Gloam

Documentation

Whitepaper

Trade Everything on Robinhood Privately. Technical and product thesis for Gloam — application-layer privacy on Robinhood Chain.

This document is a living public draft. It describes design targets, shipped testnet capability, and intentional non-claims. It is not an offer of securities, a guarantee of mainnet timelines, a promise of absolute anonymity, or a solicitation to purchase tokens. Official $GLOAM status lives on the token page only.

1. Abstract

Public blockchains made settlement programmable and verifiable. They also made financial activity permanently legible. Wallet graphs, size, and timing form a continuous record of intent — legible to bots, competitors, counterparties, and anyone with an explorer.

Gloam is private money infrastructure for Robinhood Chain: an application-layer vault in which assets can be held and transferred with reduced public visibility, and a path toward private trading of stocks and memes on the same rails. The product thesis is a single sentence: Trade Everything on Robinhood Privately.

Privacy on a transparent L2 is not the absence of transactions from explorers. It is the separation of settlement visibility from strategy visibility. Shield and unshield remain deliberate public edges. While assets remain inside the shielded set, amounts and internal transfer relationships are designed not to appear as a simple public balance sheet for a single address.

2. Problem

2.1 Transparent finance as confession

Open ledgers encode desire. A large swap is a signal of urgency. A repeated pattern of buys is a dossier. Address clustering tools turn a portfolio into a public narrative. For funds, market makers, and sophisticated retail, this is not a feature — it is adverse selection priced into every interaction.

2.2 Tokenized equities inherit the same exposure

Robinhood Chain positions itself as infrastructure for financial services and real-world assets. Tokenized stocks and high-velocity meme markets already coexist there. Without application-layer privacy, both inherit the same open-book problem: modern assets on medieval privacy assumptions.

2.3 Venue gap

Retail and institutional venues will list stock tokens and chase cultural liquidity. Few will treat private balances and private flow as core product. Gloam targets that gap: one private venue for everything that settles on Robinhood Chain — equities for size and legitimacy, memes for volume and urgency, same cryptographic rails.

3. Thesis and principles

Gloam asserts that private hold, private move, and private trade are first-class product requirements for serious on-chain markets — not optional skins on a public DEX.

  • Honesty over theater. No mock private success. Claims expand only as contracts, circuits, and audits support them.
  • Battle-tested patterns. Commitments, nullifiers, Merkle membership, and zero-knowledge proofs — not novel cryptography invented for a launch tweet.
  • Edges are real. Entering and leaving the vault is visible. Privacy tools reduce public visibility; they do not erase the physical world, legal process, or operator error.
  • Testnet until ready. Production capital requires production ceremonies, reviews, and operational maturity.

4. What “privacy” means here

A common misconception is that private transactions leave no footprint on a block explorer. That is not how application-layer privacy on a public chain works.

  • Visible by design: that the vault contract was used; shield (deposit) and unshield (withdrawal) events; proof verification transactions.
  • Hidden by design (goal): amounts while shielded; the internal transfer graph between notes; trade intent during private execution (roadmap).
  • Degraded when the set is small: timing and size correlation; thin anonymity sets.

Private send does not mean “nothing on the explorer.” It means the public record does not present a simple Alice→Bob amount story for value that stays inside the vault.

Figure 1 — Wallet, vault, and exit

Your wallet

Open

Anyone can see the balance if they know the address.

Gloam pool

Shielded

Money is in the shared vault. You hold a private note that proves it's yours.

After unshield

Open again

Exit is public on purpose — money leaves the vault back to a wallet.

5. System architecture

5.1 Placement

Gloam is an application-layer privacy system on a transparent L2 (Robinhood Chain). Settlement finality remains with the chain. Privacy is constructed above it via a custodial shielded pool, a Merkle tree of note commitments, nullifiers to prevent double-spends, and on-chain verifiers for zero-knowledge proofs.

5.2 Core components

  • Client application — wallet connection, note material generation, Merkle path reconstruction from on-chain events, browser-side proof generation, and product UX.
  • ShieldPool (Poseidon) — holds assets, maintains the tree, accepts shield deposits, processes transfer and unshield with proof verification.
  • Hash and tree — Poseidon-based commitments and Merkle structure aligned with circuit constraints.
  • Circuits — unshield (exit) and transfer (private send / split) with public-input layouts bound to the pool.
  • Verifiers — Groth16 verifiers for each circuit, multiplexed so a single pool verifier can route by public-input arity.

Figure 2 — Component sketch

  1. 01

    Client

    Wallet UI, local note secrets, proof generation in the browser.

  2. 02

    Pool

    Custody, Merkle root history, nullifier set, payout path.

  3. 03

    Verifier

    On-chain check of proofs against fixed public inputs.

  4. 04

    Circuits

    Unshield and transfer constraints (Poseidon notes + membership).

5.3 Note scheme

A shielded note binds a secret, amount, and asset into a commitment. Nullifiers are derived so that spending a note can be recorded without reusing it. Exact field hashes and layouts are implemented in circuit source and client libraries and must stay aligned across releases.

