The SolMask banlist is an on-chain account holding hashes of addresses that have been flagged by an address-risk screening provider as belonging to OFAC SDN entries, known thefts, or other sanctioned categories. The deposit instruction takes the depositor's address, computes the same hash, and rejects the transaction if it appears in the set.
Checking at deposit rather than withdraw is a deliberate choice: it stops tainted funds from entering the anonymity set in the first place, rather than trying to untangle them after the fact. Once a deposit is in the pool, the protocol genuinely cannot tell which depositor any withdraw belongs to — that is the whole point — so any compliance gate has to sit at the boundary.
The banlist is updated by a designated admin key on a schedule (typically daily) from the screening provider's API; updates are logged on-chain and announced in the changelog. Banlist hits never reveal which wallet was rejected on-chain; the failing transaction just returns a generic error code so we don't accidentally publish a public sanctions ledger.