Zero-Knowledge Betting: How ZK Proofs Make Bets Private
How a proof can verify a bet without revealing it — notes, commitments, nullifiers, and shared anonymity sets, in plain terms.

On this page
What a zero-knowledge proof isThe privacy problem ZK solves for bettingThe building blocksThe lifecycle, as proofsWhy proofs run in your browserA little more depth (optional)Honest limits and trustFAQ"Zero-knowledge betting" sounds like a contradiction — how can a bet be verified if no one can see it? The answer is the same cryptography that powers private payments and ZK-rollups: a zero-knowledge proof lets you prove a statement is true without revealing the data behind it. Applied to prediction markets, it lets you prove "this is a valid bet, backed by my funds" without revealing which bet is yours.
Zero-knowledge betting means a cryptographic proof verifies your bet is valid and funded without revealing which bet is yours. Your funds live in a private "note"; you prove you own an unspent note somewhere in a shared tree — not which one — so the depositor↔bet link is unlinkable on-chain. The deposit itself stays public.
Here's how it actually works, in plain terms, building up to the pieces — notes, commitments, nullifiers — that make it real.
What a zero-knowledge proof is
A zero-knowledge proof is a way to convince a verifier that some statement holds — "I know a password," "I have enough balance," "this transition is valid" — while revealing nothing beyond the truth of the statement itself. The verifier learns that you're telling the truth, not why or what's underneath.
A classic intuition: imagine proving you can tell two paint colors apart to someone who's color-blind, without ever naming the colors. You can demonstrate the ability without revealing the information. ZK proofs do that mathematically, and modern systems (zk-SNARKs) make the proofs tiny and fast to check — which is what makes them practical to verify on a blockchain.
The privacy problem ZK solves for betting
On a normal prediction market, the chain enforces validity by making everything public: your wallet, your balance moves, your position. Validity and privacy are in tension — the system "trusts" you by watching you.
Zero-knowledge breaks that tension. You can prove your bet is valid — funded, correctly formed, not a double-spend — without publishing who you are. The chain still enforces every rule; it just does so against a proof instead of against your exposed data.
The building blocks
Privacy systems like PolyShield represent your money as a note, not an account balance. Four ideas do the work:
- Note
- Your private balance, represented as a secret bundle — (secret, balance, nonce, owner). It lives only in your browser.
- Commitment
- A public fingerprint of your note — a hash (Poseidon, chosen for ZK efficiency) that reveals nothing about its contents but lets you later prove you own it. Commitments get added to an on-chain Merkle tree of all notes.
- Nullifier
- A one-time tag published when you spend a note, so the same note can't be spent twice. It's derived from your secret in a way that can't be linked back to your commitment — so spending reveals "some valid note was used," not "your note was used."
- Anonymity set
- Because your proof only shows your note is somewhere in the tree of all notes, you're hidden among every other depositor. The bigger that set, the stronger the privacy.
Put together: you prove "I own an unspent note in the tree, and here's a valid new note reflecting my bet" — without revealing which note, which makes the bet unlinkable to you.
The lifecycle, as proofs
Every action in a privacy vault is a different proof, each enforcing its own rules:
- Deposit. A proof binds your new note's balance to the exact USDC you transferred, so you can't commit more than you paid in. (The deposit itself is public — see the honesty beat below.)
- Bet authorization. A proof shows you own an unspent note, debits the stake, and creates a fresh note — and publishes a nullifier so the old note can't be reused.
- Settlement. When a market resolves, a proof credits your winnings into a new note. The vault injects the official payout it reads on-chain, so the credit can't be inflated.
- Withdrawal. A proof shows you own a note and binds the payout to your own depositing address — withdrawals can't go anywhere else.
The chain verifies each proof and updates the public tree. It never learns who you are.
Why proofs run in your browser
This is the part that makes the privacy real: every proof is generated client-side, in your browser, with WebAssembly. Your note secret never leaves your device. No PolyShield server ever receives the data that could link a bet to you — it can't de-anonymize you because it never has the secret in the first place. The trade-off is time: generating a proof takes roughly 30 seconds to 2 minutes depending on your device.
This is also why "the company could leak my data" isn't the threat model it is for a normal app: there's no server-side database of your bets to leak, because the linking information never arrives at a server.
A little more depth (optional)
- Groth16 is the succinct proving system PolyShield uses (over the BN254 curve). Proofs are small and cheap to verify on-chain via generated verifier contracts.
- Poseidon is a hash function designed for ZK circuits — far cheaper to prove over than Keccak — used for every commitment and nullifier.
- Merkle tree membership is what a spend proof demonstrates: "my commitment is one of the leaves," without revealing which leaf.
You don't need any of this to use the product, but it's why it's fast enough to be practical. For definitions of every term here, see the docs glossary.
Honest limits and trust
Zero-knowledge isn't magic, and a privacy brand that pretends otherwise isn't worth trusting:
- That your wallet deposited into the vault, and how much
- The vault's bets on Polymarket (placed from its shared account)
- Which depositor authorized which bet
- Your positions, sizes, and running strategy
- The deposit itself stays public — by design.
- PolyShield is open-source but not independently audited yet; don't read "ZK" as "proven immune." Soundness depends on the circuits being correct.
- It's mainnet beta with a $50k per-address cap. It is not a mixer, and it isn't a tool to evade KYC or regulations.
→ Go deeper: How to bet on Polymarket privately · or read the docs glossary for every term here.
Trade privately on Polymarket
Non-custodial, on Polygon. Your wallet never appears on a trade.
FAQ
What is zero-knowledge betting?
Placing bets where a zero-knowledge proof verifies the bet is valid and funded without revealing which bet is yours. The chain enforces every rule against a proof instead of your exposed data.
How do ZK proofs keep a bet private?
Your funds are a private "note." You prove you own an unspent note somewhere in a tree of all notes — not which one — and publish a one-time nullifier to prevent double-spends. That hides which bet a depositor authorized.
Does the company see my bets or my secret?
No. Proofs are generated in your browser and your note secret never leaves your device. The backend only ever handles public data, so it can't link a bet to you.
Is zero-knowledge the same as anonymous?
No. It makes the depositor↔bet link unlinkable on-chain, but your deposit into the vault is still public. It's privacy in a specific, honest sense — not anonymity.