Skip to main content
Every time a client pays through a Hypertron payment link, the system creates a cryptographic record called a commitment. This commitment proves that a valid payment occurred and that your account should be credited — but it does not contain any information about the client’s wallet address. The commitment is stored on-chain in a Soroban smart contract called the PoolManager. It is the foundation of Hypertron’s ability to be simultaneously private and auditable.

What a commitment is

Think of a commitment as a sealed envelope. Inside the envelope is a proof that a specific payment happened. The PoolManager contract accepts the envelope, stamps it as received, and files it away — but it never opens it. Anyone can verify that the envelope exists and was submitted, but they cannot read its contents. In practice, a commitment is a number derived from the payment details using a cryptographic hash function called Poseidon. Poseidon is designed specifically for use in privacy-preserving systems. The result is a fixed-length value that is mathematically impossible to reverse — you cannot work backwards from a commitment to the payment amount or payer identity. The PoolManager stores this value and updates its internal record of all commitments, but it never stores raw amounts, wallet addresses, or any identifying information.
You do not need to interact with commitments directly. Hypertron creates and registers them automatically when a payment is detected. They appear in your dashboard as confirmed payment events.

What a nullifier is

A nullifier is a paired value generated alongside each commitment. Its only job is to prevent the same payment from being withdrawn more than once. When you request a withdrawal, Hypertron looks at which payments have been credited to your virtual balance and selects enough unspent commitments to cover the amount. For each commitment it uses, it marks the corresponding nullifier as “spent” in the PoolManager contract. Once a nullifier is marked spent, the contract rejects any future attempt to withdraw using that same commitment. This is the double-spend protection mechanism. Without nullifiers, it would theoretically be possible to request multiple withdrawals against the same incoming payment. The PoolManager enforces that every commitment can only be redeemed once.
Nullifiers are marked on-chain as part of the withdrawal process. If a withdrawal fails after nullifiers are already marked, contact support — the system includes safeguards to prevent funds from being permanently locked, but manual intervention may be required.

The PoolManager contract

The PoolManager is a Soroban smart contract deployed on the Stellar network. It has two primary jobs:
  • Store commitments — Every confirmed payment results in a commitment being registered in the PoolManager. The contract maintains a list of all valid commitments and the current state of its commitment tree.
  • Track nullifiers — When a withdrawal is processed, the PoolManager records which nullifiers have been spent. It rejects any attempt to spend a nullifier that has already been used.
The PoolManager does not know your identity, your wallet address, or your account balance. It operates only on commitments and nullifiers — cryptographic values that carry no personal information. This means the contract itself is privacy-preserving by design: even if its entire state were made public, it would reveal nothing about who sent or received funds.
The PoolManager contract is one-time initialized with an admin wallet. This happens automatically when you first set up your Hypertron account. You do not need to initialize it manually.

Why this approach matters for your business

The commitment and nullifier system gives you two guarantees that would otherwise be in tension: Auditability — Every payment that credits your virtual balance has a corresponding on-chain commitment. If you ever need to demonstrate that payments occurred — to an auditor or regulator — the commitment history provides cryptographic proof that funds were received and processed correctly, without exposing client identities. Double-spend prevention — You cannot accidentally or fraudulently withdraw the same payment twice. The PoolManager enforces this at the contract level, so it is guaranteed by the Stellar blockchain rather than by Hypertron’s software alone. Client privacy — Because commitments contain no identifying information, no on-chain record ever links a client’s wallet address to a payment to your business. This protects your clients from surveillance and protects your business from accumulating sensitive financial relationship data.

The commitment lifecycle

Here is how a commitment moves through its lifecycle from your perspective:
1

Payment received

Your client submits a payment to the pool. Hypertron detects it on Horizon and reads the memo to attribute it to your account.
2

Commitment created

Hypertron generates a Poseidon commitment from the payment details and registers it in the PoolManager contract. Your virtual balance increases.
3

Withdrawal requested

You request a withdrawal from the dashboard. Hypertron selects enough unspent commitments to cover your requested amount.
4

Nullifiers marked

The PoolManager marks the nullifiers for each selected commitment as spent. Those commitments can no longer be used for future withdrawals.
5

Payout sent

Funds are transferred to your wallet through the Privacy Relay Layer. The withdrawal is recorded as completed in your dashboard.

Virtual balance

See how commitments translate into the balance shown in your dashboard.

Private payments

Understand how the shared pool and commitments work together to protect payer privacy.