# Transaction ordering privacy Source: https://docs.settlemint.com/docs/compliance-security/privacy/transaction-ordering-privacy What can leak from pending transactions on public EVM networks and which routing controls reduce that exposure before finality. Public EVM privacy does not start at block inclusion. Transactions can become visible before they land through RPC providers, block builders, sequencers, validators, bundlers, or other infrastructure in the submission path. DALP manages the full transaction lifecycle from signing through reconciliation. Private mempools, encrypted submission, and builder-specific privacy routes are choices the selected network or provider supplies. You decide which of these apply to your asset programme. ## Review questions [#review-questions] | Question | Direct answer | DALP mechanism | Deployment responsibility | | ---------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | | Are critical tokenisation transactions private by default? | No. Mints, burns, redemptions, freezes, treasury changes, and role changes use the configured EVM transaction path unless the deployment selects a private route. | DALP coordinates signing, nonce use, contract calls, account abstraction routing, transaction submission, and tracking. | Evidence the RPC, bundler, builder, sequencer, validator, or private-routing path selected for the asset. | | What is the mint and redemption risk on public networks? | Pending public-chain writes can expose operation type, token, signer, source or recipient, amount, timing, gas policy, nonce, and replacement attempts before finality. | DALP keeps private evidence out of calldata and events, tracks submitted writes, and reconciles final chain state. | Decide whether public pre-confirmation visibility is acceptable for the asset and jurisdiction. | | What changes on a permissioned EVM network? | Public mempool exposure can be reduced, but validators, RPC operators, sequencers, and node operators can still observe ordering flow and pending operational intent. | DALP uses the same regulated asset controls on configured EVM networks. | The selected network owns validator governance, ordering policy, access logs, node access, confidentiality, and disputes. | ## Exposure points [#exposure-points] Treat every signed public-chain write as sensitive before you broadcast it. | Exposure point | Position | What can leak | Operator control | | ------------------------------ | --------------------------- | --------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | | Transaction calldata | DALP transaction path | Function selector, addresses, amounts, claim references, and encoded parameters | Use DALP contracts, APIs, and review workflows so private evidence and confidential identifiers stay out of calldata. | | Pending transaction visibility | Network or provider choice | Intended operation before finality | Choose RPC, bundler, and submission paths that match the asset's confidentiality and fairness needs. | | Transaction ordering | Network or provider choice | Timing, sequencing, replacement attempts, and possible front-running context | Review fee policy, nonce management, signer approval windows, and market-abuse controls with the selected network path. | | Account abstraction bundling | DALP transaction path | UserOperation content submitted to a bundler prior to execution | Treat bundler submission as part of the public-chain transaction path unless the deployment proves a stronger control. | | Custody approval latency | Custody and operator choice | Delayed or rejected approvals can reveal operational patterns after submission attempts | Use custody policies and approval windows that fit the asset's execution risk. | | Replacement transactions | Transaction-recovery choice | Nonce use, fee changes, and recovery attempts | Keep transaction tracking and recovery records consistent with the selected network's replacement rules. | ## Critical tokenisation operations [#critical-tokenisation-operations] | Operation | Why ordering matters | Safer review question | | -------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------- | | Mint | A pending mint can reveal supply expansion, issuer activity, recipient patterns, and timing before finality. | Can the market, investors, or counterparties observe supply intent before the issuer is ready to disclose it? | | Burn or redemption | A pending burn can reveal redemption pressure, treasury movement, or customer activity. | Does the programme accept public visibility of redemption timing and amounts? | | Freeze or forced transfer | A pending control operation can reveal enforcement intent before it settles. | Does the legal or compliance process allow the operation to be visible while pending? | | Treasury or reserve update | A pending treasury operation can reveal reserve management behaviour. | Which reserve facts can be public, and which assurance evidence stays off-chain? | | Role change | A pending role update can reveal administrative control changes. | Are role addresses, signer relationships, and custody approvals safe to disclose? | ## Safe claim boundaries [#safe-claim-boundaries] Each control is valid only when the selected network or provider actively supplies and operates it. Submission-path controls cover private RPC routing, private order flow, and encrypted mempool submission. Builder-specific privacy routing falls in this category. Execution-layer controls cover permissioned validator access, confidential transaction execution, and shielded token transfers. They do not guarantee protection from front running or MEV. Only claim a control when the provider has confirmed it applies to your deployment. For each control you use, record the provider and the chains it covers. Record the submission route, failure behaviour, and fallback path alongside the monitoring approach and audit trail. ## Where to go next [#where-to-go-next] * [Public chain privacy](/docs/compliance-security/privacy/overview) for the high-level decision frame. * [Private mempool routing](/docs/compliance-security/privacy/private-mempool-routing) for routing choices and limits. * [Signing flow](/docs/architects/flows/signing-flow) for the DALP transaction path. * [Transaction tracking](/docs/developers/operations/transaction-tracking) for following long-running chain operations.