Two blockchain projects are rolling out systems for private transactions this week, while a vulnerability in Zcash's shielded protocol is reminding developers that privacy tech is still a fragile game. StarkWare and Sui each say their confidential transfer features are now live or nearing release, aiming to let users move assets without broadcasting balances or counterparties. Separately, Zama, a company building privacy-preserving cryptography, is stepping up compliance tools — a move that underscores how the industry is trying to square anonymity with regulation.
How the new systems work
StarkWare's system, built on its StarkNet layer-2 network, uses zero-knowledge proofs to hide transaction amounts and the identities of senders and recipients. Users will be able to generate a private transfer request on StarkNet, and the network's validators will confirm the transaction without seeing the underlying data. Sui's confidential transfers, meanwhile, rely on a different cryptographic approach — the company hasn't published full technical specs yet, but it's describing the feature as a way to send SUI tokens without leaving a public trail on the blockchain.
Both projects are competing for users who have been waiting for a practical private transaction layer that doesn't sacrifice speed or cost. But privacy in crypto has been a magnet for regulators and hackers alike, and the timing of these launches puts them in the middle of a broader debate about how much anonymity the ecosystem should allow.
The Zcash Orchard bug and what it means
Zcash's Orchard protocol, the newest shielded pool on the privacy-focused blockchain, was found to contain a bug that could let an attacker link transactions that were supposed to be untraceable. The Zcash development team patched the issue earlier this month, but the incident serves as a reminder that shielded privacy models are complex and can introduce new risks. Unlike transparent blockchains, where every transaction is visible, shielded systems rely on cryptographic proofs — and if those proofs have a flaw, the entire privacy guarantee collapses.
The Orchard bug didn't lead to any known exploits, but researchers who disclosed it said similar vulnerabilities could exist in other privacy protocols that use advanced zero-knowledge circuits. StarkWare's and Sui's systems both use variations of zero-knowledge proofs, and their teams say they've audited their code. Still, the Zcash incident has privacy engineers questioning whether the industry is moving too fast.
Zama's compliance push
Zama, a cryptography startup that builds tools for fully homomorphic encryption (FHE) and zero-knowledge proofs, is shifting its focus toward compliance. The company announced a new suite of features that allow businesses to run analytics on encrypted data without decrypting it — a capability that law enforcement and financial regulators have been asking for. Zama's approach tries to give users privacy from the platform operator but still let third parties verify that transactions comply with know-your-customer (KYC) and anti-money laundering (AML) rules.
The timing is notable. Regulators in the U.S. and Europe have been pressuring crypto platforms to enforce sanctions and prevent illicit finance, while privacy advocates argue that total surveillance defeats the purpose of blockchain. Zama's compliance tools aim to split the difference: encrypted data stays private, but regulators can still query it with cryptographic keys. Whether that satisfies both sides is an open question.
StarkWare and Sui haven't said whether they'll integrate similar compliance layers into their confidential transfers. Both are launching first and sorting out the regulatory fit later.




