zk-leaks is a decentralized whistleblowing platform built for the Midnight Network ACE Freedom Hackathon. It leverages Zero-Knowledge technology to solve the whistleblower's dilemma, creating a sanctuary where sources can share critical information with cryptographic certainty of their anonymity, while also receiving private financial support.
Whistleblowers face an impossible choice: stay silent or risk their career, safety, and livelihood. Existing platforms rely on promises of anonymity, trusting a central intermediary that can be compromised, coerced, or shut down. This creates a chilling effect that prevents critical information from reaching the public.
We believe the solution isn't a better promise; it's a better protocol. We need a system where anonymity is not a policy, but a mathematical guarantee.
zk-leaks is built on a foundation of three core principles, enabled by the Midnight Network:
- Verifiable Anonymity: Sources can cryptographically prove they are part of a specific group (e.g., an employee of a certain company) without revealing their specific identity. This gives their leak credibility without compromising their anonymity. For the hackathon, this is achieved via a trusted oracle model.
- Permanent & Decentralized Storage: Leaks, including documents and media, are stored on IPFS. This makes the content itself censorship-resistant and permanent. The Midnight blockchain does not store the sensitive data, only an immutable pointer (the IPFS CID) to it.
- Anonymous Support: Every leak published on the platform is automatically linked to a shielded donation address on Midnight. This allows the public to provide financial support directly and privately to the source. Thanks to Midnight's ZK technology, only the original anonymous source can access these funds.
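Because the chain holds only the CID, a reader can check that the bytes a gateway returns are the ones the pointer commits to. The sketch below is an added example, not code from the zk-leaks repository. It assumes the leak was added to IPFS as a single raw block (CIDv1, sha2-256); the names `rawCid` and `checkFetched` and the sample data are hypothetical.

```typescript
import { createHash } from "node:crypto";

const B32 = "abcdefghijklmnopqrstuvwxyz234567"; // RFC 4648 alphabet, lower case

// Unpadded base32, as used by the multibase "b" prefix.
function base32(bytes: Uint8Array): string {
  let out = "", acc = 0, bits = 0;
  for (let i = 0; i < bytes.length; i++) {
    acc = (acc << 8) | bytes[i];
    bits += 8;
    while (bits >= 5) {
      bits -= 5;
      out += B32[(acc >> bits) & 31];
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return bits > 0 ? out + B32[(acc << (5 - bits)) & 31] : out;
}

// CIDv1 header bytes: version 1, codec raw (0x55), multihash sha2-256 (0x12), digest length 32.
const RAW_SHA256 = Buffer.from([0x01, 0x55, 0x12, 0x20]);

// CID of content stored as one raw block (assumption: no UnixFS chunking).
function rawCid(content: Uint8Array): string {
  const digest = createHash("sha256").update(content).digest();
  return "b" + base32(Buffer.concat([RAW_SHA256, digest]));
}

type Verdict = "match" | "mismatch" | "unsupported";

// Compare bytes returned by a gateway with the CID read from the registry.
function checkFetched(onChainCid: string, fetched: Uint8Array): Verdict {
  // Every raw/sha2-256 CIDv1 is 59 characters and starts "bafkrei". "Qm..." and
  // "bafybei..." CIDs name UnixFS (dag-pb) DAGs: their hash covers a protobuf
  // node, not the file bytes, so they need a UnixFS-aware verifier instead.
  if (onChainCid.length !== 59 || !onChainCid.startsWith("bafkrei")) return "unsupported";
  return rawCid(fetched) === onChainCid ? "match" : "mismatch";
}

// Constructed sample data, not taken from the project.
const leak = Buffer.from("constructed sample leak body");
const registryCid = rawCid(leak);
console.log(registryCid, checkFetched(registryCid, leak));                       // match
console.log(checkFetched(registryCid, Buffer.from("constructed sample leak b0dy"))); // mismatch
```

A verdict of "unsupported" means the check could not be performed here, not that the content is authentic.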
The process is designed for maximum security and simplicity for the source.
- Attestation (Off-Chain): A user first proves they have a credential (e.g., an institutional email) to an off-chain oracle. This is a one-time process. The oracle then calls the smart contract to add the user’s anonymous identifier to a private list of verified users.
- Submission (Frontend): The user composes their leak (title, message, files) in the DApp's frontend. The frontend then uploads the content to IPFS, which returns a unique CID.
- Proof & Publication (On-Chain): The user submits an anonymous transaction to the Midnight smart contract. This transaction includes:
  - The public metadata (title, IPFS CID).
  - A ZK proof of their verified credential.

  This on-chain action publishes the leak to the public registry and atomically creates the associated shielded donation address.
zk-leaks is specifically designed to meet the criteria of the ACE Freedom Track/Challenge.
- ACE Freedoms Fulfilled:
  - Expression: The core function of the DApp is to enable anonymous content sharing, protected by ZK proofs, directly fulfilling the Freedom of Expression.
  - Commerce: The platform integrates privacy-preserving transactions via shielded donations, a key feature that protects the financial privacy of both the source and their supporters, thus upholding the Freedom of Commerce.
  - Association: The attestation system allows sources to prove they are part of a group (e.g., an organization) without revealing their identity, enabling a form of private group interaction and validation, which aligns with the Freedom of Association.
- Key Component Integration:
  - OpenZeppelin Integration: The smart contract is built using OpenZeppelin's Compact contracts library, leveraging `Ownable` for secure management of the attestation oracle, thereby ensuring a foundation of security and reusability.
  - Secure Data Sharing: The entire architecture is a form of secure, controlled data sharing. It employs a "selective disclosure" mechanism where the leak's data is made public, while the most critical data—the source's identity—remains completely private and protected.
  - Zero-Knowledge Verification: The platform's core security model relies on ZK verification elements, specifically an anonymous credential checking system that validates a source's credibility without revealing their identity.
The immediate goal for this hackathon is to deliver a functional MVP using a trusted oracle for email attestation. The post-hackathon roadmap is focused on achieving full decentralization and trustlessness by replacing the oracle with a client-side ZK-Email implementation. This will eliminate the final point of trust, creating a true public good where users do not need to trust anyone to protect their identity.
```mermaid
flowchart TD
    A["Source<br/>(Anonymous)"] --> B["Frontend DApp<br/>(React/Next.js)"]
    B --> C["Off-Chain Oracle<br/>(Email Attestation)"]
    A -.->|"Signs Tx"| D["Midnight<br/>(ZK Proofs)"]
    B -->|"Uploads to IPFS"| E["IPFS Network<br/>(Permanent Data)"]
    C -->|"Calls Contract"| F["zk-leaks Smart Contract<br/>(Anonymous Registry)"]
    E --> D
    D --> G["The Public<br/>(Readers &<br/>Supporters)"]
```
```bash
# Install the latest Compact tools
curl --proto '=https' --tlsv1.2 -LsSf \
  https://github.com/midnightntwrk/compact/releases/latest/download/compact-installer.sh | sh
```

```bash
# Install the latest compiler
compact update
```

```bash
# Check versions
node -v # v18+
npm -v # v9+
docker -v
git lfs version
compact check # Should show latest version
```

```
├── cli/ # CLI tools
├── contract/ # Smart contracts
└── frontend/ # React front-end application
```
- Set Network ID
  - Open `frontend/src/App.tsx`
  - Ensure `setNetworkId(NetworkId.TestNet)` is set
- Configure Contract Address
  - In the same file, locate the `contractAddress` constant
- Start Development

```bash
# In one terminal (from project root)
npm i
npm run build
npm run start-app-testnet

# In another terminal (from project root)
cd cli
npm run run-proof-server-testnet
```