Skip to content

Project Overview

RESEARCH CONTEXT

Tacit is a Bitcoin meta-protocol — the first Bitcoin-side project we have analyzed at DNZN. There is no Solidity to decompile, no Etherscan to cross-check. The "code" is a single ~57k-line JavaScript file plus a 3,350-line specification and a set of zero-knowledge circuits. Token rules are enforced by an indexer — anyone running the same code against the same chain reaches the same verdict — not by Bitcoin consensus.

Our research covers SPEC.md and the reference client at tacit.finance. In scope: the confidential-token core, permissionless issuance, atomic Over-The-Counter (OTC) settlement, public-claim drops, and the Groth16 shielded mixer. Out of scope: the confidential Automated Market Maker (AMM), the cBTC / cBTC-ZK wrapper conventions, the cUSD / Collateralized Debt Position (CDP) design, and the orderbook, Mesh, and governance amendments — each large enough for its own deep-dive. See Operations for the per-opcode scope status.

⊙ generated by robots | curated by humans

NOTE TO DEVELOPERS

Please do not hesitate to reach out to us if we have documented anything inaccurately, if anything is out-of-date, or in general if there is any way that we could better support the project.

Tacit describes itself as a "confidential token meta-protocol on Bitcoin": amounts hidden, supply enforced from chain data, indexer-validated in the browser. It is authored by z0r0z (the same developer behind the zFi Ethereum stack) and live on Bitcoin mainnet and signet. As of analysis date, the tacitscan.io explorer indexes 93 assets and 260,450 envelopes against block 949,729 (mempool).

Tacit hides amounts on Bitcoin itself and recovers full wallet balance from privkey + chain alone. The mechanism is roughly the same one Greg Maxwell proposed for Bitcoin in 2015 — Pedersen Commitments + Bulletproof aggregated Range Proofs + Mimblewimble-style Kernel Signatures — composed with a Tornado-style Groth16 mixer. Tacit's claim is composition rather than new cryptography: confidential transactions on Bitcoin proper, without a federation or off-chain proof exchange.

Research Timeline

DATE TYPE RESEARCH DESCRIPTION
2026-05-16 Entity Profile z0r0z Profile of the developer behind both zFi and Tacit
2026-05-16 Deep Dive Protocol Architecture The meta-protocol model: how envelopes ride in Taproot witness data, the commit-reveal pattern, the validator algorithm, asset identity, indexer trust model
2026-05-16 Deep Dive Cryptographic Mechanisms The cryptography: Pedersen commitments, aggregated Bulletproofs, kernel signatures, BIP-340 Schnorr, domain-separated HMAC derivations, privkey-only recovery
2026-05-16 Deep Dive The Shielded Mixer The Groth16 shielded pool: deposit/withdraw flow, the withdrawal circuit, Poseidon Merkle tree, trusted-setup ceremony (2,227 contributors), three deliberate divergences from Tornado Cash
2026-05-16 Deep Dive Operations The opcode catalog: CETCH, CXFER, T_MINT, T_BURN, T_AXFER, T_PETCH, T_PMINT, T_DEPOSIT, T_WITHDRAW, T_DROP, T_DCLAIM — what each does, who can call it, what it produces
2026-05-16 Deep Dive Risks Trust assumptions and what could go wrong: trusted-setup soundness, indexer trust model, issuer-supply trust, browser-storage wallet, anonymity-set considerations, audit status

Comparison

Bitcoin's token-protocol landscape sorts along three axes: where validity is enforced, whether amounts are exposed, and what is required to recover a balance.

SUBSTRATE VALIDITY AMOUNTS PRIVKEY-ONLY RECOVERY FEDERATION
Ordinals / BRC-20 Bitcoin Indexer Public Yes None
Runes Bitcoin Indexer Public Yes None
RGB Bitcoin (anchor) Off-chain client-side proofs Hidden No — needs proof chain from sender None
Taproot Assets Bitcoin (anchor) Off-chain client-side proofs Partial No None
Liquid Confidential Transactions Federated sidechain Sidechain consensus Hidden Yes (on Liquid) 15-of-N functionaries
Tacit Bitcoin Indexer Hidden Yes None

Of the systems compared above, Tacit is the only one at "Bitcoin substrate" + "indexer validation" + "amounts hidden" + "privkey-only recovery." The trade-off is witness size: roughly 10× a Runes runestone, because hiding amounts requires a Pedersen commitment plus an aggregated bulletproof in every transfer. See Protocol for the full cost breakdown.

