^11]
In the future, when Penumbra can utilize ABCI 2.0, the protocol's design will incorporate an integer-valued additively homomorphic encryption scheme with threshold decryption capabilities. This will enable the encryption of individual transaction amounts within a batch. With homomorphic encryption, validators can compute the encrypted batch total by summing the ciphertexts of all relevant transactions. Subsequently, through a threshold decryption process that relies on a Distributed Key Generation (DKG) scheme, validators decrypt this batch total and record the value on the ledger. Notably, Flow Encryption will be applied across many aspects of Penumbra, including ZSwap, staking, and delegator voting.[^11] [^38]
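The encrypt, aggregate, threshold-decrypt flow described above, as an added example that is not Penumbra's scheme or code: it substitutes exponential ElGamal over a toy 11-bit group for the homomorphic scheme and a trusted-dealer Shamir sharing for the DKG. The group parameters, function names, fixed randomness and amounts are constructed assumptions, and the group is far too small to be secure.

```rust
// Added illustration, not Penumbra's flow encryption: exponential ElGamal in
// a toy 11-bit group, with a trusted dealer standing in for the DKG.
// All parameters, names and sample values are constructed assumptions.
const P: u64 = 2039; // safe prime, P = 2*Q + 1
const Q: u64 = 1019; // prime order of the subgroup generated by G
const G: u64 = 4;

fn pow_mod(mut base: u64, mut exp: u64, modulus: u64) -> u64 {
    let mut acc = 1u64;
    base %= modulus;
    while exp > 0 {
        if exp & 1 == 1 {
            acc = acc * base % modulus;
        }
        base = base * base % modulus;
        exp >>= 1;
    }
    acc
}

/// Inverse modulo a prime, by Fermat's little theorem.
fn inv_mod(a: u64, prime: u64) -> u64 { pow_mod(a, prime - 2, prime) }

#[derive(Clone, Copy, Debug, PartialEq)]
struct Ciphertext { c1: u64, c2: u64 }

/// Encrypt `amount` under `pubkey` = G^secret with caller-supplied randomness.
fn encrypt(pubkey: u64, amount: u64, r: u64) -> Ciphertext {
    Ciphertext {
        c1: pow_mod(G, r, P),
        c2: pow_mod(G, amount, P) * pow_mod(pubkey, r, P) % P,
    }
}

/// Homomorphic addition: multiplying ciphertexts adds the plaintext amounts.
fn add(a: Ciphertext, b: Ciphertext) -> Ciphertext {
    Ciphertext { c1: a.c1 * b.c1 % P, c2: a.c2 * b.c2 % P }
}

/// Shamir share for validator `id` (1-based); `coeffs[0]` is the secret key.
fn key_share(coeffs: &[u64], id: u64) -> u64 {
    coeffs.iter().rev().fold(0u64, |acc, &c| (acc * id + c) % Q)
}

/// One validator's contribution, c1^share; it never handles the full key.
fn decryption_share(ct: Ciphertext, share: u64) -> u64 { pow_mod(ct.c1, share, P) }

/// Lagrange coefficient at zero for validator `id` among `ids`, modulo Q.
fn lagrange_at_zero(id: u64, ids: &[u64]) -> u64 {
    let (mut num, mut den) = (1u64, 1u64);
    for &j in ids.iter().filter(|&&j| j != id) {
        num = num * j % Q;
        den = den * ((j + Q - id) % Q) % Q;
    }
    num * inv_mod(den, Q) % Q
}

/// Combine (validator id, decryption share) pairs, strip the mask, and brute
/// force the small discrete log over 0..=max_total to recover the total.
fn combine(ct: Ciphertext, shares: &[(u64, u64)], max_total: u64) -> Option<u64> {
    let ids: Vec<u64> = shares.iter().map(|&(id, _)| id).collect();
    let mask = shares.iter().fold(1u64, |acc, &(id, d)| {
        acc * pow_mod(d, lagrange_at_zero(id, &ids), P) % P
    });
    let g_total = ct.c2 * inv_mod(mask, P) % P;
    (0..=max_total).find(|&m| pow_mod(G, m, P) == g_total)
}

/// Encrypt each (amount, randomness) pair and sum the ciphertexts.
fn encrypted_batch_total(pubkey: u64, swaps: &[(u64, u64)]) -> Ciphertext {
    swaps
        .iter()
        .map(|&(amount, r)| encrypt(pubkey, amount, r))
        .fold(Ciphertext { c1: 1, c2: 1 }, add)
}

/// Threshold decryption by the validators in `ids` (simulated in one place).
fn threshold_decrypt(ct: Ciphertext, coeffs: &[u64], ids: &[u64]) -> Option<u64> {
    let shares: Vec<(u64, u64)> = ids
        .iter()
        .map(|&id| (id, decryption_share(ct, key_share(coeffs, id))))
        .collect();
    combine(ct, &shares, Q - 1)
}

fn main() {
    let coeffs: [u64; 3] = [123, 456, 789]; // degree 2: any 3 validators suffice
    let pubkey = pow_mod(G, coeffs[0], P);
    let swaps: [(u64, u64); 4] = [(120, 17), (75, 230), (300, 5), (5, 901)];
    let total = encrypted_batch_total(pubkey, &swaps);
    println!("3 of 5: {:?}", threshold_decrypt(total, &coeffs, &[1, 3, 5]));
    // Too few shares: the mask is wrong and the result is an unrelated value.
    println!("2 of 5: {:?}", threshold_decrypt(total, &coeffs, &[2, 4]));
}
```

Only the aggregate ciphertext is ever decrypted, so the ledger records the batch total of 500 while the four individual amounts stay encrypted; any three of the five key shares suffice, and two do not.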
Networking Privacy
For Penumbra validators and clients, the anonymity of networking data, such as IP addresses and other ephemeral data, is being addressed differently. Validators are expected to be sophisticated enough to incorporate Tor as part of their stack if they desire additional protection. Running a Penumbra validator over Tor should be possible, although it has not been tested yet[^39]. For client privacy, De Valence expresses hesitation about relying on paid service providers like Nym or dVPN, stating that "if Penumbra is supposed to be private, you shouldn't have to pay for some third party service to get that"[^40]. Instead, Penumbra Labs plans on initially incorporating direct Tor support in the client command line interface, leveraging Arti, the recent Rust Tor implementation.[^13]
Governance & Economics
Penumbra is a delegated proof of stake blockchain using Tendermint consensus. Upon mainnet launch, it will feature on-chain governance for coordinating signaling proposals, modifying chain parameters, and allocating DAO treasury funds.[^41] Mainnet for Penumbra therefore marks the transition to a decentralized model for decision-making, transferring the power from Penumbra Labs to the community. Penumbra's delegation system and governance is modeled after Cosmos Hub governance, with modifications such as removing the No With Veto voting option, adding emergency proposals, and providing privacy for delegators' votes.[^42]
Staking
Delegators can privately stake PEN, Penumbra's native token, to a validator and then receive dPEN(v), which represents the share of a specific validator's delegation pool. In this example, (v) would be replaced with the identifier of the validator. Penumbra describes this as working similarly to how liquidity pools represent shares. Instead of tracking staking rewards directly, the chain tracks an exchange rate between the staking token, PEN, and each validator's delegation token, dPEN(v).[^43] One can only realize staking rewards upon undelegation, by unbonding one's stake which converts delegation tokens dPEN(v) into PEN [^44], unlike in Cosmos Hub or similar chains where one can claim rewards at any time.
This design is important for Penumbra because it allows staking rewards to be distributed without breaking anonymity. Penumbra's shielded asset system is leveraged to provide delegators with privacy around who they are delegating to and how much they are earning. If delegators were paid out continuously, they would have to reveal a payment address, sacrificing their privacy in exchange for participating in economically securing the chain.[^45]
Proposals & Voting
In Penumbra, proposals are broadly categorized into two types: normal and emergency. Normal proposals encompass signaling proposals, on-chain parameter changes, and Penumbra DAO treasury spending proposals. In contrast, emergency proposals are solely reserved for signaling purposes and do not impact the chain state in any way. To submit a proposal, a minimum amount of the staking token, which is specified by a chain parameter set by governance, must be deposited.[^42]
Penumbra employs delegated voting. Validators' voting decisions are always public and serve as the default vote for their delegation pool, while delegators' votes remain private and can override their proportional share of the validators' vote.[^42]
For both proposal types, the voting period commences immediately in the subsequent block after the proposal is committed to the blockchain. All normal proposals have a fixed-length voting period, which can be modified through governance. Emergency signaling proposals are accepted once they receive 2/3 majority stake support, potentially allowing immediate acceptance without delegators' input, as validators' default votes represent their delegation pool. Emergency signaling proposals can be utilized to publicly coordinate a chain halt in case of a security issue. In the event that an emergency proposal is approved and includes the "halt" flag, the chain will cease operations automatically, without necessitating additional validator coordination. Naturally, resuming the chain's operation will demand off-chain coordination efforts.[^42]
Voting options include Yes, No, or Abstain. One distinction from Cosmos governance is that Penumbra does not have a No With Veto option. Instead, an on-chain parameter set by governance specifies a "sufficiently high threshold of 'no' votes", and if the threshold is exceeded, the proposal will be slashed and the deposit will be burned. This mechanism is designed to discourage spam proposals. Deposits will be returned for proposals that either succeed or fail but remain below the designated threshold.[^42]
Liquidity Compensation
Balancing staking and liquidity provision in systems that support both is vital for maintaining competitive equilibrium between the two uses of the staking token. Penumbra's staking design introduces further challenges due to the native delegation tokens for each validator. To stabilize this competition, ZSwap implements a liquidity compensation mechanism, which compensates LPs for the opportunity cost of not staking. Each epoch's total issuance is divided between delegators and liquidity providers, with the chain establishing a target ratio of bonded stake to liquidity provision stake. Liquidity compensation issuance is allocated to eligible active liquidity positions during that epoch, proportionate to the liquidity provided. However, the full mechanism design details for liquidity compensation have yet to be established. [^7]
This approach offers several advantages, such as incentivizing LPs to effectively deploy their capital, guaranteeing that fees in delegation token markets paired with PEN cover the opportunity cost of not staking the PEN, and providing credibly neutral compensation for any trading pair involving PEN without the need for governance proposals.[^7]
Fee Mechanism
Penumbra will implement a multidimensional fee market, drawing upon research from Diamandis, Evans, Chitra, and Angeris in their paper Dynamic Pricing for Non-fungible Resources: Designing Multidimensional Blockchain Fee Markets (August 2022).[^46]
Penumbra Labs has not yet finalized the design of the fee mechanism, but they have explored several design paths. Initially, in 2022, the plan was to burn fees. However, the protocol data structures were expanded to be forward-compatible with multi-asset fees. With the possibility for fees to be accepted in various assets, burning them no longer made sense to the team, and the concept of directing fees to a DAO treasury was then proposed.[^47] This idea evolved further, allowing each validator to specify different "funding streams" and allocate a percentage of fees toward entities such as the Penumbra DAO, instead of forcing all fees to go to the DAO.[^48]
Now, based on new conversations in 2023, it seems possible that Penumbra will have a mechanism similar to EIP-1559, where there is a base fee that is burned, with any excess fee going to the block-proposing validator's "funding streams"[^49].
In the current implementation of the protocol, the native asset is the only acceptable fee token. Penumbra Labs is well aware that allowing fees to be paid in assets other than their native asset will weaken privacy guarantees, as users will then exist within a smaller privacy set of users using that asset to pay for fees, since fees are always public. Should these designs be adopted, it's likely their software will have warnings that using alternate assets for fees is not recommended [^50]. Additionally, if fees are paid without the native asset, the protocol may swap the "base fee" amount into the native asset and burn it.[^51]
To reiterate, fee mechanisms in Penumbra are still in a design exploration phase, so the information presented above should be viewed as a glimpse into the team's thought process, rather than a final system design.
Note: this overview is not 100% comprehensive; review Penumbra's Spec and Blog for more details.
Analysis
Analysis performed by Stellar Magnet. Warning: there is a lot of subjectivity in this section.
Transaction Privacy
Ephemeral Addresses
Ephemeral addresses in Penumbra play a crucial role in enhancing user privacy by offering a vast number of unlinkable and diversified addresses for each spending key. While each spending key has a persistent default address, it also has access to 2^96 - 1 ephemeral addresses. These ephemeral addresses are designed to be used in publicly visible actions, such as incoming IBC transfers. It's important to note that for all other transaction types, addresses used are never visible: instead, zero-knowledge cryptography ensures privacy in these instances.
Utilizing ephemeral addresses for public-facing transactions provides enhanced assurances that these actions remain untraceable and unlinked to the user's default wallet address. Penumbra Labs' design of their ephemeral address system showcases their expertise in privacy-focused user experience design, aiming to minimize cognitive overload. This strategy ensures that users can enjoy the highest level of privacy on Penumbra without needing to manually manage multiple accounts or keep track of their usage, significantly reducing concerns about potential information leaks during transactions.
Trade Amounts Not Initially Private
Although Penumbra aims to provide privacy-focused features, its initial launch on mainnet will not include privacy for individual trade amounts in ZSwap. This is due to Penumbra's reliance on Tendermint and a rollback from the unstable Tendermint 0.35, which included the crucial ABCI 2.0 interface for enabling threshold cryptography. Consequently, Penumbra will launch v1 on mainnet without the threshold cryptography required for its initial vision, which adds limitations to the data that can be kept private during usage of its DEX [^12].
Anonymity Set
As Penumbra has not yet launched, the size of its anonymity set remains undefined. The protocol's adoption may initially be limited to users who already hold assets on IBC-compatible chains since there are no immediate plans to construct a direct bridge to Ethereum or other Layer 1 networks. Due to the two-hop process, Ethereum users seeking general transaction privacy may not choose Penumbra as their first option, particularly as they explore alternatives to sanctioned solutions such as Tornado Cash or the now-defunct zk.money. Though early adopters of Penumbra might not be Ethereum natives, they could become interested once Penumbra achieves a significant TVL and proves itself as a top-tier trading protocol, or when Penumbra establishes a direct bridge to Ethereum.
Penumbra Labs acknowledges the significance of proceeding cautiously when considering the acceptance of multiple assets for fees, in order to minimize fragmentation of the anonymity set. Should this be incorporated into the protocol design, one possible approach is to restrict the touchpoints, such as accepting multiple assets for incoming IBC transfers alone. The protocol could then automatically convert a certain percentage of the incoming asset into the native asset, which would be used for paying future fees. By limiting the use cases and automating the conversion process, Penumbra can maintain a larger anonymity set while also reducing cognitive overload for users, who would otherwise have to weigh which fee token to use and the size of its anonymity set.
Networking Privacy
The measures being implemented for network privacy in Penumbra seem acceptable. The assumption that validators ought to be sophisticated enough to incorporate Tor into their stack is justified. However, providing documentation for newcomers to validation would be beneficial.
Initially, Penumbra Labs is opting to integrate direct Tor support in the client command line interface, utilizing the recent Rust Tor implementation, Arti. While this offers a degree of privacy for clients, it will not cater to browser-based interactions. Mixnets like Nym, which provide browser support, could serve as viable alternatives. Nonetheless, it is understandable that Penumbra Labs might be reluctant to depend on Nym at present, given its relatively new technology status and concerns about users having to pay for a third-party service to guarantee privacy.
As chain analysis companies become more advanced with AI technology, addressing network privacy is increasingly important to offer stakeholders the best "state of the art" privacy. Although the surveillance attack surface is limited, since a user would have to submit a transaction directly to a “chain analyzing” node, it remains a risk. Therefore, as network privacy solutions become more sophisticated, the Penumbra community should continue to evaluate the options, ensuring both validators and clients have the best armor to thrive in the dark forest.
Decentralization
Open Source Collaboration
While some aspects of Penumbra Labs' operations may remain private, their commitment to transparency in technical design fosters a genuinely open source and decentralized culture. This approach promotes collaboration, knowledge sharing, and community-driven development. The effectiveness of this strategy can be seen in the growing number of open source contributors to their code repository, who are not part of Penumbra Labs but actively participate in the project's ongoing development. Furthermore, organizations such as Strangelove Ventures, Zpoken, and Radiant Commons are already contributing to the ecosystem's decentralized development in various ways.
Navigating Jurisdictional Risks
Penumbra Labs Inc., Radiant Commons, and Strangelove Ventures are all US-based companies, operating in a jurisdiction where regulatory agencies have increasingly targeted crypto, DeFi, DAOs, and privacy-focused projects. As privacy-centric protocols gain significant success, it is possible that some of their funds could be associated with activities deemed "illicit" by the state. For instance, Zcash has not attracted much attention from the US government due to limited "illicit" usage, while Tornado Cash became popular for shielding funds from major bridge and DeFi hacks, ultimately leading to US sanctions. While it is advantageous that Penumbra has adopted a decentralized development strategy early on, it will be even more beneficial to continue to grow a network of partners and contributors beyond the United States, allowing the project to more easily navigate the evolving regulatory landscape.
Penumbra DAO
The upcoming mainnet launch of Penumbra this year features native configurations for validators to automatically allocate a percentage of their fees to the Penumbra DAO, a treasury governed by the network's validators and stakers. This DAO can play a crucial role in fostering decentralized development of the Penumbra ecosystem by extending Penumbra's technical reach beyond the United States. Upon mainnet launch, it would be beneficial for validators to contribute a portion of their commissions to the Penumbra DAO. The DAO also can facilitate the sustainability and progress of the protocol's development without relying on a centralized team constantly seeking venture capital. By prioritizing a community-centered approach, the Penumbra DAO can become an essential force in ensuring the ecosystem's long-term sustainability and resilience.
Community Incentives
Penumbra's approach to distributing their protocol token to the community appears conservative, with no plans for incentivized testnets. As a result, when the mainnet launches, the initial validators are likely to consist of Penumbra Labs team members, investors, advisors, and other insiders. This cautious approach might be due to the team's concern for compliance with security or KYC (Know Your Customer) laws, rather than an attempt to centralize control or withhold tokens.
Pre-mainnet community incentive programs often require participants to undergo KYC procedures, and it is a positive aspect that there are no indications of KYC data collection taking place in the early stages of Penumbra's development. While the lack of incentive programs may indeed slow down decentralization, it has the advantage of protecting the privacy of early adopters, ensuring they cannot be doxxed in the event of a government subpoena. This choice aligns with Penumbra's commitment to privacy and creates a more appealing environment for those who prioritize anonymity.
Strategy & Narrative
Penumbra Labs demonstrates a practical and well-grounded development strategy that prioritizes delivering well-scoped, fixed functionality. The team exhibits expertise in balancing privacy concerns with user experience, aiming to create a DEX where privacy features enhance rather than hinder the trading experience. Although the team may be driven by philosophical motives or cypherpunk aspirations, their communication materials focus primarily on fostering a highly technical culture rooted in first principles thinking. This approach, which may seem unadorned to those drawn to grand visions and hype, highlights the practical and humble nature of the Penumbra community. With clear communication and easily understandable goals, Penumbra appears to cast a wide net in its quest to attract future liquidity. The community's focus on practicality and transparency is tactful and likely to resonate with those who prioritize substance over hype.
Disclaimer: The information contained in this document is provided solely for informational purposes and should not be interpreted as legal or investment advice. Although the lead analyst is neither an investor nor an employee of Penumbra Labs, the company has reviewed this report for technical accuracy prior to publication. Additionally, it should be noted that Black Sky is presently collaborating with Anoma, the organization developing Namada, one of the projects referenced herein. This document is not designed to endorse or promote investments in Penumbra Labs, Namada, or any other mentioned projects. It is strongly advised that readers consult their legal and financial advisors before making any investment decisions.
Additional Resources
Testing Penumbra
During the current testnet stage, users can interact with the Penumbra protocol through various methods, including a command line interface and a web interface:
- pcli: This client allows users to generate a wallet, view balances, send transactions, stake, and swap assets without the need to run a full node.
  - Installation instructions can be found at: https://guide.penumbra.zone/main/pcli/install.html
- pd: This daemon, or node software, enables users to join the testnet either as a full node or a validator.
  - Installation instructions can be found at: https://guide.penumbra.zone/main/pd/build.html
- pclientd: This tool bundles the view and custody code from pcli into a server, allowing users to programmatically control funds and build transactions.
  - Usage instructions can be found at: https://guide.penumbra.zone/main/pcli/pclientd.html
- An experimental web-based client (available at https://app.testnet.penumbra.zone/) which can be used in conjunction with the Chromium-based browser extension (found at https://chrome.google.com/webstore/detail/penumbra-wallet/lkpmkhpnhknhmibgnmmhdhgdilepfghe).
Links
- Penumbra Spec
- Penumbra Website
- Penumbra Blog
- Penumbra Discord
- Penumbra Twitter
- Penumbra GitHub
- Penumbra Testnet Guide
[^1]: Penumbra.zone. "Penumbra - Team." Accessed Apr. 2023. https://penumbra.zone/team/
[^2]: Penumbra.zone. "Penumbra Labs Raises Seed Round To Build Private, Decentralized Exchange." 4 Nov. 2021, https://penumbra.zone/blog/penumbra-labs-raises-seed-round-to-build-private-exchange/
[^3]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/1046682441902989352
[^4]: de Valence, Henry. "Interview/Conversation." 8 Apr. 2023. Personal Communication.
[^5]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/1091035484559519875
[^6]: Protocol.penumbra.zone. "The Penumbra Protocol." Accessed Apr. 2023. https://protocol.penumbra.zone/main/index.html
[^7]: Protocol.penumbra.zone. "ZSwap - The Penumbra Protocol." Accessed Apr. 2023. https://protocol.penumbra.zone/main/zswap.html
[^8]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/1090691576914772069
[^9]: GitHub.com. "Decide on a proof system and primitives · Issue #2 · penumbra-zone/penumbra." Accessed Apr. 2023. https://github.com/penumbra-zone/penumbra/issues/2
[^10]: Protocol.penumbra.zone. "Proving Considerations - The Penumbra Protocol." Accessed Apr. 2023. https://protocol.penumbra.zone/main/crypto/proofs.html
[^11]: Protocol.penumbra.zone. "Threshold Cryptography for Flow Encryption - The Penumbra Protocol." Accessed Apr. 2023. https://protocol.penumbra.zone/main/crypto/threshold.html
[^12]: Penumbra.zone. "Penumbra - Penumbra Winter 2022 Update." 23 Dec. 2022, https://penumbra.zone/blog/2022-winter-update
[^13]: Finch. "Interview/Conversation." 8-17 Apr. 2023. Personal Communication.
[^14]: Twitter.com. "@RadiantCommons." 27 Sep. 2022, https://twitter.com/RadiantCommons/status/1574806914084573184
[^15]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/1003679005041508462
[^16]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/905859669921267764/1100145433214451762
[^17]: Penumbra.zone. "Penumbra - How We’re Building Penumbra." 30 Nov. 2021, https://penumbra.zone/blog/how-were-building-penumbra/
[^18]: Penumbra.zone. "Penumbra - Bringing Zero-Knowledge Proofs to Penumbra." 7 Mar. 2023, https://penumbra.zone/blog/zkproofs-intro
[^19]: Medium.com. "Relaying The Message: A Deep Dive Into IBC Relayer Operations." 22 Jun. 2022, https://medium.com/the-interchain-foundation/relaying-the-message-a-deep-dive-into-ibc-relayer-operations-6ff763a2a22f
[^20]: Twitter.com. "@penumbrazone." 15 Jul. 2022, https://twitter.com/penumbrazone/status/1547975626245619713
[^21]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/883455571003576320/1012494078551797881
[^22]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/905859669921267764/1095051136899223623
[^23]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/1090459059313983519
[^24]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/1091022120781352990
[^25]: Uniswap.org. "Auto Router V2." 16 Dec. 2021, https://blog.uniswap.org/auto-router-v2
[^26]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/1091023898134462594
[^27]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/1012798236609761393
[^28]: Protocol.penumbra.zone. "Addresses and Keys - The Penumbra Protocol." Accessed Apr. 2023. https://protocol.penumbra.zone/main/protocol/addresses_keys.html
[^29]: Protocol.penumbra.zone. "Spending Keys - The Penumbra Protocol." Accessed Apr. 2023. https://protocol.penumbra.zone/main/protocol/addresses_keys/spend_key.html
[^30]: Protocol.penumbra.zone. "Addresses and Detection Keys - The Penumbra Protocol." Accessed Apr. 2023. https://protocol.penumbra.zone/main/protocol/addresses_keys/addresses.html
[^31]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/930545761995878480/1081348735805702195
[^32]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/1017085267959623700
[^33]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/996413126901780600
[^34]: Protocol.penumbra.zone. "Viewing Keys - The Penumbra Protocol." Accessed Apr. 2023. https://protocol.penumbra.zone/main/protocol/addresses_keys/viewing_keys.html
[^35]: Protocol.penumbra.zone. "Notes, Nullifiers, and Trees - The Penumbra Protocol." Accessed Apr. 2023. https://protocol.penumbra.zone/main/concepts/notes_nullifiers_trees.html
[^36]: Penumbra.zone. "Penumbra - Penumbra Summer 2022 Update." 9 Aug. 2022, https://penumbra.zone/blog/2022-summer-update/
[^37]: Penumbra.zone. "Penumbra - Accelerating Penumbra’s Merkle Tree by up to 4,000,000x." 15 Nov. 2022, https://penumbra.zone/blog/tiered-commitment-tree/
[^38]: Protocol.penumbra.zone. "Batching Flows - The Penumbra Protocol." Accessed Apr. 2023. https://protocol.penumbra.zone/main/concepts/batching_flows.html
[^39]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/1002816843586744381
[^40]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/943912355287400568
[^41]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/1002225852282576976
[^42]: Protocol.penumbra.zone. "Governance - The Penumbra Protocol." Accessed Apr. 2023. https://protocol.penumbra.zone/main/concepts/governance.html
[^43]: Protocol.penumbra.zone. "Staking Tokens - The Penumbra Protocol." Accessed Apr. 2023. https://protocol.penumbra.zone/main/stake/tokens.html
[^44]: Protocol.penumbra.zone. "Undelegation - The Penumbra Protocol." Accessed Apr. 2023. https://protocol.penumbra.zone/main/stake/undelegation.html
[^45]: Penumbra.zone. "Penumbra - Testnet #4: Shielded Staking Is Here." 26 Jan. 2022, https://penumbra.zone/blog/shielded-staking-is-here/
[^46]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/1091026389752352788
[^47]: GitHub.com. "Deposit fees in the DAO Treasury account instead of burning them · Issue #1224 · penumbra-zone/penumbra." Accessed Apr. 2023. https://github.com/penumbra-zone/penumbra/issues/1224
[^48]: GitHub.com. "Pay out fees to validator funding streams · Issue #1067 · penumbra-zone/penumbra." Accessed Apr. 2023. https://github.com/penumbra-zone/penumbra/issues/1067
[^49]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/1091024368877981696
[^50]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/1091025724896444447
[^51]: Discord. "Penumbra Discord Server." Accessed Apr. 2023. https://discord.com/channels/824484045370818580/824484046335246348/1091025813866025030