RareSkills Blog

Intermediate Signals and Sub-Component
Circom’s primary purpose is to compile down to a Rank 1 Constraint System (R1CS), but its secondary purpose is to populate the witness. For most circuits,…

Symbolic Variables in Circom
A symbolic variable in Circom is a variable that has been assigned values from a signal. When a signal is assigned to a variable (thereby turning…

Quadratic Constraints
Circom Constraints A Rank 1 Constraint System has at most one multiplication between signals per constraint. This is called a “quadratic” constraint. Any constraint containing an operation other…

Circom Template Parameters, Variables, Loops, If Statements, Assert
This chapter covers essential syntax, which you’ll see in most Circom programs. With Circom, we’re able to define a Rank 1 Constraint…

Hello World Circom
Introduction This chapter shows the relationship between Circom code and the Rank 1 Constraint System (R1CS) it compiles to. Understanding R1CSs is critical to understanding Circom, so…

Introduction to ZK Circuits with Circom
Circom is a programming language for creating Rank 1 Constraint Systems (R1CS) and populating the witness vector of the R1CS. The R1CS format is…

Tick limits in Uniswap V3
The smallest tick in Uniswap v3 is -887,272 and the largest tick is 887,272. This chapter explains the rationale behind this range, which is based…

Square Root Price in Uniswap V3
In Uniswap V2, the protocol tracks token reserves and derives the spot price, $p_x=y/x$, and total liquidity, $L=xy$, where $x$ and $y$ are the…

ERC-6909 Minimal Multi-Token Standard
The ERC-6909 token standard is a streamlined alternative to the ERC-1155 token standard. The ERC-1155 standard introduced a multiple-token interface that allows a single smart contract…

Coding a Solidity rebase token
A “rebase token” (sometimes “rebasing token”) is an ERC-20 token where the total supply, and the balances of token holders, can change without transfers, minting,…

The Diamond Proxy Pattern Explained
The Diamond Pattern (ERC-2535) is a proxy pattern where the proxy contract uses multiple implementation contracts simultaneously, unlike the Transparent Upgradeable Proxy and UUPS, which…

Q Number Format
Q number format is a notation for describing binary fixed-point numbers. A fixed-point number is a popular design pattern in Solidity for storing fractional values, since the…

Introduction to Proxies
Proxy contracts enable smart contracts to retain their state while allowing their logic to be upgraded. By default, smart contracts cannot be upgraded because deployed bytecode cannot…

Introducing ticks in Uniswap V3
This article explains what ticks are in Uniswap V3. Ticks enable gas-efficient accounting of concentrated liquidity, so let’s quickly review concentrated liquidity first. Concentrated liquidity…

How Concentrated Liquidity in Uniswap V3 Works
This article explains how Uniswap V3 implements concentrated liquidity. We assume the reader already understands Uniswap V2. To understand concentrated liquidity, we first…

ERC-1155 Multi Token Standard
The ERC-1155 standard describes how to create both fungible and non-fungible tokens and incorporate them into a single smart contract. This saves significant deployment costs when…

Range Proof
A range proof in the context of inner product arguments is a proof that the scalar $v$ has been committed to $V$ and $v$ is less than $2^n$…

Reducing the number of equality checks (constraints) through random linear combinations
Random linear combinations are a common trick in zero knowledge proof algorithms to enable $m$ equality checks to be…

Inner Product Algebra
In this article, we give some useful algebraic tricks for inner products that will be useful in deriving range proofs (and encoding circuits as inner products) later.…

Bulletproofs ZKP: Zero Knowledge and Succinct Proofs for Inner Products
Bulletproofs ZKPs allow a prover to prove knowledge of an inner product with a logarithmic-sized proof. Bulletproofs do not require…

Logarithmic sized proofs of commitment
In a previous chapter, we showed that multiplying the sums of elements of the vectors $\mathbf{a}$ and $\mathbf{G}$ computes the sum of the outer product…

Succinct proofs of a vector commitment
If we have a Pedersen vector commitment $A$ which contains a commitment to a vector $\mathbf{a}$ as $A = a_1G_1 + a_2G_2+\dots + a_nG_n$…

A Zero Knowledge Proof for the Inner Product
An inner product argument is a proof that the prover carried out the inner product computation correctly. This chapter shows how to…

Zero Knowledge Multiplication
Zero Knowledge Multiplication of Polynomials Using the polynomial commitment scheme from the previous chapter, a prover can show that they have three polynomials $l(x)$, $r(x)$, and $t(x)$…

Introduction to ZK Bulletproofs
Bulletproofs are a zero knowledge inner product argument, which enable a prover to convince a verifier that they correctly computed an inner product. That is, the…

Storage Slot III (Complex Types)
Storage Slots of Dynamic Types (Mappings, Arrays, Strings, Bytes) Dynamic-sized types in Solidity (sometimes referred to as complex types) are data types with variable size. They include mappings, nested mappings,…

Assembly revert
Reverting transactions using inline assembly can be more gas-efficient than using the high-level Solidity revert or require statement. In this guide, we’ll explore how the different types of…