Status

ATTRIBUTE VALUE
Substrate Bitcoin L1 (mainnet + signet)
Validity model Indexer-validated meta-protocol (no consensus rule change)
Repository github.com/z0r0z/tacit
License MIT
Reference dApp tacit.finance (alt: tacit.wei.is)
Block explorer tacitscan.io
Wire-format version 0x01
Opcode set (V1) 0x21, 0x23–0x32, 0x37, 0x38 (0x22 reserved)
Confidential-token core Production
Shielded mixer Production — Phase 2 ceremony finalized 2026-05-11, 2,227 community contributions + Bitcoin block 948,824 (mempool) beacon
Public-claim drops Production
Confidential AMM Phase 2 trusted setup pending
Audit None (experimental software, no warranty)
Wallet model In-browser privkey (auto-generated, imported, or locally bound to Xverse / UniSat / Leather)

On-chain footprint (as of analysis date)

Numbers below were captured against block 949,729 (mempool) via tacitscan.io. Mainnet operation is fresh: the z0r0z/tacit repository was created 2026-05-05, the TAC asset was etched ~33 hours later at block 948,242 (mempool), and the Phase 2 mixer ceremony beacon-finalized 2026-05-11 at block 948,824 (mempool). The figures below are from the first ~10 days of mainnet activity.

METRIC VALUE
Indexed block 949,729 (mempool) (mainnet)
Indexed Tacit assets 93
Indexed envelopes (all opcodes) 260,450
CETCH envelopes (confidential issuance) 77
T_PETCH envelopes (fair-launch deployments) 16
Mixer ceremony contributors 2,227 (Phase 2, finalized 2026-05-11)
Canonical ceremony bundle (IPFS CID) bafybeidq2ahzte4sfiqjsmhqta62ufenpppzpch5ppry55tzxzlvltxy2u

TAC is the project's canonical tacit-native asset — explicitly named in SPEC §4.2.7 (Ticker prefix convention) as the reference example of a non-wrapped tacit-native token, and used as the AMM's reference pricing pair (SPEC §4.2.6). The repo ships a dedicated mainnet CI canary (tests/canary-asset-tac-mainnet.test.mjs) that fails the build loudly on any drift to TAC's asset identity, worker registry, or market state schema. Pinned monotonic floors at canary-creation time: 933 transfers, 1,251 holders, 3 supply disclosures, 26 published openings — all of which only grow.

TICKER ASSET ID ROLE
TAC f0bbe868...94762b (tacitscan) Canonical tacit-native asset; etched at block 948,242 (mempool) by tx e2d10be1...ca481e (mempool); 8 decimals; used as AMM reference pair

Sample on-chain envelope (T_AXFER atomic OTC settlement) at block 949,716 (mempool):

  • Tx b76c90de...150f49 (tacitscan · mempool)
  • 5 inputs (1 asset Taproot input at vin[0] + 4 BTC P2WPKH aux inputs), 3 outputs (tacit recipient, BTC payment, change)
  • witness[0]: 64-byte Schnorr signature ☑
  • witness[1]: 881-byte envelope script (signing pubkey + OP_CHECKSIG + OP_FALSE OP_IF "TACIT" 0x01 payload OP_ENDIF) ☑
  • witness[2]: 33-byte control block, starts 0xc050929b… — confirms BIP-341 Nothing-Up-My-Sleeve (NUMS) internal pubkey ☑
  • Fee: 1,458 sat (~2.2 sat/vB at 662 vbytes after witness discount)

Every Tacit envelope follows this format; the Protocol page walks through the validator's decoding step-by-step.

Repository layout

tacit/
├── dapp/                  THE dApp — pin this directory to IPFS
│   ├── tacit.js           57,341 lines: all dApp code (Pedersen, bulletproofs,
│   │                      kernel sigs, BIP-340/341, envelope encode/decode,
│   │                      recursive validator, wallet, UI, marketplace flows)
│   ├── vendor/            bundled @noble/secp256k1 + @noble/hashes + @scure/base
│   └── circuits/          Circom circuits + Groth16 build pipeline
├── worker/                optional Cloudflare Worker (image pinning, faucet,
│                          asset registry — convenience cache, not trust-bearing)
├── fulfiller/             auto-fulfillment service for atomic intents
├── tests/                 ~140 test files covering envelope encoding, indexer
│                          determinism, mixer flows, AMM (108 mixer-specific)
├── spec/amendments/       16 amendments covering CBTC, CUSD/CDP, governance,
│                          orderbook channels, mesh, wrappers, etc.
├── SPEC.md                3,350 lines — authoritative protocol specification
├── MIXER.md               489 lines — mixer architecture
├── AMM.md                 4,590 lines — confidential AMM (out of scope here)
├── README.md              1,234 lines
└── LICENSE                MIT

The reference dApp is a single HTML file plus a single JavaScript file plus a vendored dependency bundle. Pinning dapp/ to IPFS produces one content-addressed CID covering every byte of the wallet, indexer, prover, and verifier. The meta Content Security Policy (CSP) in index.html locks script-src 'self' 'wasm-unsafe-eval' — no external origins, no inline scripts, no unsafe-eval — so nothing runs in the wallet's JS realm except code under the same CID.

