Got questions?

FAQ

Everything you need to know before your first hunt.

The basics

A GPS treasure hunt with real cryptocurrency. Campaign creators hide coins at physical locations around the world. You walk there, scan the area with your phone, and claim the reward straight to your wallet.

Yes. Real coins on real blockchains. When you claim a drop, the cryptocurrency is sent directly to your wallet address. No points, no tokens, no IOUs.

A phone with GPS and a browser. No app download required. You'll also need a wallet address for the coin you're hunting.

Completely free to play. You're the hunter, not the customer. Campaign creators fund the drops — you just find them.

Gameplay

Open Coin World and look at the map. Mystery markers appear when there's a drop in your area. Tap one to start researching it — this reveals a search zone. Walk through the zone and your phone scans the ground tile by tile until you find the exact spot.

Difficulty controls how large the search zone is. Easy drops have a small zone (~40 m) — you'll find them in minutes. Hidden drops have a huge zone (~5 km) — those can take days of walking. The harder the hunt, the more satisfying the find.

Yes. Your progress is saved locally. Close the app, come back tomorrow, and your explored tiles are still there. If someone else claims the drop while you're away, you'll be notified.

The coin icon appears at the exact spot. Tap it, enter your wallet address, and hit Claim. Your phone generates a cryptographic proof that you're physically there, and the coins are sent to your wallet. The whole claim takes about 10 seconds.

You might be the first one there! Just by opening the app, your area gets indexed into the system. Campaign creators can now see there's a player nearby and start placing drops. Keep checking in.

Yes — it's first come, first served. If someone else finds and claims it before you, the drop is gone. That's part of the thrill.

Privacy and security

No. Your GPS never leaves your device. Claims use a Groth16 zero-knowledge proof that verifies you're in range without revealing where you are. Your position is never transmitted.


We do log an anonymous activity heatmap: when you discover an area, the server records a ~25 km² zone (about 5,000 football fields). No identity attached. This helps campaign creators place drops where players are actually active. That's the most precise location data we store.

A zero-knowledge proof lets you prove a statement is true without revealing any information beyond the truth of that statement. In Coin World, the statement is: "I am within X meters of the drop." The proof convinces the server this is true, but the server learns nothing about where you actually are. We use Groth16 proofs over the BN254 elliptic curve — the same math used in production blockchain systems.

There are three independent cryptographic barriers. First, the drop's coordinates are encrypted under a key derived with Argon2id (a memory-hard function using 16 MB of RAM per attempt) — you have to try every 3-meter grid cell in the search zone to find it. Second, a server-held research nonce is baked into the encryption key, so you can't even start decrypting without the server's rate-limited permission. Third, the zero-knowledge proof must satisfy a Poseidon hash commitment that binds the exact coordinates. Spoofing one gate doesn't help — you need all three.

No sign-up, no email, no password. When you first open Coin World, a 6-word passphrase is generated locally in your browser. A secp256k1 keypair (the same curve used by Bitcoin and PIVX) is derived from that passphrase via PBKDF2. That keypair is your identity. Write the words down if you want to use it on another device.

For campaign creators

Open the Campaign Manager. Create a campaign, set your coin and difficulty, then click the map to place drops. Fund them through the built-in wallet, and they go live for players to find.

You choose how much each drop is worth. The platform takes a 15% fee on top of your drop values to cover infrastructure. Network transaction fees are minimal.

Never. Each drop gets its own P2SH address on the blockchain with an HTLC (Hash Time-Locked Contract) script. The script has two spending paths: the player can sweep it after proving physical presence (via an additive key split — the sweep key is the sum of a location-derived player share and a server-held share), or you can reclaim it after the timelock expires using your creator key. At no point does Coin World have a key that can move the funds.

Each drop's HTLC script includes a timelock (OP_CHECKLOCKTIMEVERIFY) set to the expiry you choose. After that time passes, the ELSE branch of the script activates, allowing you to sign a reclaim transaction with your creator key. The coins return to your wallet. The blockchain enforces this — no trust required.

Yes. The Campaign Manager shows a heatmap of player activity at ~25 km² resolution (about 5,000 football fields per cell). Detailed enough to find active areas, too coarse to locate anyone.

For the nerds

Every claim runs a Groth16 zk-SNARK (BN254 curve, 1,198 constraints) that proves three things simultaneously without revealing any coordinates:


1. "I found the real drop." The player knows (cx, cy, sweep_salt) that Poseidon-hash to the public commitment stored on the server. Poseidon is one-way — the server can check the hash matches but can't reverse it to get coordinates. The player can't fake this either — they had to decrypt the Argon2id payload by physically walking to the right grid cell.


2. "I'm close enough." The circuit evaluates (cx - ux)² + (cy - uy)² * cos²(lat) ≤ r², a latitude-corrected distance check. The player's position (ux, uy) is a private input — the verifier never sees it.


3. "This proof is fresh." Poseidon(commitment, nonce) == nonce_commitment, binding the proof to a one-time server-issued nonce. Prevents replay attacks.


Public inputs (what the server sees): commitment (a hash), r² (the allowed radius), nonce, nonce_commitment, cos_lat_scaled. Private inputs (hidden): cx, cy, sweep_salt, ux, uy. The server verifies the proof in ~1 second. If the math checks out, it releases the server_share — completing the additive key split that lets the player sweep the drop.

Every drop is protected by three independent locks. You need all three to claim.


Gate 1: research_nonce. A 32-byte server-held secret baked into the Argon2id encryption key. Without it, you can't even begin decrypting. The server releases it via a rate-limited endpoint — this turns rate-limiting from a policy into math.


Gate 2: Physical presence. The drop's coordinates are encrypted under a key derived with Argon2id (16 MB memory-hard, 3 iterations). You brute-force every 3 m grid cell in the search zone by walking there. Each cell costs 250-750 ms of computation on a typical phone. No shortcut — you have to be on the ground.


Gate 3: ZK proof → server_share. After finding the drop, the sweep key is split additively: sweep_privkey = player_share + server_share (mod n, secp256k1). The server only releases its share after verifying your Groth16 proof. Without it, the player_share alone is useless.
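
The additive split from Gate 3, worked through in Python as an added example (not Coin World's own code). The share values are constructed placeholders and the function names are hypothetical; in the real system the player_share comes from CW-KDF and the server_share from the server after proof verification.

```python
import hashlib

P = 2**256 - 2**32 - 977                                                 # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # group order n
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator

def point_add(a, b):
    """Add two affine points; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                    # a == -b
    if a == b:
        m = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P   # tangent slope
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P  # chord slope
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def scalar_mult(k, point=G):
    """Double-and-add. Not constant time: illustration only."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, point)
        point = point_add(point, point)
        k >>= 1
    return acc

def constructed_share(label: bytes) -> int:
    """Placeholder share in [1, n-1]; stands in for CW-KDF / server output."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % (N - 1) + 1

def combine_shares(player_share: int, server_share: int) -> int:
    """sweep_privkey = player_share + server_share (mod n)."""
    key = (player_share + server_share) % N
    if key == 0:
        raise ValueError("shares cancel: zero is not a valid private key")
    return key

player = constructed_share(b"constructed player share")
server = constructed_share(b"constructed server share")
sweep_pub = scalar_mult(combine_shares(player, server))
# Property of the additive split: the public halves add to the same point.
from_public = point_add(scalar_mult(player), scalar_mult(server))
print("public shares sum to sweep_pubkey:", from_public == sweep_pub)
print("player_share alone gives sweep_pubkey:", scalar_mult(player) == sweep_pub)
```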

Each drop funds a P2SH address wrapping an HTLC with two spending paths:


Claim branch (OP_IF): <sig> <sweep_pubkey> OP_CHECKSIG. The sweep key is derived from the additive split of player_share (location-derived via CW-KDF: 1M sequential SHA-256 rounds) and server_share (released after ZK verification). No hashlock, no platform keys.


Reclaim branch (OP_ELSE): <expiry> OP_CHECKLOCKTIMEVERIFY <creator_pubkey> OP_CHECKSIG. After the timelock, the campaign creator can reclaim unfound drops. The blockchain enforces this — no trust required.


Nothing secret ever appears on-chain. The server_share is transferred via HTTPS, making the system MEV-safe. No front-running possible.