5.4 Actions

  • Shield — public assets enter the pool; a commitment is inserted into the tree.
  • Transfer (private send) — spend one note, insert two new commitments (payment and change), conserve value for a single asset. The payment secret is conveyed out-of-band (import package) on testnet.
  • Unshield — prove ownership of a note and withdraw to a public address. Exit is a visible edge.

Figure 3 — User loop (testnet today)

Real contracts. No simulated private fills.

  1. 1

    Connect

    Wallet on Robinhood Chain testnet (46630).

  2. 2

    Shield

    Deposit ETH or faucet stock tokens into the Poseidon pool.

  3. 3

    Send or hold

    Private send splits a note; secrets for payment notes are shared carefully off-app.

  4. 4

    Unshield

    Prove and cash out to a normal wallet when ready.

6. Cryptography and verification

Circuits are implemented with Poseidon for circuit-friendly hashing and Merkle membership. Proofs are Groth16 in the current testnet stack. Verification keys and ceremonies used on testnet are development-grade and must not be treated as production toxic-waste-free setups.

Public-input layouts are versioned. Unshield binds root, nullifier, asset, amount, and recipient. Transfer binds root, nullifier, and two new commitments. The dual verifier routes by public-input length so a single pool configuration can support both actions.

An earlier keccak-based pool remains on testnet for historical deposits only. The product path is the Poseidon pool with unshield and transfer verifiers enabled.

7. Threat model

7.1 In scope (design goals)

  • Observer reading a single address balance while assets are shielded
  • Simple public reconstruction of internal note-to-note payment graphs (as anonymity set grows)
  • Double-spend of the same note (nullifiers)

7.2 Edges and residual leakage

  • Shield and unshield amounts and timing on the public chain
  • RPC and network metadata if clients are careless
  • Correlation attacks when few users participate or amounts are unique

7.3 Out of scope as “solved by crypto alone”

  • Device malware, phishing, and coerced key disclosure
  • Legal process and off-chain identity linkage
  • User deletion of local note material without backup
  • Absolute anonymity against nation-state adversaries

8. Product surface

The testnet application at gloam.trade/app provides:

  • Wallet connection restricted to Robinhood Chain testnet
  • Portfolio with wallet ETH, shielded balances, and faucet stocks
  • Public send and stock token transfer paths
  • Shield deposits into the Poseidon pool
  • Private send (transfer) and cash-out (unshield) with browser proofs
  • Note import for payment packages received off-app
  • Vault trade adapter (cash out → public swap → re-shield); sealed-size private trade remains future work

Documentation, this whitepaper, and the token page live on the same origin (/docs, /whitepaper, /token). Marketing site and product share branding: black, lime, white.

9. $GLOAM (protocol asset)

Gloam reserves the ticker $GLOAM as a future coordination asset for the private rails on Robinhood Chain. The public page at gloam.trade/token states status honestly: not launched. There is no tradable contract address until product, trust (audits / production keys), and utility design gates are closed.

Planned roles are design targets only: protocol alignment, fee or access economics once mainnet volume is real, parameter voice after audits, and ecosystem gravity for partners and builders. This whitepaper does not define supply, unlocks, or distribution. Those details will appear on the token page before any mint. The vault, private pay, and sealed trade paths are useful without a token.

This section is not an offer of securities or a solicitation to purchase tokens. Do not trust contract addresses from unsolicited messages.

10. Roadmap

  1. Complete (testnet): public path, shield, unshield, private send circuit and dual verifier, client proof path.
  2. Near term: UX clarity for non-specialists; safer note handoff (encryption to a viewing key); operational monitoring of the anonymity set.
  3. Mid term: sealed-size private trade (hide swap size on the open book); deeper liquidity routing for stocks and memes.
  4. Production gate: independent review, production trusted setup or equivalent, incident process, mainnet only after explicit readiness criteria.
  5. $GLOAM: publish utility and supply on /token, then deploy only after the above gates — not as a substitute for shipping privacy.

11. Positioning

Broad privacy protocols target multi-chain or multi-asset general privacy. Gloam is intentionally narrow: Robinhood Chain, stocks and memes, product-led vault UX. Differentiation is venue and distribution thesis — not a claim of novel cryptography relative to the broader privacy literature.

12. Risks and limitations

  • Smart contract and circuit bugs prior to audit
  • Development proving keys on testnet
  • Browser-local note storage and user operational error
  • Regulatory and compliance uncertainty around privacy tools
  • Thin anonymity sets in early usage
  • L2 and bridge operational risk of the underlying chain
  • Premature or unofficial “$GLOAM” contracts — only trust /token and official channels

13. Explicit non-claims

Gloam does not claim mainnet readiness, insurance of funds, legal immunity, or invisibility from investigation. Testnet assets have no real-world value. Nothing in this paper is investment advice. $GLOAM is not live; this paper is not a token sale.

14. Closing

Settlement will remain public. Strategy need not. Gloam builds the sealed chamber beside the open book on Robinhood Chain — so holders can shield, move, and eventually trade without printing every private calculation to the street.

gloam.trade · /token · testnet · @gloamtrade