LitGhost

Lit Ghost solves the critical privacy problem facing stablecoin adoption: when you use PYUSD on-chain, every transaction, balance, and spending pattern is permanently public. This isn't how digital payments should work. When you pay with PayPal, privacy is just normal. The barista doesn't see your bank balance or transaction history. Lit Ghost brings that same privacy expectation to on-chain PYUSD. The Problem We're Solving: Blockchain transparency is great for verification but terrible for privacy. Current PYUSD users face:

• Public balance exposure - everyone can see how much you have
• Transaction graph analysis - your entire spending history is traceable
• Financial surveillance - merchants, competitors, and bad actors can monitor your activity
• Poor UX - MetaMask, seed phrases, gas fees, and crypto jargon create massive adoption barriers

Our Solution: Lit Ghost is a trustless privacy layer for PYUSD that combines:

• Encrypted On-Chain Balances: User balances are stored in encrypted "leaves" (groups of 6 users). Each balance is XOR-encrypted using ECDH shared secrets derived from user keypairs. Only you and the Lit Protocol TEE can decrypt your balance - it's completely hidden on-chain.
• Decoy Leaf Updates: Every transaction updates 4 leaves: 1 real transaction and 3 decoys. This creates a 1/24 anonymity set (better than Monero's 1/16), making it nearly impossible to determine which leaf contains the actual transaction.
• Seamless UX: No wallets, no seed phrases, no MetaMask. Users login via Telegram (900M+ users) where their user ID deterministically derives their encryption keys. The same keys work across web and mobile - scan a QR code to access your Telegram private balance on desktop or export your secret to use on other phones. Your secrets follow you everywhere.
• Gasless Everything: Using ERC-3009 (receiveWithAuthorization), all operations are gasless for users:
• Gasless deposits: Users sign an ERC-3009 authorization; the Lit Action submits it
• Gasless transfers: Internal transfers happen off-chain via encrypted leaf updates
• Gasless withdrawals: The PKP signs and pays for withdrawal transactions
• Trustless Operation: The system is controlled by a Programmable Key Pair (PKP) locked to immutable code on IPFS. No humans control the keys, no multisigs, no upgrade paths. The PKP can only execute the specific Lit Action code at a content-addressable IPFS hash. Anyone can verify the code, compute the hash, and confirm the PKP is restricted to exactly that code.

How It Works: When you deposit PYUSD:

• You sign an ERC-3009 authorization (no gas required)
• Your deposit destination is encrypted with an ephemeral key
• The Lit Action (running in a TEE) decrypts where to credit your balance
• Your encrypted balance is updated in a leaf alongside 5 other users 3 random decoy leaves are also updated for privacy

When you send funds to another user:

• You send to their Telegram username or encrypted user ID
• The Lit Action updates encrypted balances in the TEE
• 4 leaves get updated on-chain (1 real, 3 decoys)
• Nobody except sender and the TEE knows who it was from/to, receiver just see their balance increase

When you withdraw:

• The PKP signs and broadcasts your withdrawal transaction
• You pay zero gas - the PKP covers all costs
• Funds arrive at your specified Ethereum address

Why It Matters:

• Privacy by Default: Financial privacy shouldn't be optional or complex
• Telegram-Native: 900M users, zero app installs, instant onboarding
• Cross-Platform: QR code login for desktop, secret export for other devices
• Trustless: Verifiable, immutable, decentralized - no trusted parties
• Better Anonymity: 1/24 anonymity set beats privacy coins like Monero
• Real Adoption: Your grandmother could use this - that's the entire point

Lit Ghost makes private PYUSD payments accessible to everyone, with the UX people expect and the privacy they deserve.

Architecture: A Multi-Layer Privacy System Lit Ghost is built as a TypeScript monorepo with four main packages:

1. Smart Contract Layer (@monorepo/onchain)

• Stack: Solidity 0.8.27, Hardhat, ethers.js v6
• Contract: LitGhost.sol deployed on Ethereum Sepolia
• Core Innovation: Encrypted leaf storage structure

The contract stores user balances in a novel encrypted leaf structure, with encrypted balance, the leaf index and the leaf encryption nonce.

Each balance is encrypted as a 4-byte value (2 decimal precision) using XOR with HMAC-derived keys from ECDH shared secrets. The nonce increments on every update, forcing complete re-encryption. This makes it cryptographically infeasible to determine which user's balance changed or by how much. The contract implements ERC-3009 support (receiveWithAuthorization) for gasless deposits. Users sign an off-chain authorization that the Lit Action submits, paying gas on their behalf. This was critical for PYUSD compatibility since PayPal's stablecoin supports ERC-3009. Notable Hack: We encode deposits with ephemeral keys. Users create a temporary secp256k1 keypair, encrypt their user ID via ECDH with the TEE's public key, and include the ephemeral public key on-chain. Only the TEE can decrypt the recipient, but the deposit itself is public (required for auditability). This elegantly balances privacy with transparency.

