Z-Umbra: Privacy as a Commodity — An On-Chain Anonymity Market on Avalanche

We won the Avalanche track at Team 1 Hackathon, Hyderabad. This is not a writeup about what I built. It’s a writeup about what I realized.


The internet has an economy. You just don’t see your cut.

Every time you browse, your attention is mined. Your behaviour patterns are harvested. Your data is packaged and sold to advertisers, analysed by brokers, and handed to platforms who built empires on a simple insight: that you’d give it all away for free, as long as the product was good enough.

You are not the user. You are the resource.

Z-Umbra is built on the exact inversion of that idea.

Instead of corporations mining you, you sell privacy itself — your bandwidth, your IP, your momentary anonymity — on an open, trustless market. You set the price. You accept the exchange. You earn AVAX. And then the transaction vanishes like it never happened.

This is privacy as a commodity: something you own, something you can sell, something that has real economic value you’ve been giving away for nothing.


The Problem: You Are the Product

Every tool sold as “privacy” today still has a fundamental flaw.

Centralised VPNs are a more comfortable prison. You pay to trust them. They log everything, even when they say they don’t. They can be subpoenaed, hacked, or sold.

Tor is noble but its exit nodes are publicly mapped. State-level actors know exactly where to watch.

These aren’t solutions. They’re illusions of safety, built on the same broken model: they need something from you — your data, your payment, your identity — to function. They are still the ones extracting value.

The question I asked going into the hackathon was different. What if privacy was something you could sell instead of something someone sold you?

Not “how do I hide?” but: “how do I own what I already have, and trade it on my terms?”


The Core Idea: Proof of Risk

Here’s the thing nobody talks about. When you share your connection with a stranger, you are taking on real risk. Legal risk. Network risk. You are providing an exit point for someone else’s traffic, and if that traffic is illegal, your IP is the one that shows up.

That risk has value. Right now, you bear it for free — VPN companies are built on top of the risk that their servers take on your behalf, which is why you pay them.

Z-Umbra asks: what if you captured that value instead?

The UMBRA token is the currency for risk. Not a speculative toy. Not a governance vote. It is the unit of exchange for a single, precious commodity: the act of being an exit node. Every session is a microtransaction where:

  • A Host (bandwidth seller) takes on the risk of being an exit point
  • A Client (anonymity buyer) pays for the privilege of routing through the Host’s IP
  • The smart contract holds the AVAX in escrow so neither party can cheat
  • The transaction settles in under a second on Avalanche Fuji
  • The network vanishes

This is the inversion: instead of being mined, you mine back.


The Architecture

The blockchain is not the traffic handler. That’s a critical distinction. The blockchain is the bulletin board (host discovery) and the bank (payment escrow). The actual anonymization happens off-chain, directly peer-to-peer.

flowchart TD
    subgraph MARKET["Privacy Market — UmbraProtocol.sol (Avalanche Fuji C-Chain)"]
        SC["UmbraProtocol.sol\nNode registry + AVAX escrow"]
    end
    subgraph HOST["Bandwidth Seller (Host Phone)"]
        HA["Kotlin Android App"]
        HP["Ephemeral Hotspot\n(AP-isolated, sandboxed)"]
        PROXY["Local SOCKS5 Proxy\n(zero-log)"]
        HA --> HP
        HA --> PROXY
    end
    subgraph CLIENT["Anonymity Buyer (Client Phone)"]
        CA["Kotlin Android App"]
        GHOST["Traffic routes through\nHost's cellular IP\nClient's IP: invisible"]
        CA --> GHOST
    end
    HA -->|"registerNode()\nencrypted hotspot creds"| SC
    CA -->|"requestConnection()\n+ AVAX escrow locked"| SC
    SC -->|"creds decrypted\nfor authorized client"| CA
    CA -->|"connects directly\nto ephemeral hotspot"| HP
    HP --> PROXY
    PROXY -->|"exit traffic via\nHost's cellular"| GHOST
    HA -->|"fulfillConnection()\nAVAX released"| SC
    SC -->|"refund() if timeout"| CA

stateDiagram-v2
    [*] --> PENDING : client pays into escrow\nrequestConnection()
    PENDING --> FULFILLED : host calls fulfillConnection()\nAVAX released to host
    PENDING --> REFUNDED : client calls refund()\nafter timeout — AVAX returned
    FULFILLED --> [*] : hotspot destroyed\nproxy logs never written\napp state wiped
    REFUNDED --> [*]

The vanishing act is the most elegant part. When the session ends:

  1. The Kotlin app calls destroy_hotspot() — the UmbraNode_7A3F SSID ceases to broadcast
  2. The zero-log proxy flushes its memory — it was never writing to disk
  3. The app programmatically removes the saved network from the phone’s WiFi history
  4. The blockchain retains only: Address_B received X AVAX from Address_C at timestamp T

It does not record why. It does not record IP addresses. It does not record what was transferred. A permanent, context-free financial record — which is exactly what makes it trustless — while the actual connection evidence was designed to be ephemeral.

The ghost of the connection is separated from the ghost of the payment. Proving the link between them is nearly impossible.


The On-Chain Core: UmbraProtocol

The UmbraProtocol smart contract was written in Solidity, built with Hardhat, and deployed on Avalanche Fuji (chainId: 43113).

Three operations power the entire market:

requestConnection(hostAddress) — Buyer pays

The client locks AVAX in escrow. The funds are held by the contract, not by me and not by any server. The contract is the bank.

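// UmbraProtocol.sol (simplified)
function requestConnection(address host) external payable {
    require(msg.value > 0, "Must escrow AVAX");
    // Allocate a fresh session id. The counter name is assumed; the excerpt does not show it.
    uint256 sessionId = nextSessionId++;
    sessions[sessionId] = Session({
        client: msg.sender,
        host: host,
        value: msg.value,          // escrowed amount, held by the contract
        status: Status.PENDING,
        createdAt: block.timestamp // start of the refund timeout window
    });
    emit ConnectionRequested(sessionId, msg.sender, host, msg.value);
}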

registerNode() + fulfillConnection(sessionId) — Seller claims payment

The host registers its node on-chain with encrypted hotspot credentials. After the session completes, the host calls fulfillConnection to release the escrowed AVAX. No delivery → no payment.

function fulfillConnection(uint256 sessionId) external {
    Session storage s = sessions[sessionId];
    require(msg.sender == s.host, "Not session host");       // only the session's host can claim
    require(s.status == Status.PENDING, "Already resolved"); // each session settles once
    s.status = Status.FULFILLED;                             // update state before paying out
    payable(s.host).transfer(s.value);                       // transfer() forwards a 2300-gas stipend
    emit ConnectionFulfilled(sessionId, s.value);
}

refund(sessionId) — Buyer’s escape hatch

If the host never delivers within the timeout window, the client reclaims their escrow. The economic penalty structure is what enforces honesty — cheat as a host and you get nothing.
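The page shows requestConnection and fulfillConnection but no code for refund. The sketch below is an added example, not the project's contract: it completes the three-state escrow with a timeout-gated refund. The names EscrowSketch, TIMEOUT (5 minutes), nextSessionId, ConnectionRefunded and _pay are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not the deployed UmbraProtocol.sol. Assumed names:
// EscrowSketch, TIMEOUT, nextSessionId, ConnectionRefunded, _pay.
contract EscrowSketch {
    enum Status { PENDING, FULFILLED, REFUNDED }
    struct Session { address client; address host; uint256 value; Status status; uint256 createdAt; }

    uint256 public constant TIMEOUT = 5 minutes; // assumed refund window
    uint256 public nextSessionId = 1;
    mapping(uint256 => Session) public sessions;

    event ConnectionRequested(uint256 indexed id, address indexed client, address indexed host, uint256 value);
    event ConnectionFulfilled(uint256 indexed id, uint256 value);
    event ConnectionRefunded(uint256 indexed id, uint256 value);

    function requestConnection(address host) external payable returns (uint256 id) {
        require(msg.value > 0, "Must escrow AVAX");
        require(host != address(0) && host != msg.sender, "Bad host");
        id = nextSessionId++;
        sessions[id] = Session(msg.sender, host, msg.value, Status.PENDING, block.timestamp);
        emit ConnectionRequested(id, msg.sender, host, msg.value);
    }

    // The contract only authenticates the caller; delivery itself is not visible on-chain.
    function fulfillConnection(uint256 id) external {
        Session storage s = sessions[id];
        require(msg.sender == s.host, "Not session host");
        require(s.status == Status.PENDING, "Already resolved");
        s.status = Status.FULFILLED; // state change before the external call
        _pay(s.host, s.value);
        emit ConnectionFulfilled(id, s.value);
    }

    function refund(uint256 id) external {
        Session storage s = sessions[id];
        require(msg.sender == s.client, "Not session client"); // unknown ids fail here
        require(s.status == Status.PENDING, "Already resolved");
        require(block.timestamp >= s.createdAt + TIMEOUT, "Timeout not reached");
        s.status = Status.REFUNDED; // blocks a second refund or a late fulfil
        _pay(s.client, s.value);
        emit ConnectionRefunded(id, s.value);
    }

    function _pay(address to, uint256 amount) private {
        (bool ok, ) = payable(to).call{value: amount}("");
        require(ok, "Transfer failed");
    }
}
```

Because the status is written before any value leaves the contract, a re-entrant call from the recipient hits the "Already resolved" check instead of paying twice.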


Why Avalanche Fuji

The token isn’t speculative. It’s functional. This means transaction cost directly competes with session value.

  • Sub-second finality — a WiFi session that takes 12 seconds to confirm on Ethereum L1 is useless
  • Gas costs below $0.01 — you can escrow $0.10 for 5 minutes of connectivity and not lose the session value to gas
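  • EVM-compatible — Hardhat, ethers.js, WalletConnect v2 all work without modification

// hardhat.config.js
module.exports = {
  networks: {
    fuji: {
      url: process.env.FUJI_RPC_URL,                // Fuji C-Chain RPC endpoint, read from the environment
      accounts: [process.env.DEPLOYER_PRIVATE_KEY], // deployer key stays in the environment, never in the repo
      chainId: 43113,                               // Avalanche Fuji testnet
      gasPrice: 25000000000                         // 25 gwei, expressed in wei
    }
  }
};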

Core wallet with WalletConnect v2 handled mobile signing. The demo flow at the hackathon: scan QR → approve request → transaction lands on-chain in ~1s → credentials decrypted → hotspot appears.


The Ephemeral Node: The Hard Part

A normal WiFi hotspot is a surveillance tool. It logs MAC addresses. It’s tied to a physical location. The provider sees your traffic. It’s not anonymity — it’s convenience.

The Umbra ephemeral node is the opposite. Using startLocalOnlyHotspot() on Android with AP isolation enabled:

  • The guest (client) cannot see the host’s local network
  • All guest traffic routes through a local SOCKS5 proxy on the host’s phone
  • The proxy shuttles packets between the hotspot interface and the cellular radio in real-time
  • It is explicitly zero-log — it never writes traffic to storage
  • The SSID is randomly generated (UmbraNode_7A3F), not identifying
  • It exists for the session duration, then the OS tears it down

The Kotlin Android app handles this natively. The app is 95.4% of the codebase — the smart contract is 1.3%. That ratio is correct. The hard problem isn’t the escrow logic. The hard problem is building the ephemeral node engine that makes the anonymization real.


What Makes This Different

Z-Umbra is not a WiFi sharing app. Apps like Karma WiFi already exist. That market is not what this is.

The difference is the model:

|                    | Old model (VPN/centralized)           | Z-Umbra model               |
|--------------------|---------------------------------------|-----------------------------|
| Who holds risk     | The provider (on your behalf)         | You (directly, for payment) |
| Who sets the price | Them                                  | You                         |
| Trust requirement  | Absolute (faith in their logs policy) | Zero (the code is the law)  |
| What you receive   | A service                             | A market                    |
| What the token is  | A payment                             | Proof of risk taken         |

The crypto isn’t there for hype. A centralised payment system introduces exactly what the system is designed to eliminate: a list of users, a company that can be subpoenaed, a kill switch. The AVAX escrow is the only payment rail that is philosophically consistent with the goal.


The Hackathon

I went in with an idea I wasn’t sure I could prove. The central question wasn’t “can I build this?” — it was “does this concept actually hold up under technical interrogation?”

It held up.

The judges pushed hard on sandboxing, on the public ledger paradox (anonymous traffic, public payment record), on Sybil attack vectors. The answers were real: AP isolation is pragmatic mobile security, not theoretical. The permanent-but-context-free blockchain record is intentional design. Reputation systems with ZK proofs are the roadmap.

The thing I staked at this hackathon wasn’t just code. It was an original idea about what privacy could be worth — economically, not philosophically. And it won.

We won the Avalanche track.


What’s Next

The first version proves the economic model. The roadmap:

  • ZK-proof payment layer — the public ledger transparency is currently the tradeoff. The next step integrates privacy-preserving payment rails (ZK proofs or mixers) to make the payment record itself unlinkable
  • Reputation system on-chain — nodes build reputation through fulfilled sessions; high-reputation nodes get more connections; Sybil attacks become economically unviable
  • Multi-hop routing — chain two or more ephemeral nodes for layered anonymisation without Tor’s known-exit-node problem
  • Production Android app — the prototype demonstrated the contract and escrow; the full Kotlin app ships the complete ephemeral node engine

The idea is original. The market is real. The code proves the primitive works.

The ghost is already out there.

The whole flow from QR scan to confirmed escrow: under 10 seconds. Sub-second Avalanche finality does a lot of heavy lifting here.


Z-Umbra is a hackathon prototype, not a production system. But it proves the core thesis: trustless P2P connectivity markets are technically viable today, with existing tooling, on a live testnet.

The internet access market is worth hundreds of billions of dollars. Almost none of it is distributed. That seems like a gap worth exploring.

— Vasanth