COTI MetaMask Snap Update: 256-Bit Private Tokens Now Live
The COTI MetaMask Snap just got a major upgrade: a new release that brings the latest privacy and security features to your wallet, including 256-bit confidential token support.
The latest Version 1.0.52 introduces 256-bit confidential token support, private NFT management, multi-network switching, and a comprehensive set of security and UX improvements, all independently audited by Sayfer Security.
This upgrade officially makes the COTI MetaMask Snap industry-leading when it comes to managing, transferring, and utilizing private assets.
If you’re already using the COTI Snap, the update is live now. If you haven’t tried it yet, there’s never been a better time to start.
What’s New in v1.0.52
256-Bit Confidential ERC-20 Support
The Snap now fully supports ctUint256 confidential tokens, the 256-bit encrypted token standard on COTI. This means the Snap can detect, sync, decrypt balances, and execute private transfers for tokens using COTI’s full-precision confidential arithmetic.
This is a direct extension of the capabilities unlocked by the Helium Mainnet Upgrade, which introduced native 256-bit arithmetic to COTI. Now, that same capability is accessible directly in your MetaMask wallet.
Multi-Network Support
The Snap now supports both COTI Testnet and Mainnet, with AES keys scoped per network and separate storage for each environment. Switching between networks is seamless, and onboarding flows have been unified across both.
For developers, this means easier testing and iteration. For users, it means a smoother experience regardless of which COTI network you’re connected to.
Private NFT Support
This release includes bug fixes and improvements, and the COTI Snap now supports private ERC-721 NFTs. Users can sync, import, and view private NFT metadata and images directly in MetaMask, including support for IPFS and CID-based URIs.
This opens the door for privacy-preserving digital collectibles, identity credentials, access tokens, and more, all managed from within MetaMask.
Smarter Gas Handling and UX Improvements
Private transfers involve longer precompile chains than standard transactions, which can cause gas estimation issues. This release introduces upfront gas estimation with automatic buffering and fallback logic, so private transfers complete reliably without running into out-of-gas errors.
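The gas-handling pattern described above, as an added example that is not the COTI Snap's own code: estimate first, add a percentage buffer, fall back to a fixed limit when the estimator itself reverts, and cap the result. The `estimateFn(tx)` callback stands in for a provider's `eth_estimateGas` call, and every number (30% buffer, 3,000,000 fallback, 10,000,000 cap) is an assumption chosen for illustration, not a COTI setting.

```javascript
// Added example (not the COTI Snap's own code): upfront gas estimation with a
// buffer and a fallback. `estimateFn(tx)` stands in for eth_estimateGas; the
// numeric defaults below are assumptions for illustration only.

const GAS_DEFAULTS = {
  bufferPercent: 30,            // headroom on top of the node's estimate
  fallbackGasLimit: 3_000_000n, // used when the estimator itself reverts
  maxGasLimit: 10_000_000n,     // hard ceiling so a runaway estimate stays inside the block limit
};

// Pure decision logic, kept synchronous so it is easy to unit-test.
// `result` is { gas: bigint } when estimation succeeded or { error } when it threw.
function computeGasLimit(result, opts = {}) {
  const { bufferPercent, fallbackGasLimit, maxGasLimit } = { ...GAS_DEFAULTS, ...opts };
  if ('error' in result) {
    // Long precompile chains can make the estimator revert even though the real
    // transaction would succeed; submit with a conservative fixed limit instead.
    return { gasLimit: fallbackGasLimit, base: null, source: 'fallback' };
  }
  // Ceil-division so rounding never produces less buffer than requested.
  let gasLimit = (result.gas * BigInt(100 + bufferPercent) + 99n) / 100n;
  if (gasLimit > maxGasLimit) gasLimit = maxGasLimit;
  return { gasLimit, base: result.gas, source: 'estimate' };
}

// Async wrapper used at send time: try the estimator, then buffer or fall back.
async function estimateGasWithBuffer(estimateFn, tx, opts = {}) {
  let result;
  try {
    result = { gas: BigInt(await estimateFn(tx)) };
  } catch (error) {
    result = { error };
  }
  return computeGasLimit(result, opts);
}

// Constructed estimators standing in for a real provider, for a stand-alone run.
const healthyEstimator = async () => 180_000n;
const revertingEstimator = async () => { throw new Error('execution reverted'); };

async function demo() {
  const tx = { to: '0x0000000000000000000000000000000000000001', data: '0x' }; // placeholder tx
  const buffered = await estimateGasWithBuffer(healthyEstimator, tx);   // 234000n, 'estimate'
  const fellBack = await estimateGasWithBuffer(revertingEstimator, tx); // 3000000n, 'fallback'
  return [buffered, fellBack];
}

demo().then((r) => console.log(r));
```

The cap matters as much as the buffer: a gas limit above the block gas limit is rejected outright, and since the limit is only an upper bound (unused gas is refunded), the buffer costs nothing on success. The fallback path should still surface the original estimator error in logs so a genuinely reverting transfer is not silently submitted with a large limit.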
Additional UX improvements include:
Confidential ERC-20 transfers directly from the Snap interface
Improved send flow with better loading states, focus management, and self-transfer blocking
Clearer revert error decoding when transactions fail
Redesigned success screen after completed transfers
Security Hardened and Independently Audited
Ahead of this release, the COTI Snap underwent a full security audit by Sayfer Security, completed in March 2026. The audit covered the Snap’s RPC handlers, key management flows, token import logic, encrypted payload validation, and NFT metadata handling.
As Sayfer’s report concludes: “After a review by the Sayfer team, we certify that all the security issues mentioned in this report have been addressed by the COTI team.”
The full audit report is available here.
This release includes comprehensive security hardening across the Snap, with remediations mapped directly to findings from the Sayfer audit:
Origin checks and AES key validation added to all sensitive RPC handlers in onRpcRequest
Explicit user confirmation dialogs added for token import and hide actions, with updated copy that clearly informs users when the raw AES encryption key is being shared
Context validation added to onRpcRequest, alongside support for confidential ERC-20 transfers
ERC-20 address validation now uses ethers.isAddress for stricter input handling
Encrypted payload parsing now includes structure and data type validation, reducing risks from malformed inputs
URL validation hardened in image and NFT metadata utilities to block private and local hostnames, mitigating SSRF-style risks
Transitive and direct dependency updates across the workspace, including minimatch pinned to safe versions to address known vulnerabilities
Node 20 standardized across development, .nvmrc, package.json, and GitHub Actions CI for modern security and compatibility
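The classes of input check listed above, as an added example that is not the COTI Snap's own code, written in the shape of a MetaMask Snaps `onRpcRequest({ origin, request })` handler: an origin allowlist, an address format check, AES key presence and format validation, structural validation of an encrypted payload before it is touched, and a hostname filter for NFT metadata and image URLs. The allowed origin, the RPC method names, the payload layout (`{ tokenAddress, ciphertext }`), the key encoding and the `ctx.confirm` dialog stand-in are all assumptions; `isAddressLike` is a simplified stand-in for `ethers.isAddress`, not the ethers function itself.

```javascript
// Added example, not the COTI Snap's own code. Method names, payload layout, key
// encoding, the allowed origin and the ctx.confirm stand-in are assumptions.

const ALLOWED_ORIGINS = new Set(['https://metamask.coti.io']); // assumption: the Snap's own dApp

// Simplified stand-in for ethers.isAddress (assumption): 0x + 40 hex chars. The real
// ethers.isAddress also rejects bad EIP-55 mixed-case checksums; this version does not.
function isAddressLike(value) {
  return typeof value === 'string' && /^0x[0-9a-fA-F]{40}$/.test(value);
}

// Assumed key encoding: a 16- or 32-byte AES key as a hex string, with or without 0x.
function isAesKeyHex(value) {
  return typeof value === 'string' && /^(0x)?([0-9a-fA-F]{32}|[0-9a-fA-F]{64})$/.test(value);
}

// Assumed payload layout: { tokenAddress, ciphertext } with ciphertext as 0x-hex of
// 1..64 bytes. Structure and type checks run before anything is decrypted.
function parseEncryptedPayload(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    throw new TypeError('payload must be a plain object');
  }
  const { tokenAddress, ciphertext } = payload;
  if (!isAddressLike(tokenAddress)) throw new TypeError('payload.tokenAddress is not an address');
  if (typeof ciphertext !== 'string' || !/^0x([0-9a-fA-F]{2}){1,64}$/.test(ciphertext)) {
    throw new TypeError('payload.ciphertext must be 0x-hex of 1..64 bytes');
  }
  return { tokenAddress: tokenAddress.toLowerCase(), ciphertext: ciphertext.toLowerCase() };
}

// Hostnames a metadata/image fetch must never reach: loopback, RFC 1918, link-local
// (including the cloud metadata address 169.254.169.254), IPv6 ULA/link-local, *.local.
function isPrivateHostname(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, '');
  if (h === 'localhost' || h.endsWith('.localhost') || h.endsWith('.local') || h.endsWith('.internal')) return true;
  if (h === '::1' || h === '::' || /^fe80:/.test(h) || /^f[cd][0-9a-f]{2}:/.test(h)) return true;
  const v4 = h.replace(/^::ffff:/, '').match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!v4) return false;
  const a = Number(v4[1]), b = Number(v4[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Accepts http(s) URLs to public hosts and ipfs:// CIDs; rejects every other scheme.
function isSafeMetadataUrl(raw) {
  let url;
  try { url = new URL(String(raw)); } catch { return false; }
  if (url.protocol === 'ipfs:') return url.hostname.length > 0; // CID, resolved via a gateway elsewhere
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return !isPrivateHostname(url.hostname);
}

// Dispatcher. ctx.confirm(text) stands in for the Snap confirmation dialog and returns a
// boolean; ctx.aesKey is the key loaded for the active network. Both are assumptions.
function handleRpcRequest({ origin, request }, ctx) {
  if (!ALLOWED_ORIGINS.has(origin)) throw new Error(`origin not allowed: ${origin}`);
  const params = request.params ?? {};
  switch (request.method) {
    case 'importToken': {
      if (!isAddressLike(params.address)) throw new Error('invalid token address');
      const ok = ctx.confirm(`Import token ${params.address}? Its balance will be decrypted with your AES key.`);
      return { imported: ok ? params.address : null };
    }
    case 'decryptBalance': {
      if (!isAesKeyHex(ctx.aesKey)) throw new Error('AES key missing or malformed');
      const parsed = parseEncryptedPayload(params.payload);
      return { tokenAddress: parsed.tokenAddress, ciphertextBytes: (parsed.ciphertext.length - 2) / 2 };
    }
    case 'fetchNftMetadata': {
      if (!isSafeMetadataUrl(params.uri)) throw new Error('metadata URI rejected');
      return { uri: params.uri };
    }
    default:
      throw new Error(`unknown method: ${request.method}`);
  }
}
```

A hostname filter at parse time is a first line, not the whole defence: a public hostname can resolve to a private address later (DNS rebinding) or redirect to one, so the code that actually performs the fetch should re-check the resolved address, refuse to follow redirects to filtered hosts, and ideally route through a gateway that has no reach into the local network.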
Together, these changes represent the most thorough security pass the COTI Snap has received to date.
Build Transparency
In keeping with COTI’s commitment to open development, GitHub Actions workflows have been refreshed and aligned with current major versions, and the repository documentation has been updated alongside this release. The full release notes and the Sayfer audit report are both available in the public coti-snap repository, supporting verifiability and trust.
Why This Matters
The MetaMask Snap is how most users interact with COTI’s privacy features today. With this update, the Snap now supports the full range of COTI’s confidential token standards, from 64-bit to 256-bit ERC-20s and private NFTs, all within the wallet that millions of Web3 users already use.
This update also brings the Snap in line with COTI’s recent infrastructure upgrades. The 256-bit support mirrors the capabilities introduced in the Helium Mainnet Upgrade, and seamless testnet-to-mainnet switching makes it easier for developers to build and test confidential applications on COTI.
Privacy in Web3 should be easy to use. This release is another step toward making that a reality.
Get Started Using COTI MetaMask Snap
Ready to try it?
Setting up the COTI Snap takes about 5 minutes. Here’s how to get up and running.
Requirements: the MetaMask desktop browser extension and a COTI Mainnet or Testnet connection. Mobile browsers are not supported yet (due to MetaMask Flask incompatibility).
Stage 1: Install the COTI Snap
Navigate to metamask.coti.io and click Connect Wallet.
Click Install COTI MetaMask Snap and approve the installation when MetaMask prompts you.
Approve the connection request to link the Snap to your wallet.
Select the account you want to use (your COTI Mainnet account is recommended) and click Connect.
Stage 2: Onboard and View Private Balances
Confirm the Snap is active under Profile → Settings → Snaps in MetaMask.
Click Onboard Account and confirm the signature request. This verifies ownership and uses a small amount of COTI for gas.
Grant AES key access when prompted. This is required to decrypt and view your private token balances.
Click Launch dApp to open the COTI Snap interface.
Stage 3: Send and Receive Private Tokens
In the Snap, click Import Tokens and paste the private token’s contract address.
Once imported, the token appears in your Assets list with its decrypted balance.
To send, click Send Token, enter the recipient’s address, and approve the transaction in MetaMask.
Your transaction is now live on-chain, encrypted and private.
Additional Resources
Install or update the COTI Snap at metamask.coti.io
Follow the step-by-step setup guide in COTI Docs
View the full release notes on GitHub
Stay COTI.
About COTI
COTI is the programmable privacy layer for Web3. Built for enterprises, builders, and agents. Powered by high-performance Garbled Circuits and enterprise-grade COTI Nightfall (ZK), COTI enables encrypted computation on any public blockchain. Fast, low-cost, and compliant privacy across DeFi, AI, and beyond.
Meet Private ERC20: the Foundation for Private Tokens on COTI
Introduction
Today, we’re introducing COTI’s Private ERC20: a privacy-enhanced token, fully ERC20-compatible, independently audited, and live on COTI.
ERC20 is the most important token standard in the history of Web3. Stablecoins and smart contracts run on it. The vast majority of on-chain value moves through contracts that are built upon it.
However, ERC20 was never built to do one critical thing: protect the privacy of the people and transactions using it. Every balance, every transfer, every approval is broadcast on-chain. This is how COTI solved it.
Meet Private ERC20s
Private ERC20 is exactly what it sounds like. An ERC20 token, with privacy built in at the protocol level. It behaves the way any builder or user expects. You can hold it, send it, receive it, approve it to a smart contract, and build DeFi around it.
The difference is what happens to the data: balances are encrypted, transfer amounts are encrypted, allowances are encrypted. When a Private ERC20 transaction is processed on COTI, the amounts involved are never exposed publicly or broadcast on-chain.
Each token holder has their own personal encryption key. Only the holder can decrypt their balance. Everyone else, including validators, sees ciphertext. All of that confidentiality is handled automatically by COTI’s Garbled Circuits technology, running underneath the standard.
How COTI Private ERC20 Works
The reason ERC20 became the backbone of Web3 is that everyone agreed on a common token interface, which could be used by builders to create an entire ecosystem.
Wallets supported every token by default. Exchanges could list them quickly. DeFi protocols could accept any ERC20 as collateral without custom integrations. A single standard unlocked billions of dollars of composability.
Privacy has been stuck in the opposite place. Bespoke implementations, specialized tools, one-off integrations. Private ERC20 closes that gap. It takes the coordination power of ERC20 and brings it to privacy. Any team that knows how to build with ERC20 already knows how to build with Private ERC20.
The DNA of COTI Private ERC20s
Private ERC20 is designed to bring true programmable privacy to the COTI Networks, as well as Ethereum, and other chains that have embraced ERC20s as standard. A simple, scalable, and fast approach to privacy that builders can trust with complete confidence.
Full 256-bit precision. Balances, transfers, allowances, mints, and burns all support the native uint256 range. No reduced-width mode. No scaling workarounds. The exact token math builders expect, with encryption underneath.
Encrypted and public modes. Admins can toggle operations between encrypted and public flows. Teams can start with a familiar integration and progressively tighten privacy as the product matures.
Governance by design. Role-based access control, a dedicated MINTER_ROLE, and cap-aware issuance make supply governance explicit and auditable.
Private by default, including supply. totalSupply() returns zero on-chain, while a ciphertext version tracks the real supply internally. No leaking total issuance to the outside world.
Built on proven foundations. Access control and reentrancy protection are inherited from OpenZeppelin. Encrypted arithmetic is delegated to COTI’s MPC precompile. New privacy primitives on top of trusted building blocks.
What Private ERC20 Unlocks
Private ERC20 is the building block for a whole new category of applications, dapps and use cases across the entire Web3 ecosystem.
Private tokens: Turning any public ERC20 token into a private token.
Private stablecoins and payments: Move value on public rails without broadcasting salaries, invoices, or settlement amounts.
Confidential DeFi: Trade, lend, and provide liquidity without exposing positions to front-runners or MEV bots.
Tokenized real-world assets: Represent regulated assets on-chain while keeping ownership and financial details protected, with selective disclosure for compliance.
Audited by Sayfer. Built to Ship.
Private ERC20 has been independently audited by Sayfer, a Web3-native cybersecurity consultancy that has secured billions in assets across 100+ clients including MetaMask, 1inch, Polkadot, and StarkWare, with a track record of zero client hacks. Every finding was addressed and resolved before launch.
Open, Live, and Ready to Build On
Private ERC20 is live on the COTI network today. Open source. Available as part of the release from the coti-contracts on GitHub. The full developer guide lives in the COTI docs.
If you can write an ERC20, you can write a Private ERC20.
Privacy is the Foundation. The Portal is the Gateway.
Private ERC20 is the foundation for private tokens. And standards only matter when people can actually use them.
That’s what comes next: the COTI Privacy Portal, a simple, easy-to-use app where users can convert a variety of public tokens into private tokens in just a few clicks, then hold, send and receive them on-chain.
It gives users the fastest and cheapest private tokens in the world, while letting them trust that their balances and transfers stay encrypted.
Stay COTI.
COTI Partners With Sayfer to Harden Privacy Infrastructure Through Elite Web3 Security
TL;DR: Independent smart contract audits complete on COTI’s private ERC-20 tokens and the upcoming Privacy Portal. Sayfer joins COTI as a long-term security advisor for new privacy infrastructure.
Introduction
COTI is excited to announce a partnership with Sayfer, a leading Web3-native cybersecurity consultancy that has secured billions in assets across 100+ global clients, including MetaMask, 1inch, Polkadot, Tezos, Binance Smart Chain, StarkWare, and Tenderly.
Sayfer has completed a comprehensive smart contract security audit of the infrastructure powering COTI’s next wave of privacy products, and is joining the COTI ecosystem as a trusted, long-term security advisor as COTI continues rolling out new privacy-preserving infrastructure.
As COTI continues to build out its all-in-one privacy protocol, it’s essential that the underlying code is battle-tested. With Sayfer on board, COTI users, developers, and institutions can build and transact with the assurance of industry-leading security.
Meet Sayfer: Industry-Leading Web3 Security
Founded in 2019, Sayfer is a Web3-native cybersecurity consultancy specializing in offensive-defense methodology, closing the gaps that standard security products miss. Their services span smart contract audits, penetration testing, cloud infrastructure audits, private key protection, and broader security consulting.
What sets Sayfer apart is their track record: zero client hacks to date. Their core offering is deep, line-by-line smart contract audits and high-end penetration testing for Web3 protocols, dApps, and supporting infrastructure. Sayfer’s security work is delivered by senior researchers who secure the full stack: smart contracts, blockchain infrastructure, wallets and key management, cloud environments, and web and mobile applications.
How Are COTI And Sayfer Working Together?
Sayfer conducted multiple independent smart contract security audits covering two new additions to COTI’s privacy stack and its major product releases.
1. Private Tokens on COTI Network (p.tokens)
Sayfer audited the smart contracts behind COTI’s upcoming release of private ERC-20 tokens. These are the contracts that encrypt token balances on-chain using Garbled Circuits, enabling users to hold, send, and receive private tokens with balances only they can see.
Audit scope covered encrypted balance logic, RPC handlers, key management flows, token import and validation, encrypted payload parsing, and more. Every finding from the audit was addressed and resolved by the COTI team before launch.
2. Privacy Portal Smart Contracts
Sayfer also audited the smart contracts powering the upcoming COTI Privacy Portal, the web application that lets users convert supported public tokens into a private token in one click, and back again, giving them the ability to turn tokens private and take advantage of the lowest-cost and fastest private tokens in the world. Built on the same private ERC-20 infrastructure, the Portal contracts were stress-tested by Sayfer’s senior researchers before launch.
3. MetaMask Snap Upgrade
The latest version of the COTI MetaMask Snap will introduce full support for ctUint256, the 256-bit confidential ERC-20 standard unlocked by the Helium Mainnet upgrade.
This upgrade will also debut a series of privacy features, including private NFT support, multi-network switching between COTI Mainnet and Testnet, smarter gas handling, and a redesigned send flow, all geared toward the introduction of private tokens on COTI.
MetaMask Snap is the primary interface for interacting with private tokens created through the Privacy Portal, which was fully audited by Sayfer.
What’s On Sayfer’s Roadmap?
Beyond core audit and penetration testing services, Sayfer is preparing to launch an AI-powered security layer that brings continuous, real-time auditing to Web3, moving past the traditional point-in-time audit model.
The upcoming product pairs senior auditor expertise with AI to deliver continuous monitoring, automated vulnerability detection, and live security insights across smart contracts and protocol infrastructure. Teams can ship faster without waiting for the next audit cycle, and COTI will gain an always-on security monitoring system.
Hardened Security for an Expanding Privacy Ecosystem
COTI will continue to utilize Sayfer’s services, as they serve as a trusted security advisor for COTI’s new privacy-preserving infrastructure and features. As our suite of privacy products expands, Sayfer will be there to audit and ensure hardened security at every layer of the stack.
By pairing Sayfer’s security methodology with COTI’s Garbled Circuits-powered privacy layer, the partnership addresses a specific, critical problem: ensuring that confidential computation on a public blockchain is not just fast and flexible, but provably secure at the code level.
COTI users can trust that they are interacting, holding and transacting with private tokens on contracts that have been independently reviewed by Web3-native security experts. Similarly, developers and builders can rest assured that they are building on smart contracts that have been stress-tested at the code level.
By pairing Sayfer’s offensive-defense methodology with COTI’s privacy technology, this partnership raises the baseline for what secure, confidential Web3 infrastructure should look like.
A Word From Sayfer’s Leadership
We’ve known the COTI team for a long time. Consistently professional, deeply technical, and always pushing novel tech. It’s been a pleasure securing a project built by people who genuinely care about getting the fundamentals right.
— Or D, CTO & Co-Founder, Sayfer
About Sayfer
To explore Sayfer’s security services, visit sayfer.io. For teams interested in a smart contract audit, head directly to the smart contract audit service page, or schedule a call with the Sayfer team.
You can also follow Sayfer on X, Telegram, and LinkedIn, and browse their public audit reports and research at the Sayfer blog.