Introduction

Previously, in Native Zones Proof of Concept v0.1 (Atomic Transfer), we implemented an atomic transfer between two account-based zones. The problem with that design is that, by the nature of account-based ledgers, private balances are very difficult to make work.

In the second iteration, we tackled private atomic transfers (PACTs), leading to a sharded, private UTXO-based ledger design.

At a high level each Zone owns two states:

  1. a shard of the common ledger
  2. the zone’s state (application dependent)

Each zone update posted to bedrock transitions both the common ledger and the zone state using two proofs.

  1. the common ledger shard transition is verified w.r.t. a global Ledger VK
  2. the zone state transition is verified against the Zone’s VK (set when the zone is first initialized)

The global Ledger VK becomes the “trusted third party” that allows us to coordinate private atomic asset transfers across zones. That is, since asset transfers are governed by the Ledger VK, a zone can trust that an asset it receives will not be double spent without having to audit the sending zone's code.

To ensure integrity of the Common Ledger, Zone STFs do not have the freedom to edit the ledger directly, but they can refuse a ledger transition entirely if the transition would invalidate the STF invariants.

Implementation

To test our design we implemented a PoC of a PACT scenario where we privately transfer some assets from one zone to another. The scenario is executed over a few stages:

  1. The scenario starts with the user creating a transaction that consumes their note in Zone A and produces the output note in Zone B.
  2. The user's transaction is then wrapped in a Bundle and sent to the executors of both Zone A and Zone B. (Bundling does not provide value in this example but is used in the following Uniswap PoC, Preliminary Research: Uniswap as Native Zone.)
  3. Each zone partially executes the user's transaction, only adding commitments or nullifiers that correspond to their shard of the ledger.
  4. After the ledger transition, we run the STF of each zone.
  5. Finally, we collect together zone updates from Zone A and B into a BatchUpdate which will execute atomically on bedrock.
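
The following toy model of stages 3 to 5 is an added example, not the PoC's code: plain Python checks stand in for the Ledger VK and Zone VK proofs. The note layout, hash-based commitments and nullifiers, and every name in it (Note, Shard, partial_execute, batch_update, demo) are assumptions made for illustration.

```python
# Added toy model (not the PoC's code): plain checks stand in for the two proofs.
import hashlib
from dataclasses import dataclass, field

def _h(*parts):
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

@dataclass(frozen=True)
class Note:                      # constructed note layout, assumed for illustration
    zone: str
    value: int
    nonce: str
    def commitment(self): return _h("cm", self.zone, str(self.value), self.nonce)
    def nullifier(self): return _h("nf", self.zone, str(self.value), self.nonce)

@dataclass
class Shard:                     # one zone's shard of the common ledger
    commitments: set = field(default_factory=set)
    nullifiers: set = field(default_factory=set)

def partial_execute(zone, shard, inputs, outputs):
    """Apply only the commitments/nullifiers that belong to `zone`'s shard."""
    new = Shard(set(shard.commitments), set(shard.nullifiers))
    for n in (n for n in inputs if n.zone == zone):
        if n.commitment() not in new.commitments or n.nullifier() in new.nullifiers:
            raise ValueError("input note unknown or already spent")
        new.nullifiers.add(n.nullifier())
    new.commitments |= {n.commitment() for n in outputs if n.zone == zone}
    return new

def batch_update(ledger, inputs, outputs, stfs):
    """All zone updates land together, or the ledger is left untouched."""
    staged = {}
    for zone in sorted({n.zone for n in inputs + outputs}):
        try:
            staged[zone] = partial_execute(zone, ledger[zone], inputs, outputs)
        except ValueError:
            return False
        # The zone STF sees the transition and may only accept or refuse it.
        if not stfs[zone](ledger[zone], staged[zone]):
            return False
    ledger.update(staged)
    return True

def demo():
    a, b = Note("A", 10, "n1"), Note("B", 10, "n2")   # constructed sample notes
    ledger = {"A": Shard({a.commitment()}), "B": Shard()}
    ok = {"A": lambda old, new: True, "B": lambda old, new: True}
    first = batch_update(ledger, [a], [b], ok)     # transfer A -> B
    replay = batch_update(ledger, [a], [b], ok)    # same note again: refused
    return first, replay, ledger
```

Because each zone STF only returns accept or refuse on a staged shard, a refusal by either zone discards the whole batch and neither shard changes.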

All in all, the scenario proving stages (and their times) look like this:

[Figure: screenshot of the scenario proving stages and their times]