Live on Ethereum Sepolia — dApp interface in active development

Safe controls who can spend.
VeilGuard keeps the policy itself confidential.

A Safe Module for treasuries that enforces encrypted spending policies — per-request auto-limits, delegated budgets and a minimum reserve — evaluated inside a TEE by the iExec Nox confidential computing protocol. The chain only ever learns a coarse outcome.

Why treasuries need this

Companies and DAOs want to delegate day-to-day spending without publishing their internal finances. On a transparent chain, every allowance module leaks the numbers that matter: how big each team's budget is, how much is left, at what amount extra approval kicks in, and how close the treasury is to its cash floor. Competitors, counterparties and attackers all read along.

For finance leads

Delegate routine payouts without publishing budgets, limits or the treasury's reserve line — and without signing every small payment yourself.

For operators

Submit a payment and get an answer — executable, needs approval, or blocked. You never see the full policy, so the policy can't be probed out of you.

For auditors

Receive a scoped, immutable disclosure snapshot of exactly the policy version and requests you're mandated to review. Nothing more, ever.

Three outcomes. Zero numbers revealed.

A delegate submits an encrypted amount. The policy decision is computed on ciphertext and funds are atomically reserved in the same transaction — a blocked request reserves an encrypted zero, indistinguishable on-chain.

WITHIN MANDATE

The request satisfies every encrypted rule. A confidential ERC-7984 transfer executes immediately; the private budget shrinks. Nobody learns the amount.

APPROVAL REQUIRED

Above the auto-limit. Funds stay reserved while a real Safe multisig proposal is collected. Signers — and only signers — can decrypt the amount.

BLOCKED

Budget, balance or reserve rule violated. No funds move, the budget is untouched, and the coarse reason stays private to the delegate and the finance admin.

How it works

The whole decision pipeline is select-only ciphertext computation — no branching, no revert oracles — finalized by a gateway decryption proof that the contract verifies on-chain.

Finance Admin ──proposeMandate (encrypted limits)──▶ VeilGuardModule ◀──activate── Safe multisig Delegate ──requestSpend (encrypted amount)──▶ policy evaluated on ciphertext in the Nox TEE ├─ budget check ── safeSub │ against the Safe's real confidential balance ├─ reserve check ─ safeSub + ge │ (the Safe lends the module transient handle access) ├─ auto-limit ──── le │ └─ decision = nested select ──▶ funds atomically reserved (encrypted zero when blocked) anyone ──finalize(decryptionProof)──▶ proof verified on-chain ──▶ execute / escalate / block Auditor ◀── scoped immutable snapshot handles — never live state, never future versions

Live deployment — Ethereum Sepolia

The full confidential loop is live and exercised on-chain: an encrypted mandate is active, a delegate spend has been evaluated in the TEE, finalized with a gateway proof and paid out — end to end, no mock data.

ContractAddress
VeilGuardModule0xaf1ca44d1c83bb800f2e791ab299bb0ad1a568cb
Safe (v1.4.1, module enabled)0x22Ab88236b21D4A528251474b05f5045c6e71e99
cUSDC (confidential ERC-7984 wrapper)0x71ac9a2872048f78dc3d627c6fe7f3b2f35467b3
TestUSDC (public faucet ERC-20)0x94c426eb57f5bb3fa9dfdbbbe7ae1efb2cb958ab
Nox NoxCompute (protocol)0x24Ef36Ec5b626D7DCD09a98F3083c2758F0F77bF

Measured on the live testnet: the full encrypted policy graph (two safe-subtractions, two comparisons and seven selects plus an escrow transfer) resolves in the TEE in ≈5 seconds.

Get testnet funds

VeilGuard runs on Ethereum Sepolia. You need a little Sepolia ETH for gas; the demo asset (TestUSDC) is claimable by anyone — its contract exposes a public faucet(), and the dApp will bundle claim + wrap-to-cUSDC into one click.

Google Cloud Faucet EASIEST

Sign in with any Google account, paste your address, receive 0.05 Sepolia ETH daily. No mainnet balance required.

cloud.google.com → Sepolia faucet ↗

pk910 PoW Faucet

No account at all — your browser mines for a few minutes and you claim the reward. Works for any address.

sepolia-faucet.pk910.de ↗

Alchemy Faucet

Instant drop if your mainnet address holds ≥ 0.001 ETH (their anti-abuse rule).

alchemy.com → Sepolia faucet ↗

Why links instead of an in-page claim? Sepolia ETH faucets are login- or captcha-gated by design (anti-abuse), so no site can legitimately dispense on your behalf. TestUSDC is ours — that one is a real in-app button.

Status & roadmap

MilestoneStatusNotes
Core contracts (module, ERC-7984 cUSDC, policy pipeline)LIVESolidity 0.8.35, select-only evaluation, atomic escrow
End-to-end suite on the local Nox stack (real TEE)DONE10 tests × 3 consecutive runs — 30/30 green
Ethereum Sepolia deployment + on-chain smokeLIVEEncrypted mandate active; first confidential payout executed
dApp interface (admin / delegate / signer / auditor views)IN BUILDWill replace this page at the same URL
Escalation flow in the official Safe{Wallet} UINEXTReal multisig proposals via the Safe Transaction Service

Confidentiality, not anonymity: addresses, timing and the coarse three-state outcome are public by design; amounts, limits, budgets and reserve floors are encrypted. Testnet prototype — not audited.