Why Monero's Optional Privacy Through CARROT Is Necessary But Much Worse Than Zcash's Optional Privacy
First of all, why is Monero introducing optional privacy with FCMP? It’s not because of compliance. It’s because in any system that relies on SNARKs and similar complex zero-knowledge proofs (like FCMP), the risk of an inflation bug is extremely high. This risk cannot be mitigated at the deeper level beyond a certain point, so it must be handled architecturally by splitting the network into a transparent pool and a shielded pool, and concentrating most of the liquidity in the transparent pool.
Since an exploit in proofs can happen only on the “dark” side of the network, this division makes it possible to detect a potential exploit at the final exit stage, by monitoring flows from the dark pool to the transparent pool.
How CARROT makes privacy optional in Monero like in Zcash
Original CryptoNote view keys showed only the incoming transactions of a given wallet. The CARROT upgrade introduces a new type of view key that shows both incoming and outgoing transactions. In other words, if you share your new CARROT view keys with an exchange, and that exchange reports those CARROT view keys to an entity like Chainalysis that pools all reported view keys in one place, then Monero for them becomes exactly like Zcash: a network consisting of a shielded pool and an unshielded pool.

As shown above, while the set of addresses that report their CARROT view key starts out really small, it grows very quickly. In the graph above the transparent pool is marked in green.
CARROT view key collection is enforced by law at the CEX level. If you’re a Monero user who wants to sell or buy Monero at a fair price, you will have to go through a node of deeper liquidity, i.e. a CEX like Binance. To stay compliant as a business, the CEX is mandated to request your CARROT view key for your withdrawal and/or depositing wallets, and to report it to regulators as the source of funds and the entire transaction history of the source of funds.
As Monero gets relisted on more CEXes and liquidity improves, even more people will start reporting their CARROT view keys to access that deeper liquidity.
On one hand we will have a growing pool of transparent addresses (transparent pool), and on the other there will be a constantly retreating pool of dark addresses (dark pool).
The transparent pool will include CEX addresses and also (at least) user addresses that are one hop away from exchanges and other centralized parties where CARROT view keys are required by law to be reported. Every time a CARROT view key is reported, the transparent pool grows bigger. And transparent here is the right word, because for these addresses regulators and chain analysis firms will know literally everything: incoming transactions, outgoing transactions, and balances, just like in a transparent Zcash UTXO. There is also a whole UTXO transaction graph that gets built here over time as more and more of these transparent addresses interact with each other.
NB: The set of transparent addresses can grow even bigger if there are wallets that leak the CARROT view keys like Feather Wallet used to do with the old view keys.
Shielding and Unshielding, Just Like In Zcash
As explained, most of the addresses in the green set are either addresses owned by centralized parties where most of the liquidity is concentrated, or user addresses that are adjacent to these centralized parties (and have had to report their CARROT key for compliance reasons). But they can also include any address whose CARROT view key has been leaked by the wallet or in other ways.
Whenever money moves from an address whose CARROT key hasn’t been reported/leaked, to an address whose CARROT key has been reported and/or leaked, that’s the equivalent of an unshielding transaction in ZEC. When money moves from an address whose CARROT view key has been reported, to an address whose CARROT view key hasn’t been reported and/or leaked, that’s the equivalent of a shielding transaction. Now let me show you visually what that means:

Since most of the liquidity is in the “green” set, the network inertia will be to unshield in order to access that liquidity.
Remember all the attack vectors Chainalysis has been telling you about in ZEC, such as correlating amounts, timing etc. in the shielding/unshielding process to deanonymize even shielded transactions? That exact attack vector becomes possible on Monero post-FCMP, and it’s even more powerful than on ZEC because in ZEC users know where the line between the shielded pool and the transparent pool is. In Monero they don’t: this information is accessible exclusively to Chainalysis. You have no idea if an address you’re sending money to has had its CARROT view key leaked or not.
Why Optional Privacy is Required in FCMP Monero
SNARKs and FCMP are very complex mathematical proofs that compress multiple parameters into a single proof. Moreover, these proofs are also in an architectural position that allows bypassing all other constraints, allowing an exploiter to spend ghost outputs. I explained this in depth in my Telegram; in a few words: if they find a flaw in SNARK or FCMP and they exploit it, an attacker can literally create money out of thin air, without even having to reference an existing output.
Zcash has been the pioneer in this field, and despite the presence of world-class scientists and an entire company looking after it, even in Zcash two fatal bugs have been found in SNARKs so far: one in 2018 in Sprout (by Ariel Gabizon), and one as recently as July 2025 in Halo 2 (Query Collision Bug by zkSecurity).
FCMP has the same risk profile as SNARKs, because there too output membership, range proofs, etc. have to be compressed into a single circuit from which an FCMP is generated that should be able to verify their validity while making it impossible for invalid transactions to pass.
Since there is a high risk of such catastrophic bugs, which cannot be mitigated beyond a certain point due to the very complex and abstract math involved, optional privacy is required in these systems. Concentrating liquidity in the transparent pool creates the backstop of last resort against a potential exploit.
The transparent pool acts as a backstop against a potential exploit because any attack can only happen in the “dark pool” of addresses. If a bug is exploited on a transparent address (one whose CARROT view key has been leaked), then the exploit will be detectable onchain (for the parties that have access to the CARROT pool), just like with Bitcoin. So to succeed, an attacker will eventually have to exploit in a dark address, and then they will have to “unshield” the forged coins to access liquidity and cash out. Since unusually large unshielding transactions can be detected by centralized entities with access to the pool of CARROT view keys, flows are used to detect potential exploits and contain damage in a worst-case scenario by intervening at the exit stage.
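The exit-stage monitoring described above, as an added sketch (not code from the original post or from any Monero or chain-analysis tool): transfers are classified as shielding or unshielding relative to a set of wallets with reported view keys, and windows with abnormally high unshielding volume are flagged. The `Transfer` model, the wallet labels, the 100-block window and the 5x-median threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Transfer:
    height: int      # block height
    sender: str      # wallet label (constructed, hypothetical)
    receiver: str
    amount: float    # amount visible through a reported view key

def classify(t, reported):
    """Label a transfer relative to wallets whose view key is reported/leaked."""
    s, r = t.sender in reported, t.receiver in reported
    if s and r:
        return "transparent"
    if r:
        return "unshield"              # unreported -> reported
    return "shield" if s else "dark"   # reported -> unreported, or unseen

def unshield_volume(transfers, reported, window):
    """Total unshielded amount per window of `window` blocks."""
    vol = {}
    for t in transfers:
        if classify(t, reported) == "unshield":
            w = t.height // window
            vol[w] = vol.get(w, 0.0) + t.amount
    return vol

def flag_windows(vol, factor=5.0, min_history=3):
    """Windows whose volume exceeds factor x the median of earlier windows."""
    flagged, history = [], []
    for w in sorted(vol):
        if len(history) >= min_history and vol[w] > factor * median(history):
            flagged.append(w)
        history.append(vol[w])
    return flagged

# Constructed sample data: labels, heights and amounts are invented.
REPORTED = {"cex_hot", "alice", "bob"}
SAMPLE = [
    Transfer(10, "dark1", "cex_hot", 12.0),
    Transfer(40, "alice", "dark2", 5.0),       # shielding
    Transfer(130, "dark3", "alice", 9.0),
    Transfer(250, "dark4", "bob", 11.0),
    Transfer(310, "dark5", "cex_hot", 10.0),
    Transfer(420, "dark6", "cex_hot", 900.0),  # abnormal exit flow
    Transfer(430, "dark7", "dark8", 50.0),     # invisible to the observer
]
print(flag_windows(unshield_volume(SAMPLE, REPORTED, window=100)))
```

Only an observer holding the `REPORTED` set can run this check, which is the asymmetry the post describes: without that set, every transfer classifies as "dark".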
Why In Monero FCMP Optional Privacy Is Even Worse Than In Zcash
In Zcash the set of unshielded notes and shielded notes is public: everyone knows the balance of coins sitting in the transparent pool versus the balance in the dark pool, and anyone can monitor any unusual flows. In Monero, this information will be available only to regulators and firms like Chainalysis and TRM Labs. In other words, in Monero you, the user, are much more likely to be the last one to find out if something goes wrong, because there is no public transparent pool that everyone can monitor for signs of unusually high “deshielding” flows.