Private payroll powered by zero-knowledge proofs. Pay your team without exposing salaries on chain.
Payroll on blockchain has a fundamental problem. Every transaction is public. If a company pays employees on chain, anyone can see exactly who received how much, trace wallet addresses, and reconstruct the entire salary structure. This makes blockchain payroll a non-starter for any serious organization that values employee privacy and competitive confidentiality.
Warden solves this by introducing a zero-knowledge privacy layer between the employer and employee. Organizations deposit USDC into a shielded privacy pool where funds become indistinguishable from one another. When payroll runs, transfers happen entirely inside this pool using zero-knowledge proofs. No external observer, no blockchain explorer, no competitor can see who paid whom or how much. The deposit going in and the withdrawal coming out are cryptographically unlinkable.
Employees receive funds in their own private accounts within the pool. They can check their balance, view payment history, and download PDF payslips from their portal. When they want to access their money, they withdraw to any wallet address. That withdrawal appears on chain but cannot be connected back to the employer, the payroll batch, or the original deposit.
Warden also tackles the problem of idle treasury funds sitting unproductive in the privacy pool. Through disposable burner wallets, organizations and employees can move funds into DeFi yield vaults without exposing their identity. A temporary wallet is created, funded privately from the pool, used to interact with the vault contract, and then destroyed after funds return to the pool. The entire round trip maintains privacy because the burner wallet has no connection to the user's real identity.
The platform supports cliff-based token vesting with linear schedules, so organizations can set up standard four-year vesting with one-year cliffs. Department management lets admins organize teams and run payroll by group. A full audit trail logs every treasury operation internally while keeping everything private externally. Employees get their own portal with payment history, withdrawal management, vesting progress tracking, and the same earn functionality to put their own private funds to work.
The invite system lets admins onboard employees through email links. New team members sign up with email, Google, or an existing wallet. A private account is automatically generated for them during onboarding so they can start receiving payments immediately without any crypto knowledge required.
The frontend is a Next.js 14 app using the App Router with server-side API routes that double as the backend. The UI is built with Tailwind CSS and shadcn/ui components. Authentication is handled by Privy, which gives us email, Google, and wallet login out of the box. Privy also creates embedded wallets for users who sign up with email or social login, so they get a wallet without ever thinking about one.
The privacy layer is powered by the Unlink SDK. This was the trickiest part of the build. The SDK is a Node.js library that cannot be bundled by Next.js webpack because it depends on native crypto primitives and ZK circuit code. To work around this, we run the SDK in a separate worker process spawned via child_process.execFile. Every privacy pool operation, such as deposit, withdraw, transfer, and registration, goes through this worker script.
For the earn feature we used Unlink's BurnerWallet API, which was probably the most interesting technical piece. A burner is a disposable Ethereum account created on the fly. The flow is: create the burner, fund it privately from the pool, have it interact with our EarnVault smart contract, then store its encrypted private key securely. When the user wants to withdraw from the vault later, we restore the burner from storage, call vault withdraw, approve Permit2, deposit USDC back into the privacy pool using the low-level SDK deposit function with custom signTypedData, and mark the burner as disposed. The private key is encrypted with AES-256-GCM before storage, using the same encryption we use for user mnemonics.
Every user gets a BIP39 mnemonic generated at onboarding, which derives their Unlink privacy pool identity. The mnemonic is encrypted with AES-256-GCM and only decrypted server side when performing pool operations.
Payroll execution uses Unlink's batch transfer capability. The backend collects all employee amounts, builds the transfer array, and submits it as a single privacy pool transaction. Each employee gets credited inside the pool without any public trace of individual amounts.
Vesting uses a cliff-plus-linear model calculated with BigInt arithmetic to avoid floating-point issues with token amounts. The release function transfers vested tokens privately through the pool to the employee's Unlink address.
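The cliff-plus-linear calculation described above, written out as an added example; this is not Warden's own code, and the function names, schedule fields and sample grant are assumptions made for illustration. It shows why amounts stay in BigInt base units and how rounding is kept from ever over-releasing.

```javascript
// Added example: cliff-plus-linear vesting in integer base units (BigInt).
// Function names and the sample schedule are hypothetical, not Warden's code.
const YEAR = 365n * 24n * 60n * 60n; // seconds

// Total amount vested at `now`; all times are unix seconds as BigInt.
function vestedAmount({ total, start, cliff, duration }, now) {
  if (total < 0n || duration <= 0n || cliff < 0n || cliff > duration) {
    throw new RangeError('invalid vesting schedule');
  }
  if (now < start + cliff) return 0n;        // nothing vests before the cliff
  if (now >= start + duration) return total; // end of schedule pays out everything
  // Multiply before dividing: BigInt division truncates, so rounding can only
  // under-release by less than one base unit, never over-release.
  return (total * (now - start)) / duration;
}

// What a release call may transfer now, given the amount already released.
function releasable(schedule, released, now) {
  const vested = vestedAmount(schedule, now);
  return vested > released ? vested - released : 0n;
}

// Replays release calls at the given times and returns the total released.
function simulateReleases(schedule, times) {
  let released = 0n;
  for (const now of times) released += releasable(schedule, released, now);
  return released;
}

// True when converting the amount to a float and back changes it.
function losesPrecisionAsFloat(amount) {
  return BigInt(Number(amount)) !== amount;
}

// Constructed schedule: 1,000,000 tokens at 18 decimals plus one base unit,
// four-year linear vesting with a one-year cliff.
const schedule = {
  total: 1_000_000n * 10n ** 18n + 1n,
  start: 1_700_000_000n,
  cliff: YEAR,
  duration: 4n * YEAR,
};

const yearly = [1n, 2n, 3n, 4n].map((y) => schedule.start + y * YEAR);
console.log(vestedAmount(schedule, schedule.start + YEAR - 1n)); // before cliff
console.log(vestedAmount(schedule, schedule.start + YEAR));      // at cliff
console.log(simulateReleases(schedule, yearly));                 // after 4 releases
console.log(losesPrecisionAsFloat(schedule.total));
```

Because the final branch returns the full grant, the truncated remainders from earlier releases are paid out with the last one and the released total matches the grant to the base unit.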