WORKER_BASE and IPFS_GATEWAY are top-of-file constants in dapp/tacit.js; setting WORKER_BASE = '' disables every worker call and the protocol still works for transfers, validation, and recovery. The worker is convenience, not trust.

Tokenomics

The protocol itself has no governance token, no treasury, no DAO, and no protocol-level fee on the confidential-token core or the mixer. Costs are entirely Bitcoin transaction fees.

The protocol has a tacit-native asset called TAC. This is a separate thing from the protocol itself, but it is integral to the platform's usage in practice:

  • TAC was etched on Bitcoin mainnet at block 948,242 (mempool) (tx e2d10be1...ca481e (mempool))
  • 8 decimals, asset_id f0bbe868...94762b (tacitscan)
  • SPEC §4.2.7 calls it out by name as the reference example of a non-wrapped tacit-native token (in contrast to cBTC, cUSD, cRUNE.* which are confidential wrappers of external assets)
  • The AMM uses TAC as the reference pricing pair for variants without a direct same-underlying counterpart: cBTC.* price falls back to TAC-pair price × external BTC-quote (SPEC §4.2.6)
  • The repo ships a CI canary (tests/canary-asset-tac-mainnet.test.mjs) protecting TAC's identity and market state. Pinned floors at canary creation: 933 confirmed transfers, 1,251 unique holders, 3 supply disclosures, 26 published openings — all of which monotonically grow

The right analogy: TAC is to Tacit what ETH is to Ethereum — the native/reference asset, distinct from any notion of a "protocol governance token." TAC has no special validator privileges, no fee accrual, no consensus role. It is an ordinary CETCH-etched asset; the protocol treats it the same as any other. Its role is project convention, not protocol mechanics: it is the first-class on-chain reference for AMM pricing, the asset the canary test guards, and the one the project itself uses to validate that mainnet indexing has not drifted.

Other notable on-chain assets follow the same pattern: anyone can etch an asset via CETCH, anyone can fair-launch one via T_PETCH, anyone can mix one via T_DEPOSIT/T_WITHDRAW. Wrapper conventions (cBTC, cBTC-ZK, etc.) extend this with externally-backed assets — out of scope for this V1 analysis. See Operations for the full opcode catalog and Risks for the per-asset issuer trust model.

The mixer has no per-pool token. Mixer pools are keyed by (asset_id, denomination) and do not mint LP-like positions. A user deposits a fixed-denomination UTXO of any tacit asset and later withdraws under a Groth16 proof; the only cost is the two Bitcoin transactions.

The confidential AMM (out of scope for this V1 analysis) introduces protocol fees that accrue to a per-pool protocol_fee_address configured at pool init, claimed via T_PROTOCOL_FEE_CLAIM. That is the only fee-bearing Tacit construct.

Observations

  • Singleton browser dApp. The entire validator, prover, verifier, and wallet live in one ECMAScript Module (ESM) file loaded by one HTML file. No build step at runtime and no server in the protocol-level trust path. Two browsers running the same pinned CID against the same chain reach the same verdict — that is the entire trust model. The same engineering posture as z0r0z's Ethereum work (zFi): minimal external dependencies, single-file architecture.

  • No federation or sidechain. Tacit shares no execution surface with any third party. Bitcoin orders the transactions; the dApp validates them locally. This differs from the other production confidential-asset systems we surveyed (Liquid is federated; RGB needs off-chain proof distribution; Cashu/Fedimint require mint operators; Lightning Labs' Taproot Assets is transparent).

  • Indexer-validated, not consensus-enforced. This is the same trust model as Runes, Ordinals, and BRC-20, well-understood and well-deployed — but it is not Bitcoin consensus. If every Tacit indexer disagrees with you, your tokens do not exist. The mitigation is that the reference indexer is a small, content-addressed, MIT-licensed JS file; re-implement it, audit it, pin it. The risk is that until the spec has been re-implemented by an independent party, the reference implementation is the spec in practice.

  • z0r0z — entity profile of Tacit's author
  • zFi — z0r0z's Ethereum-side stack; shares the same singleton-architecture engineering posture

Changelog

DATE AUTHOR NOTES
2026-05-16 Artificial. Generated by robots. Gas: 200+ tok.
2026-05-17 Denizen. Reviewed, edited, and curated by humans.