Transaction ordering privacy
How to review pending transaction, mempool, RPC, bundler, builder, and sequencing exposure for DALP public EVM deployments.
Public EVM privacy is not limited to finalised blocks. Transactions can become visible before inclusion through RPC providers, block builders, sequencers, validators, bundlers, or other infrastructure in the transaction path.
DALP signs, submits, tracks, and reconciles configured EVM transactions. Private mempools, private order flow, encrypted mempools, and builder-specific privacy routes are deployment choices supplied by the selected network or provider.
Review questions
| Question | Direct answer | DALP mechanism | Deployment responsibility |
|---|---|---|---|
| Are critical tokenisation transactions private by default? | No. Mints, burns, redemptions, freezes, treasury changes, and role changes use the configured EVM transaction path unless the deployment selects a private route. | DALP coordinates signing, nonce use, contract calls, account abstraction routing, transaction submission, and tracking. | Evidence the RPC, bundler, builder, sequencer, validator, or private-routing path selected for the asset. |
| What is the mint and redemption risk on public networks? | Pending public-chain writes can expose operation type, token, signer, source or recipient, amount, timing, gas policy, nonce, and replacement attempts before finality. | DALP keeps private evidence out of calldata and events, tracks submitted writes, and reconciles final chain state. | Decide whether public pre-confirmation visibility is acceptable for the asset and jurisdiction. |
| What changes on a permissioned EVM network? | Public mempool exposure can be reduced, but validators, RPC operators, sequencers, and node operators can still observe ordering flow and pending operational intent. | DALP uses the same regulated asset controls on configured EVM networks. | The selected network owns validator governance, ordering policy, access logs, node access, confidentiality, and disputes. |
Exposure points
Treat any signed public-chain transaction as sensitive before broadcast.
| Exposure point | Position | What can leak | Operator control |
|---|---|---|---|
| Transaction calldata | DALP transaction path | Function selector, addresses, amounts, claim references, and encoded parameters | Use DALP contracts, APIs, and review workflows so private evidence and confidential identifiers stay out of calldata. |
| Pending transaction visibility | Network or provider choice | Intended operation before finality | Choose RPC, bundler, and submission paths that match the asset's confidentiality and fairness needs. |
| Transaction ordering | Network or provider choice | Timing, sequencing, replacement attempts, and possible front-running context | Review fee policy, nonce management, signer approval windows, and market-abuse controls with the selected network path. |
| Account abstraction bundling | DALP transaction path | UserOperation content submitted to a bundler before execution | Treat bundler submission as part of the public-chain transaction path unless the deployment proves a stronger control. |
| Custody approval latency | Custody and operator choice | Delayed or rejected approvals can reveal operational patterns after submission attempts | Use custody policies and approval windows that fit the asset's execution risk. |
| Replacement transactions | Transaction-recovery choice | Nonce use, fee changes, and recovery attempts | Keep transaction tracking and recovery records aligned with the selected network's replacement rules. |
Critical tokenisation operations
| Operation | Why ordering matters | Safer review question |
|---|---|---|
| Mint | A pending mint can reveal supply expansion, issuer activity, recipient patterns, and timing before finality. | Can the market, investors, or counterparties observe supply intent before the issuer is ready to disclose it? |
| Burn or redemption | A pending burn can reveal redemption pressure, treasury movement, or customer activity. | Does the programme accept public visibility of redemption timing and amounts? |
| Freeze or forced transfer | A pending control action can reveal enforcement intent before the action settles. | Does the legal or compliance process allow the action to be visible while pending? |
| Treasury or reserve update | A pending treasury action can reveal reserve management behaviour. | Which reserve facts can be public, and which assurance evidence stays off-chain? |
| Role change | A pending role update can reveal administrative control changes. | Are role addresses, signer relationships, and custody approvals safe to disclose? |
Safe claim boundaries
Do not claim these controls unless the selected deployment actually supplies and operates them:
- private RPC routing
- private order flow
- encrypted mempool submission
- builder-specific privacy routing
- permissioned validator access
- confidential transaction execution
- shielded token transfers
- guaranteed protection from front running or MEV
When a deployment uses one of those controls, document the provider, supported chains, submission route, failure behaviour, monitoring, audit evidence, and fallback path.
Where to go next
- Public chain privacy for the high-level decision frame.
- Private mempool routing for routing choices and limits.
- Signing flow for the DALP transaction path.
- Transaction tracking for following long-running chain actions.
Public EVM visibility model
What public EVM networks can expose when DALP assets use on-chain eligibility, claims, token events, and transaction history.
Privacy architecture patterns
Compare public eligibility, private evidence, permissioned EVM networks, privacy layers, and metadata minimisation patterns for regulated DALP assets.