tl;dr - one of the reasons I heard people hyping things like Citrea was that it would allow for improved privacy protocols on Bitcoin. Crest claims to be such a thing, but I am very disappointed. You must accept a custodial trade-off and as far as their scanty docs show, they are screening for "compliance."
Crest claims "Private Bitcoin at last"
Back when Citrea launched on mainnet in January (#1420746), they teased a number of new protocols and apps that were going to be built using all the fancy new BitVM stuff from Citrea.
One of these was a "privacy pool" called Crest. I was curious about this tool because it claimed to be "Private Bitcoin" and "self-custodial." Unfortunately, the website does not contain many details:
Their github is also somewhat sparse, but it says that Crest is a fork of something called the Nocturne Protocol.
Crest launched a closed beta a few days ago. This is how they describe their wallet:
Crest is a privacy-first Bitcoin mobile wallet powered by a zero-knowledge privacy pool built on @citrea_xyz.
Privacy-first Bitcoin wallet sounds good. However, as seems to be the case with most new wallets these days, some questions should be asked. Here is my attempt to understand how/whether it might be useful to Bitcoiners.
Is it self custodial?
First, Crest is built on Citrea -- so in order to use it, you need to use Citrea and it inherits all the custody properties of Citrea. Here is a screenshot from the Crest app. As you can see you can only deposit cBTC into Crest:
So, if you want to use Crest, you must send it a token called cBTC. In order to get cBTC you have to send real BTC to a deposit address. This is a taproot address that will give control of your sats to a multisig controlled by a group of signers.
Signers - a committee of n signers that pre‑signs the allowed spend rules. These signers emulate covenant‑like restrictions: funds can only move along Clementine’s approved paths, or they are returned to the user if user deposit is not moved to vault by signers in time. Clementine website
This means you send your sats to a multisig you do not control.
You might ask, "Why would anyone do such a thing?"
I believe the Citrea answer is that their publicly released code that they say they are running allows you to "force" them to mint cBTC if you can prove that you deposited BTC into their vault. Here is a diagram to explain how all that works (we'll get into some of it later):
Now, just what exactly is cBTC?
It's a token that could just as well be called "toothpaste coin" or "butthole coin." It exists on Citrea's EVM rollup chain. This means it is a blockchain that follows the Ethereum Virtual Machine rules and that Citrea regularly posts enough information about it to the Bitcoin mainchain (via inscriptions) that you should be able to reconstruct it and verify that they haven't been cheating...if you have a good enough computer.
Citrea has a batch explorer you can use to find the txids for these state diff transactions.
This is what one of those transactions looks like:
If you look at the transaction, you will notice that it has a pretty lengthy witness as well as a long taproot script. I believe this kind of transaction is some of what filter-proponents don't like. Also, I believe Citrea uses inscriptions to do this, so you can have a look at what that looks like if you want, too.
If you have cBTC, what are your guarantees that you can get your sats back?
Citrea says in many places that it relies on a 1-of-N trust assumption, which means that as long as there is one honest entity in this thing, you can get your sats back. This means someone else holds your sats. It is certainly not self-custody.
I tried to look up if Citrea has published a list of the signers or operators (one of whom must be honest for this to work) and I did not find it. So at the current moment, you are trusting Citrea that the N in 1-of-N is more than 1.
I also tried to find one of their vault utxos to see what it looked like, but during a brief search this afternoon, I was not able to get enough info to identify one.
So: this means that to use Crest you must give up custody of your sats.
Is it private?
Phew, I'm tired. The private question will hopefully be a little more straightforward.
I'm not the best at EVM stuff, but the fact that Crest exists implies that the things you do inside the Citrea rollup chain are generally publicly viewable -- or at least viewable to Citrea. So, we'll start with the assumption that you aren't gaining any privacy by selling your BTC for cBTC tokens.
What about this privacy tool thing called Crest?
What the hell is Nocturne?
When I reached out to one of the developers behind Crest to ask about the details, they directed me to the detail-limited Crest github repo. But that github repo says that it is a fork of this thing called Nocturne, so let's have a look at that:
At a high level, users can deposit assets into the protocol to one of their stealth addresses. Later, in the future, they can prove ownership of said assets in zero-knowledge for use in arbitrary anonymous contract interactions or confidential payments.
They have this easy to understand diagram:
Trying to figure out how it works, I pretty quickly came to this paragraph:
Deposits are how users can move assets into Nocturne such that they can be transacted with privately in the future. Currently, in order to minimize the inflow of illicit funds, deposits into Nocturne initially go into the Deposit Manager contract. Assets will wait in the contract until an offchain actor called the screener signs off on and completes deposits below a certain compliance risk threshold. Please see our compliance section for the rationale behind the design decision and our long term plans for improving permissionlessness.
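To make the shape of that deposit flow concrete, here is a toy model of a screened privacy pool. It is an added illustration written for this post, not code from Crest, Nocturne or Citrea. Everything about it is an assumption: the screener's policy is reduced to one constructed numeric risk score per deposit, the "zero-knowledge" membership proof is replaced by a Merkle path checked in the clear, and the class and field names are invented. What it shows is which party learns what: the pool's tree only ever stores commitments, the public log of a withdrawal carries no depositor address, but the screener's log necessarily ties every depositor identity to an approve/reject decision before any coin reaches the pool.

```python
"""Toy model of a screened privacy pool (constructed illustration, not Crest/Nocturne code)."""
import hashlib
from dataclasses import dataclass


def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


@dataclass
class Deposit:
    depositor: str        # rollup sender address: public on a transparent EVM chain
    amount: int           # constructed unit: sats of cBTC
    commitment: bytes     # sha(secret || amount): the only thing the pool itself stores
    risk_score: float     # constructed input to the screener's policy (assumption)


class MerkleTree:
    """Minimal append-only Merkle tree; odd levels duplicate the last node."""
    def __init__(self):
        self.leaves = []

    def add(self, leaf: bytes) -> int:
        self.leaves.append(leaf)
        return len(self.leaves) - 1

    @staticmethod
    def _next_level(level):
        if len(level) % 2:
            level = level + [level[-1]]
        return [sha(level[i], level[i + 1]) for i in range(0, len(level), 2)]

    def root(self) -> bytes:
        level = list(self.leaves) or [b"\x00" * 32]
        while len(level) > 1:
            level = self._next_level(level)
        return level[0]

    def path(self, index: int):
        path, level, i = [], list(self.leaves), index
        while len(level) > 1:
            if len(level) % 2:
                level = level + [level[-1]]
            path.append((level[i ^ 1], i % 2 == 0))   # (sibling hash, sibling is on the right)
            level, i = self._next_level(level), i // 2
        return path

    @staticmethod
    def verify(leaf: bytes, path, root: bytes) -> bool:
        node = leaf
        for sibling, sibling_right in path:
            node = sha(node, sibling) if sibling_right else sha(sibling, node)
        return node == root


class ScreenedPool:
    """Deposit Manager gate in front of a commitment pool (structure assumed, not Nocturne's code)."""
    def __init__(self, risk_threshold: float):
        self.threshold = risk_threshold
        self.pending = {}             # commitment -> Deposit, parked in the Deposit Manager
        self.tree = MerkleTree()
        self.spent_nullifiers = set()
        self.screener_log = []        # identity-linked record only the screener holds
        self.public_log = []          # what anyone watching the rollup sees

    def deposit(self, dep: Deposit) -> None:
        self.pending[dep.commitment] = dep
        self.public_log.append(("deposit", dep.depositor, dep.amount, dep.commitment.hex()[:8]))

    def screen(self) -> None:
        """Off-chain screener completes deposits under the threshold and returns the rest."""
        for commitment, dep in list(self.pending.items()):
            approved = dep.risk_score < self.threshold
            self.screener_log.append((dep.depositor, dep.risk_score, approved))
            if approved:
                self.tree.add(commitment)
                self.public_log.append(("completed", commitment.hex()[:8]))
            else:
                self.public_log.append(("returned", dep.depositor, dep.amount))
            del self.pending[commitment]

    def withdraw(self, secret: bytes, amount: int) -> bool:
        """Prover and verifier merged; a real ZK proof would hide the leaf and path from the verifier."""
        commitment = sha(secret, amount.to_bytes(8, "big"))
        nullifier = sha(b"nullifier", secret)       # prevents spending the same note twice
        if nullifier in self.spent_nullifiers or commitment not in self.tree.leaves:
            return False
        index = self.tree.leaves.index(commitment)
        if not MerkleTree.verify(commitment, self.tree.path(index), self.tree.root()):
            return False
        self.spent_nullifiers.add(nullifier)
        self.public_log.append(("withdraw", nullifier.hex()[:8], amount))   # no address, no commitment
        return True


def demo():
    """Two constructed depositors: one passes the screener, one is returned unscreened."""
    pool = ScreenedPool(risk_threshold=0.5)
    alice_secret, bob_secret, amount = b"alice-secret", b"bob-secret", 100_000
    pool.deposit(Deposit("alice", amount, sha(alice_secret, amount.to_bytes(8, "big")), 0.1))
    pool.deposit(Deposit("bob", amount, sha(bob_secret, amount.to_bytes(8, "big")), 0.9))
    pool.screen()
    return {
        "alice_withdraw": pool.withdraw(alice_secret, amount),
        "alice_double_spend": pool.withdraw(alice_secret, amount),
        "bob_withdraw": pool.withdraw(bob_secret, amount),
        "screener_log": pool.screener_log,
        "public_log": pool.public_log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and compare the two logs: the public log shows the withdrawal only as a nullifier and an amount, which is the output-side unlinkability a pool is meant to give, while the screener log holds a full identity-to-decision record, and any deposit the screener does not approve never enters the tree at all.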
I have to admit that at this point, I have run out of motivation to continue. I'm not a developer and I don't work on privacy tech, so I don't face the legal consequences that such individuals do. However, I am not interested in using privacy tech that begins with a compliance check.
If you want to learn more about how Crest works, feel free to read the Nocturne docs (until Crest decides to publish their own) or follow back this X thread from one of their developers.
this complaint always comes from someone who doesn't know how or is too lazy to manage their UTXOs.
any improvement is welcome, actual improvement, not this kind of shitcoin 2.0.
As far as I know, they haven't marketed themselves as self-custodial. I asked one of the Citrea cofounders specifically about their "trust minimized" setup - https://x.com/Kruwed/status/2032221603568787501
Sure, but if they are going to call it Bitcoin, and use the kind of language they use to advertise, the implication to me is that it's actual Bitcoin that one is "encrypting" (their words).
"Buy this other privacy coin" seems like a more honest way to market.
If anyone could challenge instead of 1 of n, would you change your mind?
meh. they need to downplay. I've lost friends over their downplaying.
https://twiiit.com/Kruwed/status/2032221603568787501
I just called some spooks and asked them how large my stack is and they both got it wrong so fuck these guys.
Yeah, if this is the promised land of privacy, I think we need to go back into the desert.
Among the top5 of best times in my life was definitely living in the wadis. So heck yeah let's go to the desert. And use wasabi.
Why didn't you title this post: How to annoy Darth 🤣🤣🤣
Ah yes, that probably would have been a better title. Although, I wonder if I shouldn't just make it a whole territory -- there are so many fake self custody projects in Bitcoin these days.
The question is, how many more ark spark liquid projects emerge in the coming years vs true lightning heralded by you guys
And how many newly orange pilled peeps fall in the trap vs walking the righteous path
Darth is unapologetic and refuses to accept anything less than the correct way
But there are some who will concede some ground to make the best of a bad situation
And that will lay down the grass roots of what's to come
Which side is more dominant is yet to be seen
https://twiiit.com/citrea_xyz/status/2032494959795081443
Cool concept, but if you don’t control your coins, it’s not really private. I’ll stick to tools I fully control.
ohh pancito
Lol
Interesting analysis. I think the tradeoffs between privacy and compliance will continue to evolve.
The Nocturne Protocol fork is the tell. Nocturne was built explicitly for compliance-aware ZK mixing on EVM — its "association set" design requires a trusted curator to decide which inputs are "clean." That's architecturally incompatible with meaningful privacy.
The fundamental problem with ZK privacy pools + compliance screening: the screener sees your deposit. You gain plausible deniability on the output side, but the input association is visible to whoever runs the compliance oracle. On a transparent ledger, that oracle knows your UTXO history. The ZK proof hides you from outside observers — not from the compliance party doing the screening.
Compare to real Bitcoin privacy tools: Silent Payments (BIP-352), PayJoin, CoinJoin implementations. None require a compliance oracle. No party gains information asymmetry over you in the process. There's no "we screened you and approved" step because there's no screener.
If Crest needs to decide whether your coins are "clean" before letting you join the pool, they know which UTXOs you're bringing. That's the privacy leak. Everything after that is theater.