A DAO treasury is the only corporate bank account in the world where your competitors can read every transaction in real time. The transparency that's a feature for governance is a liability for operations. Every vendor you pay, every contributor's salary, every grant, every market-making allocation, and your exact runway are all sitting on a public explorer, labeled by anyone who bothers to map your wallets. Competitors price against your runway. Counterparties see what you pay everyone else before they negotiate. Contributors see each other's compensation. None of that is a governance benefit — it's just leakage.
This post is about keeping treasury operations confidential while keeping the treasury itself self-custodied and auditable to the people who should see it.
What a public treasury actually leaks
Point a block explorer at a known treasury wallet and you can read:
- Runway. Balance and burn rate together give a precise estimate of how long the organization survives. That's a negotiating weapon in anyone's hands.
- Every counterparty. Vendors, auditors, exchanges, market makers, law firms paid in crypto — all attributable by following outflows.
- Compensation. Contributor and core-team payments, often inferable down to individuals once one address is doxxed.
- Strategy. A sudden large transfer to a market maker, a new grant program, an acquisition payment — visible before any announcement.
This is the same exposure a public donation address creates, scaled up to an entire organization (see /blog/accepting-crypto-donations-privately). And it's why amount-encryption alone doesn't solve it: the relationships (who you pay, who pays you) are the sensitive part, and those stay public even with hidden figures. See /blog/encrypted-amounts-are-not-private.
Confidential payments without giving up custody or auditability
The goal isn't to make the treasury a black box to its own members; it's to stop outsiders from reading every operational detail straight off the chain. The pattern is to route payments through a shielded pool so the public link between "treasury" and "this specific vendor payment" is broken, while the organization keeps its own records.
A treasury deposits into the shielded pool, then pays each counterparty as a withdraw using a zero-knowledge proof. On-chain, an observer sees the treasury depositing into a pool and a set of unrelated withdraws landing at various addresses, but can't tie a given payment back to the treasury or tie the payments to each other. The base mechanism is explained at /learn/what-is-a-shielded-pool; the relayer (/glossary/relayer) is why recipients don't need gas to be paid.
Crucially:
- Self-custody is intact. Funds are released only by a proof that the treasury's signers authorize; nobody else can move them. This isn't a custodial mixer, it's a self-custodied pool (/glossary/shielded-pool).
- Auditability is a choice, not a default. The organization retains its own off-chain records and can disclose to auditors, members, or regulators selectively — instead of disclosing everything to everyone by default.
- Pay in the right asset. Vendors invoicing in USDC can be paid in USDC even if the treasury holds SOL, with the conversion inside the withdraw rather than a public swap — /blog/swapping-sol-to-usdc-privately.
Common treasury flows
- Contributor payroll. Pay a roster without publishing each person's compensation or the full team graph. This is the dedicated walkthrough: /blog/private-payroll-on-solana.
- Vendor and service payments. Auditors, infra, legal, marketing — paid without exposing the relationship or the amount as a clean public edge.
- Grants and ecosystem funding. Fund recipients without broadcasting the program's size and cadence before you're ready to announce it.
- Market-making and OTC allocations. Move size to a counterparty without signaling it to the market — /blog/private-otc-trades-on-solana.
Discipline at the org level
The operational rules from /blog/solana-wallet-privacy-checklist apply, with a treasury twist:
- Don't pay everyone from one visible address in a tight batch. A cluster of withdraws timed together, in distinctive amounts, can be grouped by an observer. Space and round payments.
- Use a real privacy delay between funding the pool and paying out — /blog/the-privacy-delay-explained.
- Fresh recipient addresses for counterparties wherever feasible; a vendor wallet with attributable history re-links the payment (/learn/choosing-a-recipient-address).
- Match the crowd on amounts. An outlier payment from a thin pool re-identifies the source — /blog/anonymity-sets-on-solana.
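A pre-flight check for the rules above, as an added example that is not part of the original post or of any project's code: it flags planned payouts that are sent too soon after funding, bunched together, distinctively sized, or far larger than typical pool withdraws. The Payout fields, the audit_plan function, every threshold and the sample data are assumptions made up for illustration.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Payout:
    label: str                  # internal, off-chain label (never published)
    amount: int                 # whole units of the payout asset
    minutes_after_deposit: int  # planned send time, relative to pool funding


# Constructed sample: recent withdraw amounts observed from the pool.
POOL_AMOUNTS = [1000, 2000, 5000, 5000, 10000, 2000, 5000]

# Constructed sample payout plan.
PLAN = [
    Payout("auditor", 12437, 30),
    Payout("infra", 4000, 32),
    Payout("legal", 5000, 600),
    Payout("market_maker", 250000, 1500),
]


def audit_plan(plan, pool_amounts, min_delay=120, min_gap=60,
               round_step=500, outlier_factor=10):
    """Return {label: [findings]} for each planned payout.

    All thresholds are illustrative assumptions, not protocol parameters.
    """
    typical = median(pool_amounts)
    findings = {}
    for p in plan:
        issues = []
        if p.minutes_after_deposit < min_delay:       # no real privacy delay
            issues.append("short delay")
        if any(q is not p and
               abs(q.minutes_after_deposit - p.minutes_after_deposit) < min_gap
               for q in plan):                        # tight batch
            issues.append("burst")
        if p.amount % round_step:                     # unrounded amount
            issues.append("distinctive amount")
        if p.amount > outlier_factor * typical:       # does not match the crowd
            issues.append("outlier vs pool")
        findings[p.label] = issues
    return findings


if __name__ == "__main__":
    for label, issues in audit_plan(PLAN, POOL_AMOUNTS).items():
        print(f"{label:13} {', '.join(issues) or 'ok'}")
```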
The honest boundary
Confidential operations are not the same as escaping obligations. A DAO still owes its members governance transparency where it has promised it, and may owe disclosures to auditors or regulators. Privacy from the public market and selective disclosure to the right parties are compatible, but the second is the organization's job, not the protocol's. And no public anonymity set defeats an adversary who already has your off-chain records. See /learn/what-solmask-cannot-protect-you-from and /docs/threat-model.
Start by mapping which treasury flows are most exposed today, then move those through the pool first. Begin at /swap.
FAQ
Q. Doesn't a DAO need a transparent treasury for governance?
A. It needs transparency to its members and auditors — which selective disclosure provides. It does not need to broadcast every vendor, salary, and runway figure to competitors and the open market. Those are different audiences.

Q. Is this custodial? Who controls the funds?
A. The treasury does. Funds leave only via a proof its signers authorize. It's a self-custodied shielded pool, not a third party holding your money.

Q. Can we still produce records for an audit?
A. Yes. The organization keeps its own off-chain records and discloses them to whoever it chooses. Public-graph privacy and internal record-keeping are independent.

Q. Can we pay vendors in USDC from a SOL treasury?
A. Yes — convert inside the withdraw so there's no separate public swap of treasury funds. See /blog/swapping-sol-to-usdc-privately.

Q. What's the first flow to move private?
A. Usually payroll and recurring vendor payments — the ones that, repeated on a public schedule, leak the most about team size, cadence, and runway. Start there: /blog/private-payroll-on-solana.