Private State Management on Miden: Inside Guardian

OpenZeppelin worked with Miden, a privacy blockchain, to build Guardian: a coordination layer for private accounts that supports synchronization, backup, recovery, and multi-party signing without custody and without requiring participants to trust each other.

Guardian is the first implementation of Miden’s Private State Manager (PSM), making private shared-account workflows practical for teams enforcing policy and approvals while keeping account activity confidential by default.

How Coordination Changes on a Privacy-First Blockchain

On some privacy-first blockchains, teams can keep the most sensitive parts of an account off the public ledger, enabling shared accounts where approvals, policies, and day-to-day operations do not become public onchain data.

Privacy changes the coordination model: when the full account state is not globally readable, participants cannot rely on the chain as a shared source of truth for synchronization, proposal circulation, or recovery. Shared accounts need an offchain mechanism to distribute updates, collect approvals, and ensure all participants converge on the same latest confirmed state.

On Miden, where the mainnet is expected to go live in 2026, full account state is private and managed offchain. Transactions are executed locally and proven with zero-knowledge proofs, and the network anchors progress using commitments (a cryptographic "receipt" of the latest state) rather than publishing the state itself. Coordination, as a result, needs an offchain layer that can synchronize devices and participants, collect threshold approvals privately, and confirm when an update becomes canonical (the latest confirmed state) by observing the onchain commitment. Guardian was built to provide that coordination on Miden.

Guardian: The Private State Manager on Miden

Under the hood, Guardian coordinates two kinds of data:

Together, they enable three core functions:

1. Distributing deltas for synchronization: Guardian relays deltas so devices and participants can catch up without relying on a public ledger.
2. Coordinating approvals offchain: Guardian circulates proposals and collects threshold signatures: participants sign independently, and execution proceeds once the configured threshold is reached.
3. Confirming updates using the network: Guardian watches for the onchain commitment that matches an acknowledged update, then treats it as confirmed so participants converge on the same latest state.

When a transaction is proposed, Guardian verifies that it is authorized under the account policy and records it by issuing a commitment; devices that fall behind can fetch missed updates and replay them locally.

Private Multisigs: Why They Matter

Guardian unlocks private multisignature accounts, letting multiple participants coordinate threshold signing offchain without exposing signer structure, approval thresholds, or the approval flow as public onchain data.

Teams can share control over an account, require collective sign-off before funds move, and enforce spending policies. Each participant signs independently, and Guardian coordinates proposals and signatures, only finalizing execution once the configured threshold is reached.

For institutions managing shared assets, the usual options come with tradeoffs. Onchain multisigs provide strong controls but expose operational details, while custodial platforms hide activity but concentrate key risk and custody. Guardian offers a third path: institutional-grade approval workflows and policy enforcement, with privacy by default and without handing control to a custodian.

What Operators Can Build with Guardian

Beyond private multisigs, Guardian enables a broader set of use cases:

• Policy-based shared accounts: Shared control with configurable rules: set approval thresholds per action (routine payments versus configuration changes), require collective sign-off before funds move, and avoid any single participant having unilateral control, while keeping account structure and activity private by default.
• Financial privacy as a product: Transactions are verified without being publicly disclosed, so transaction intent and activity are not broadcast to competitors or observers, while teams can still support audits and selective disclosure when required.
• OTC trading and settlement: Coordinate settlement while minimizing trade-intent leakage: counterparties can share control over settlement accounts, sequence approvals privately, and reduce exposure of size, timing, and counterparty information that invites front-running or market signaling.
• Fund and asset management: Built-in governance for institutional workflows, where investment actions can require the right approvals before execution, with policy or mandate enforcement at signing time and cryptographic evidence that controls were followed.
• Payroll and treasury operations: Approve payment batches with multiple sign-offs, enforce spending limits at the point of authorization, and keep salary figures, recipients, and amounts from becoming public onchain data.
• Account recovery and multi-device access: Operate safely across devices without custody: recover from lost devices, rotate keys, and keep multiple signers and devices synchronized.

Private State Management on Miden and Beyond

Private execution changes what coordination looks like: when account state isn't published to a public ledger, teams need a reliable way to stay synchronized, approve changes, and recover access without reintroducing custody or exposing sensitive activity.

Guardian was designed jointly with Miden and built by OpenZeppelin, applying the same security standards behind $35 trillion in onchain value transferred and 900+ audits since 2015.

Explore the proof of concept at multisig.miden.xyz. The implementation is open source and audited.

FAQs

What is Guardian and who built it?

Guardian is the Private State Manager (PSM) for Miden, a coordination layer for private accounts that handles synchronisation, backup, recovery, and multi-party signing without custody or trust assumptions. It was designed jointly with Miden and built by OpenZeppelin, applying the same security standards behind $35 trillion in onchain value transferred and 900+ audits since 2015.

What is Miden?

Miden is a privacy-first, zero-knowledge blockchain that spun out independently from Polygon Labs. Built around a model where account state lives on the user's device and only cryptographic commitments are shared with the network, Miden enables confidential transactions without sacrificing verifiability. Mainnet is expected in Q3 2026.

How is Guardian different from a custodial platform or an onchain multisig?

Onchain multisigs provide strong controls but expose every decision, signers, thresholds, and transactions to anyone watching the chain. Custodial platforms hide that activity but pool funds behind a third party, concentrating risk. Guardian offers a third path: institutional-grade approval workflows and policy enforcement, with privacy by default and without handing control to a custodian.

Who is Guardian for?

Guardian is designed for operators, fintechs, financial institutions, and infrastructure providers who want to offer private shared account capabilities to their customers without taking custody of funds.

Can Guardian be used beyond Miden?

The PSM is designed to address a coordination challenge that exists wherever account-state is managed privately rather than on a public ledger. Miden Guardian is the first implementation, built specifically for Miden's execution model. The underlying architecture is not Miden-specific.