MoneroUSD Protocol — Whitepaper V2
A privacy-preserving USD stablecoin built on Monero technology
Abstract
Every USDm in circulation starts at a 150% floor of BTC and XMR reserves under threshold custody and is designed to grow toward 400%+ over time as protocol fees, mint bonds, and sovereign-site fees accumulate into the reserve. No single key controls the float. Every transaction uses FCMP++, the next-generation Monero privacy proof whose anonymity set is the entire UTXO set. Every protocol parameter that affects users is governed by on-chain consensus across both validators and miners. There is no admin key, no founder backdoor, no operator with custodial authority. This page is a feature-by-feature summary. The full technical specification is at monerousd.org/whitepaper.html.
1. Protocol Core
- FCMP++ Privacy: Full-chain membership proofs. Anonymity set equals the entire UTXO set — not 16 ring decoys. ring_size = 1 enforced at consensus.
- Growing Overcollateralization: Starts at a 150% floor and is designed to grow toward 400%+ as protocol fees, mint bonds, and sovereign-site publish fees accumulate into the reserve over time.
- Adaptive Fees: Fees scale from 1× to 100× with reserve utilization. Drain attacks become economically self-defeating before they reach the reserve.
- Adaptive Mining Emission: Block reward proportional to chain activity. Idle chain accrues; busy chain rewards miners. No fixed-supply auctioning.
- RandomX Proof-of-Work: The same CPU-friendly PoW Monero uses. ASIC-resistant. Mining stays in the hands of users with normal hardware.
- Local-First Wallet: Private keys never leave the user's machine. The desktop wallet is a peer of the network — no relay servers, no session tokens.
2. Privacy Infrastructure
- Light Wallet Server: Sub-second cross-device wallet restore via an encrypted scope-tag index. The server stores ciphertext only; the spend key never leaves the wallet.
- PIR-Protected Queries: Restore queries are routed through a SimplePIR layer over an FCMP++-anchored side-index. The operator cannot learn which addresses your wallet is reading.
- Bulletproofs++: 544-byte range proofs for confidential amounts. Every Pedersen-committed value the protocol emits is range-bounded by a real soundness proof.
- Sender-Side Scope Tags: Senders embed encrypted hints in the transaction's tx_extra. The daemon indexes deposits at block time; no operator backfill required.
- Stealth Subaddresses: Every receive is a one-time address. No address reuse, no on-chain linkability between sends to the same payee.
- All-Asset Restore: USDm and every wrapped or custom token visible in a single restore query. No second slow scan for non-USDm balances.
3. Node & Validator Privacy
- Onion-Routed Daemon RPC: USDmd daemons can serve over Tor as a hidden service. Wallets connect through the bundled Tor supervisor; the daemon host never sees the wallet's IP.
- Loopback-Only Sensitive Surfaces: Wallet-RPC, dApp-auth proxy, sovereign-server, and bundled Tor all bind 127.0.0.1 only. OS-level socket bindings, not application-level checks.
- Mining Without Identity: Stratum-over-Tor for miner submission; payouts to FCMP++ stealth subaddresses. No KYC, no IP-to-payout linkage at any layer.
- Pseudonymous Validators: Becoming a bridge validator requires only a USDm bond and a libp2p PeerID. No KYC, no jurisdiction binding, no real-identity disclosure.
- Noise-Encrypted FROST Mesh: FROST rounds and DKG ceremonies run over a libp2p Noise-XX mesh. Validators identify each other by 32-byte derived PeerIDs — no central registry to subpoena.
- Transport-Agnostic Signers: Validator signer daemons can run over Tor, I2P, or any libp2p transport. A signer behind .onion is cryptographically indistinguishable from one on residential IP.
4. Bridge Custody & Cross-Chain
- FROST Threshold Signatures: BIP-340 Schnorr signatures aggregated across t-of-n validators. No single host can move reserves; the threshold scales as floor(2n/3) + 1 — pure Byzantine fault tolerance.
- Multi-Host Distribution: Reserve keys are split across independent validator hosts and grow toward a community-operated set over time. Adding validators strengthens custody automatically.
- Per-Validator Sign Policy: Each validator daemon independently policy-checks every sign request. A compromised coordinator can ask but cannot bypass any validator's local check.
- HTLC-Locked Deposits: Buy USDm deposits land in BIP-341 Taproot HTLCs. Protocol claims via the threshold quorum after confirmation; users refund via script-path after timeout.
- Atomic Swap Bridges: Peer-to-peer trustless cross-chain swaps using Schnorr adaptor signatures. No central operator records user-to-mint mappings.
- LP Offer Mesh: Signed LP offers published on chain. The operator cannot alter offer parameters or learn user-LP linkages beyond what is already public on both chains.
5. Programmable Privacy
- Dark Contracts (DSOL): Smart contracts with private state via Pedersen commitments. Per-call step and memory limits prevent any contract from monopolizing the chain.
- Commit–Reveal Privacy: Any private-slot write or batch entry requires a commit followed by reveal within 16 blocks. Mempool front-running becomes impossible.
- Deterministic DarkVM: 1M instructions and 256 KB memory per call. No I/O, no random clocks, no Math.random. Every operator computes byte-identical state.
- MoneroUSD IDE: Browser-based editor, compiler, local DarkVM preview, and on-chain deploy. No private keys in the IDE — chain-touching calls flow through the wallet's approval modal.
- Nullifier Uniqueness: Every spend produces a unique nullifier. Double-spend becomes physically impossible at the indexer layer.
- Governed Bytecode Upgrade: Dark Contract code can be replaced in place — but only after a validator-quorum vote. The contract id stays stable; only the bytecode rotates.
6. Sovereignty & Censorship Resistance
- Sovereign Web Hosting: Every official frontend is mirrored on chain via SITE_PUBLISH. Every installed wallet serves byte-identical bundles locally if DNS is dark.
- Three-Tier Serving Model: Bundled in the installer, chain-anchored on the protocol, or developer-mode. The wallet falls through tiers automatically; verified bytes always win.
- Hash-Verified Bundles: Served bytes are streamed through SHA-256 verification against the on-chain anchor. Any mismatch returns 503 and falls back to a bundled copy.
- Publish Fees to Reserve: 100% of sovereign-site registration and update fees route into the protocol reserve. Every developer who publishes strengthens the peg.
- Trusted Node Architecture: One-click local USDmd daemon. The wallet operates over a local RPC; remote daemon is optional, not required for anything.
- Sovereign Binary Updates: Wallet upgrades are also served from a sovereign site, with SHA-256 chain-anchored manifests. DNS-blocking the update channel cannot ship a forged binary.
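Hash-verified serving with fallback, as an added example (not the wallet's code). It shows that a whole-file SHA-256 is known only after the last byte, so the bytes are spooled and released only on a match. Function names, the spool size, the tuple layout and the sample bundle are assumptions.

```python
import hashlib
import hmac
import io
import tempfile

CHUNK = 64 * 1024  # read size; hypothetical tuning value


def spool_if_verified(stream, anchor_hex):
    """Hash the stream while copying it to a spool; hand back the spool only on a match.

    Nothing may reach the client before this returns, because the digest
    is not final until the whole stream has been read.
    """
    digest = hashlib.sha256()
    spool = tempfile.SpooledTemporaryFile(max_size=8 * 1024 * 1024)
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        digest.update(chunk)
        spool.write(chunk)
    if not hmac.compare_digest(digest.hexdigest(), anchor_hex.lower()):
        spool.close()
        return None
    spool.seek(0)
    return spool


def serve(anchor_hex, fetched_stream, bundled_bytes):
    """Return (tier_status, served_from, body) for one request.

    tier_status describes the chain-anchored tier: 200 if its bytes verified,
    503 if they were rejected and the bundled copy was used instead.
    """
    spool = spool_if_verified(fetched_stream, anchor_hex)
    if spool is not None:
        with spool:
            return 200, "chain-anchored", spool.read()
    return 503, "bundled", bundled_bytes


# Constructed sample data: a site bundle, its anchor, and a tampered copy.
GOOD = b"<html>wallet frontend v1</html>" * 4096
ANCHOR = hashlib.sha256(GOOD).hexdigest()
TAMPERED = GOOD[:-7] + b"</HTML>"
BUNDLED = b"<html>installer copy</html>"

if __name__ == "__main__":
    print(serve(ANCHOR, io.BytesIO(GOOD), BUNDLED)[:2])
    print(serve(ANCHOR, io.BytesIO(TAMPERED), BUNDLED)[:2])
```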
7. Self-Upgrading Ecosystem
- On-Chain Constitution: A small set of core invariants are protected by defense in depth across four independent layers. Everything else is governed by on-chain proposals with bonded participation.
- Bicameral Governance: Every enacting proposal requires both a validator quorum and a miner-hashpower quorum. Neither branch alone can pass a state mutation.
- Six Proposal Namespaces: Idea, Mimir, Upgrade, DSOLUpgrade, Rollback, Constitutional, and EmergencyCancel — each with its own quorum, time-to-live, and bond appropriate to its risk profile.
- Sybil-Resistant Bonds: Validator bond scales quadratically with set size. A thousand fake validators cost roughly 333× a single bond — mass Sybil is economically unviable.
- EmergencyCancel Veto: A 1-day, low-quorum cancellation namespace that lets the community kill a pending malicious proposal before it enacts. Status-quo-preserving by design.
- DaemonFork Activation Window: Consensus binary upgrades require 4n/5 validator and 2n/3 miner consent, plus a 60-day activation window. Rented-hashpower attacks face sustained 60-day visibility.
8. Ion Swap DEX & DeFi
- Commit–Reveal Batch AMM: Orders are encrypted in the mempool and settled in batches. No mempool sniping, no MEV sandwiches, no priority-gas auctions.
- Confidential LP Positions: LP shares stored as Pedersen commitments. Amounts are private; nullifiers prevent double-withdraw of the same position.
- Sixteen Wrapped Assets: wBTC, wXMR, wETH, wLTC, wDOGE, wBCH, wSOL, wADA, wZEC, wBNB, wUSDT-TRX, wRLUSD, and ETH-network stablecoins. Each chain ships under threshold custody as it matures.
- Dark Pool Orders: Off-chain encrypted limit-order book. Orders reveal only on fill; the resting book is invisible to chain analysts.
- Overcollateralized Lending: Lending against USDm and wrapped assets. Reserve-aware liquidation curves keep the system solvent under cascading drawdowns.
- Private NFT Marketplace: Mint, transfer, and sale with confidential ownership. Royalties are enforced at settlement, not by social convention.
Free and open. Print this page for a one-sheet reference card.