Rate Limiting Nullifiers (RLN) are zero-knowledge cryptographic protocols that enforce per-account transaction quotas without requiring users to pay traditional gas fees. By utilizing Sparse Merkle Trees, Shamir’s Secret Sharing, and ZK proofs, RLN verifies that an account has not exceeded its transaction limit, blocking spam before it reaches the sequencer while preserving full user privacy.
What Problem Does RLN Solve?
Traditional blockchains rely on gas fees to create an economic barrier against spam. While effective at high prices, this model penalizes legitimate users with low budgets and fails to stop "speculative probing" when fees trend toward zero.
Gasless networks like Status Network face an even greater challenge: without a cost barrier, spam becomes trivial. RLN solves this by replacing the fee-market mechanism with a cryptographic quota system. Instead of paying a toll, you provide a certificate proving you are within your allowed frequency of use.
How Rate Limiting Nullifiers Work (Technical Overview)
RLN operates through three core stages: identity registration, quota enforcement via secret sharing, and proof verification.
Layer 1: User Registration via Merkle Tree
Every user must register an identity commitment derived from a high-entropy private secret. This commitment is added to an on-chain RLN membership Merkle tree. Status Network utilizes trees with a fixed depth of 20, capable of supporting approximately one million registered accounts per tree. Only the holder of the private secret can generate valid proofs for the associated commitment.
Layer 2: Quota Tracking and Secret Sharing
Each transaction requires the user to generate an RLN proof bound to a specific time interval, or epoch. Status Network uses Shamir’s Secret Sharing to penalize over-limit activity.
For every transaction, the prover reveals a single "share" of their private secret. As long as a user stays within their allotted quota per epoch, their secret remains hidden. However, if they attempt to send a transaction that exceeds their limit within the same epoch, they must reuse a nullifier, revealing a second share of the same secret. This allows any observer (slasher node) to use polynomial interpolation to reconstruct and recover the user's private secret.
Layer 3: Zero-Knowledge Proof Verification
When submitting a transaction, the user includes a ZK proof that proves:
- Their identity commitment exists in the valid membership Merkle tree.
- The provided share was correctly computed from their private secret.
- The transaction complies with the global and tier-based rate limits for that epoch.
The sequencer verifies this proof instantly. If valid, the transaction is executed for free. If it reuses a nullifier, it is detected as spam.
Rate Limiting in Practice: Status Network's Implementation
Status Network integrates RLN as its primary spam defense, tying throughput to its Karma reputation system.
- Karma-Based Tiers: Every user receives a gas-free transaction quota based on their soulbound Karma score. Quotas range from 6 transactions per day for new users to over 432,000 for high-reputation accounts.
- Decentralized Slashing: The top 128 Karma holders act as "slasher nodes". If they detect a quota violation (secret recovery), they trigger an on-chain slash that burns up to 100% of the offender’s Karma balance.
- Premium Gas Bypass: Users who exhaust their free gasless quota can still transact by paying a sequencing tip - a premium gas fee that bypasses RLN validation.
- Anonymity: Unlike fee-based systems, compliant users remain unlinkable. RLN only exposes the identity of those who violate the rules.
Computational Cost and Scalability
- Client-Side: Generating a ZK proof is a local operation that generally takes only a few seconds, having a negligible impact on device performance.
- Network-Side: Sequencers verify proofs in milliseconds using high-performance bridges, ensuring the network remains fast even under heavy load.
- Scalability: While one tree supports ~1M accounts, the prover can initialize new trees as needed to support an unbounded number of users.
Conclusion
By replacing economic tolls with cryptographic quotas, RLN enables truly gasless transactions without sacrificing security. Status Network demonstrates this at scale, ensuring that network access is determined by genuine contribution and reputation rather than capital alone.
Frequently Asked Questions
Can someone forge an RLN proof without knowing my private secret?
No, RLN proofs are cryptographically derived from a high-entropy secret using the Poseidon hash function. An attacker would need to solve the underlying zero-knowledge problem or steal your secret to forge a proof, both of which are computationally infeasible under standard cryptographic assumptions.
Does RLN reveal which wallet address is transacting?
No, RLN provides unlinkable anonymity for compliant users. It allows you to prove you are a valid member of a reputation tier without revealing your specific identity or account balance. Your identity is only exposed via secret recovery if you intentionally violate the rate limits.
What happens technically if I exceed my gasless transaction quota?
If you attempt to exceed your allotted quota within a specific epoch, the system detects a "nullifier" collision. This allows decentralized slasher nodes to use polynomial interpolation to reconstruct your private secret. Once recovered, your secret is used to trigger an on-chain slash of your Karma balance.
How much Karma can I lose if I am caught spamming the network?
The system is designed with a decentralized slashing mechanism where up to 100% of an offender’s Karma balance can be burned. At a minimum, a successful slash will burn 50% of the total balance (actual and virtual) and remove the user from the RLN membership Merkle tree.
Can I still transact if my gasless quota is exhausted for the day?
Yes, the Status Network includes a "Premium Gas Bypass". Users who have reached their free limits can pay a sequencing tip - a premium gas fee - to continue transacting. This acts as a pressure valve for burst demand while keeping the base execution free.
Is the Merkle tree height a permanent limitation on user growth?
While the network uses Sparse Merkle Trees with a fixed depth of 20 (supporting ~1 million users per tree), this is not a hard cap on growth. The Prover module is designed to initialize new trees as needed, allowing the network to support an unbounded number of registered users.
How does my RLN quota update when my Karma score changes?
The Prover module continuously synchronizes with the on-chain Karma contract to monitor tier updates. As you earn Karma through staking SNT or providing liquidity, the system automatically resolves your new tier eligibility and applies the updated transaction limits to your next session.
What is an "epoch" in the context of RLN rate limiting?
An epoch is a predefined time interval (initially 300 seconds) used to reset transaction quotas. Your allowed throughput (e.g., 6 or 96 transactions) is measured per epoch; once a new epoch begins, your nullifier resets, allowing you to submit new gasless transactions.