2. Cryptographic Core (@monorepo/core)

• Stack: TypeScript, Vite (dual-build), Vitest
• Dependencies: @noble/ed25519 v3, @ethersproject/* v5
• Dual Build System: Standard build (external deps) + Sandboxed build (for Lit Protocol TEE)

This package implements all cryptographic primitives that must match on-chain Solidity:

• User ID blinding/unblinding via secp256k1 ECDH
• Balance encryption/decryption with XOR and HMAC
• Transcript hashing for state update verification
• Leaf packing and unpacking

Technical Challenge: We needed the same code to run in three different environments:

• Browser (web app)
• Telegram Mini App
• Lit Protocol TEE (sandboxed, no npm imports)

Solution: Dual-mode Vite build system. The standard build keeps dependencies external for tree-shaking. The sandboxed build bundles everything and uses a custom ethers-compat.sandboxed.ts that replaces ethers imports with global ethers object available in the Lit TEE. We use Vite aliases to swap implementations at build time. All crypto operations use namespaced HMAC keys to prevent cross-contamination. For example, balance encryption uses namespace "balance" while deposit decryption uses "deposit". Each namespace produces completely different keys from the same ECDH shared secret. This was essential for security isolation.

3. Lit Protocol Action (@monorepo/lit-action)

• Stack: TypeScript, Vite, Lit Protocol SDK v7.3
• Build: Minified, content-addressed bundle uploaded to IPFS
• Core Function: TEE execution environment for trustless operations

The Lit Action is immutable code running in Lit Protocol's distributed TEE network. Key innovations:

Trustless Bootstrap: The Lit Action generates cryptographic entropy in the TEE, encrypts it with Lit's access control (restricted to the exact IPFS CID), signs it with the PKP, and calls setEntropy() on the smart contract. This proves that only this specific code can decrypt the entropy and control the system. The signature verification ensures nobody can impersonate the PKP.

Telegram Verification: The Lit Action verifies Telegram's initData signature using the Telegram Bot API secret (stored in encrypted entropy). This proves the user actually logged in via Telegram and prevents spoofing. Transaction Signing: The PKP signs withdrawal transactions and doUpdate() calls for leaf updates. Users pay zero gas because the PKP broadcasts transactions.

Hacky Detail: We compute the transcript hash of all state changes (deposits processed, leaf updates, payouts) and verify it matches on-chain. This creates a cryptographic audit trail. The hash chain must match between TypeScript (TEE) and Solidity (contract) or the update is rejected. This required extensive testing to ensure byte-perfect parity.

4. Frontend Application (@monorepo/app)

• Stack: Vue 3, Vite, TypeScript, Vitest
• Dual-Mode Architecture: One codebase, two entry points

Clever Hack: The app detects whether it's running in Telegram or a browser using detectTg() and dynamically loads either TelegramMiniApp.vue or WebApp.vue. Same Vue components, different authentication flows. Telegram users get automatic login via initData, web users get MetaMask connection plus QR code login or secret import/export to access their Telegram balances on desktop or other devices.

Build Optimization: We use a custom Vite plugin to inline all CSS directly into the HTML (Telegram mini apps require single-file deployment). We also use SRI hashing for security and bundle visualization for size optimization. The entire app compiles to a single HTML file under 500KB. Partner Technologies: Lit Protocol: The entire system is built on Lit's PKP and TEE infrastructure. We use:

• PKPs for trustless key management
• Lit Actions for TEE code execution
• Access control conditions for encrypted entropy
• Datil-DEV network for testing

Lit was absolutely essential - it's the only way to create a truly trustless system where code, not humans, controls the keys. Some Notable Technical Challenges:

• Crypto Parity: TypeScript crypto operations must produce byte-identical results to Solidity. We wrote extensive Hardhat tests importing @monorepo/core functions to validate compatibility.
• Decimal Precision: PYUSD uses 6 decimals, but we store balances as 2-decimal uint32 values for compact encryption. We carefully handle rounding and track "dust" (leftover fractional amounts) in the contract.
• ERC-3009 Nonces: The nonce for receiveWithAuthorization must be unique but deterministic. We hash keccak256(abi.encode(depositTo, callerIncentive)) to create collision-resistant nonces.
• IPFS Content Addressing: The Lit Action code is pinned to IPFS via Pinata. The IPFS CID is a cryptographic hash of the exact bytes. We compute it client-side to verify integrity before restricting the PKP to it.

What We're Proud Of:

• Zero-trust architecture: Truly no humans in the loop, all verifiable on-chain
• Possibly Better privacy than Monero: 1/24 anonymity set with decoy leaf updates
• Telegram integration: 900M addressable users with zero crypto knowledge required
• Cross-platform access: QR codes and secret export let you access Telegram balances anywhere
• Full test coverage: Hardhat tests validate Solidity ↔ TypeScript crypto compatibility
• Production-ready UX: Gasless everything, seamless authentication, works on any device

This project pushes the boundaries of what's possible with programmable cryptography, TEEs, and privacy-preserving smart contracts.