Earn the same yield as public lending venues,
and keep your position private.
A confidential lending layer on Circle's Arc
Not hacking. Just looking. A public vault publishes its depositor table — and it's free to read.
Supply into any public venue with your amount, your share and your entry sealed in the enclave. Deposits pool and net at the boundary — only the batch net ever touches the public side.
Where the depositors, curators, borrowers and yield already are. The router takes an adapter, so we're not bound to two names. From the venue's side, GhostRail is one ordinary address.
USDC is the native gas token — nobody holds ETH. APS seals state in a hardware enclave, so confidentiality is plain Solidity: no ciphertexts, no circuits. shield / unshield is the only boundary — atomic, same-block — which is exactly where we net.
Arc's Privacy Sector is a TEE-backed private EVM sitting beside Arc's public one. It's not why the idea works — it's why the code is small.
You trust hardware attestation, not cryptography alone. We say that plainly.
A confidential contract calls a public venue and settles in one transaction. No bridge — and a bridge would leak the very timing netting exists to hide.
Not a USDC special case. That's why 5 markets are the same two contracts with a different underlying.
View keys are the substrate's own model — we don't bolt compliance on, we inherit it.
Two contracts. Everything below falls out of them.
You deposit cUSDC — never USDC — and get confidential shares. Amount, share and cost basis stay sealed in the enclave, readable only by you.
Deposits and withdrawals cancel inside the confidential zone. Only the net of each batch crosses to the venue — one movement, one address.
Appoint an observer and they read your position exactly as you do. Invisible to the market, legible to your auditor. No global backdoor.
Across 5 asset markets — USDC · ETH · BTC · EURC · tokenized treasury — each the same architecture with a different underlying.
Withdrawals are funded from deposits already sitting in the router. Hundreds of traceable transfers collapse into one ordinary supply from one address.
It loops over nothing: snapshot the clearing price, adjust aggregates, cross once, advance. Users then pull their own share.
Anyone can call executeBatch(). There's no keeper to trust, no operator to bribe, no liveness dependency on us.
An earlier design looped over participants. Our own review found a griefer could queue 1-wei deposits until execution exceeded the gas limit — bricking the router permanently, with no admin to rescue it. Pull-based removed the loop, so the attack has nothing to grow.
Privacy that hides insolvency is a scam waiting to happen. Anyone can verify we're fully backed — without seeing a single position. Proven as a fuzz invariant over 128,000 calls.
Most of the work wasn't writing contracts — it was deciding what not to build.
Our own pool means bootstrapping liquidity from zero — the two-sided cold-start trap that kills lending launches. We inherit what took years to build.
A position in a public contract has a public amount. Hide the owner, or hide the breakdown — only the second gives amount privacy. Splitting one depositor across proxies is structuring.
Same address in, same address out. We hide sizes, not identity. Institutions aren't asking to disappear — they're asking not to be front-run while staying auditable.
Immutable. No owner, no pause, no upgrade, no privileged fund path. We can't touch the pool because there is no operator role. The auditor can only read.
The flagship market wraps real Arc testnet USDC (0x3600…0000). Every confidential dollar is backed 1:1 by it, provably.
On Arc it's also the gas token — users transact without ever holding ETH.
Cross-chain onboarding through Circle's own Bridge Kit: burn on Base / Ethereum / Arbitrum, Circle attestation, native mint on Arc.
This answers the hardest question the design has: how does liquidity get to Arc at all.
APS is not live. On Arc testnet the confidential values sit in ordinary storage and the gating isn't enforced against a spoofed eth_call. The privacy is architectural, not cryptographic.
Every divergence point is marked // APS-SWAP in the source. Venues are mocked — Morpho and Aave aren't on Arc yet; Aave V4 is in Arc governance.
Protocol live on Arc testnet, USDC-integrated, architected for APS — confidentiality activates when APS ships. An independent audit completes before mainnet real funds, not after.
Generic token + router. 5 asset markets, GhostGate netting, view keys, public solvency invariant. On Arc testnet with real USDC and CCTP.
Adapters — Morpho / Aave the day they're on Arc. Aave V4 is in Arc governance (USDC/EURC/cirBTC).
Same-asset leverage — no cross-asset gap; the clean, low-tail-risk way to add leverage.
Compliance tier — auditor tooling. The revenue layer.
Cross-asset borrow — pooled collateral carries irreducible tail risk: a fast gap liquidates the aggregate and safe users share the loss.
Yield aggregator — fights the privacy model. Fragmented liquidity means thinner anonymity sets.
Venue policy: Aave-style pools first (permissionless) · Morpho markets direct second (permissionless + immutable) · curated vaults only where gates are abdicated.