v0.9.11 — V3 STARK Quantum-Safe Pools

@IsSlashy IsSlashy released this 03 May 02:42
· 216 commits to master since this release

First release with the V3 denominated pools running fully on STARK proofs over Goldilocks. Privacy-side BN254/Groth16 dependency is gone for the new pools — proofs and commitments are post-quantum end-to-end on the ZK side.

Headline

  • V3 STARK pools live on devnet — 13 fresh pools (6 SOL + 7 USDC) using the universal LeafInserted event and the new denominated_pool_v3 seed.
  • Full lifecycle validated on both wallet paths — shield → wipe → restore → recover → emergency unshield, on Privy AND classic (BIP39 seed) wallets.
  • Bumps mobile to 0.9.11 (versionCode 26).

What changed

ZK / Pools

  • New p01_quantum_pool instructions: shield_denominated_v3, unshield_denominated_stark_v3.
  • Universal LeafInserted event on every commit (ends the 6-event-layout decoder mess).
  • Goldilocks Poseidon TS port — bit-exact parity with the Rust AIR (locked by tests: hash2(0,0)=18051734659105196655, hash4(1,2,3,4)=3933389460072713373).
  • C3 STARK proof for unshield verifies in under 1.4M CU (well under the Solana compute cap).

Mobile app

  • Shield V3 / Unshield V3 / Batch UI feature-flagged behind V3 pool routing.
  • findSafeShieldCounter walks the per-pool nullifier counter to avoid commitment collisions across pools.
  • Recovery flow auto-iterates V3 pools alongside V2 (legacy).
  • Subscription + classic P2P stream recovery now stamps a P01_SUB_V1 memo on the first payment so subscriptions survive wipes; cancel publishes a P01_SUB_UPD memo so deletions survive too.
  • The v2 stale-subtree pattern can now be replayed at recovery time (replayMerkleProofFromEvents), so old v2 notes recover correctly even after the rebuild divergent-root bug.

Bugs squashed during V3 bring-up

  • Off-by-one on newSubtrees (was 16 entries, must be 15).
  • Recovered notes lacked merkleRoot → now extracted from c3ProofResult.publicInputs[1].
  • C3 public-inputs hash format corrected to 16 bytes (leaf || root_u64).
  • Commitment formula rewritten as nested hash2(hash2(nul, sec), hash2(epoch, mint)) — matches AIR.
  • Rescan dispatcher now V3-aware (separate path with Goldilocks decoder).
  • Counter=0 collision on V3 shield resolved by per-pool counter walk.

Devnet program IDs (unchanged)

  • zk_shielded: GbVM5yvetrSD194Hnn1BXnR56F8ZWNKnij7DoVP9j27c
  • p01_stark_verifier: DGY37k3Jt7cbrfNa9rxyLZVcFB7S7A2NqtVpkh9fWQvs

Known limitations

  • V3 is devnet-only for now. Mainnet ship pending audit closure.
  • V3 transfer / split / escrow / cancel / prefund instructions not yet ported (V2 paths still in use for those flows).
  • Stealth key exchange and wallet-level signing remain on Ed25519/X25519 — full PQ end-to-end requires a quantum wallet program (planned, separate roadmap item).

Honest crypto claim

V3 ZK proofs and pool commitments are quantum-resistant (STARK + Poseidon over Goldilocks; preimage resistance survives Shor/Grover). Solana L1 transaction signing is still Ed25519 — funds in your everyday wallet inherit Solana's quantum risk like every other Solana wallet. The privacy guarantees of Protocol-01 (unlinkability of past shielded transfers) are quantum-safe.

Install

The release APK below is signed with the production keystore. Installing over a debug build wipes AsyncStorage / SecureStore — uninstall first if you were on a debug build.