PolyShield
POLYGON MAINNET · BETA
CORE CONCEPTS

Spending notes

PolyShield doesn't track your money as a balance in an account. It holds it as notes — private records you keep, where only an unreadable fingerprint of each one ever touches the chain.

Why notes instead of a balance?

Almost everything you know — your bank, an exchange, even an everyday crypto wallet — uses an account: a single running balance, one number that ticks up and down. PolyShield works more like physical cash. Your money is a handful of discrete notes, each worth a fixed amount, and your balance is simply their sum. (If you've heard of Bitcoin's "UTXO" model, this is the same idea.)

[Figure: account model vs. note model]
Account model (a bank account, your MetaMask): Balance $100 → spend $30 → Balance $70. One number, edited in place.
Note model (like cash, "UTXO"): $40 + $60 = $100 → spend $30 → $40 kept + $30 change = $70. Old note destroyed, change note minted.
An account keeps one running balance and edits it in place — a single record that's easy to track over time. PolyShield holds your money as notes, like cash: spending destroys the note you used and mints a fresh change note, so there's no persistent trail to follow.

That difference is the whole point for privacy. A running balance is one long-lived record that's easy to watch over time. Notes are disposable: every time you spend, the note you used is destroyed for good and a brand-new note is minted for the change — with a fresh, unlinkable identity. There's no persistent account for an observer to follow.

You never juggle notes by hand
The app picks and splits notes for you automatically. The model is what makes the privacy work — but day to day you just see a single balance, like in any normal app.

What's inside a note

A note is four pieces of information. Picture it as a sealed envelope: the vault takes the sealed envelope and keeps only a tamper-evident stamp of it, never the contents.

[Figure: anatomy of a spending note]
Fields, which live only in your browser: secret (random, wallet-derived), balance (USDC, 6 decimals), nonce (increments per spend), owner_address (your wallet).
Poseidon4() over all four fields → commitment, stored on the tree.
Poseidon2() over secret + nonce → nullifier, revealed once, on spend.
A note is private data you hold. Only its commitment (a hash) is ever stored on-chain — like depositing a sealed envelope whose contents nobody can read. The nullifier is a separate one-time stamp derived from the secret.
secret: a random value derived from your wallet signature; the key to spending the note.
balance: the USDC the note is worth, in micro-units (6 decimals).
nonce: a counter that increments every time you spend, so each spend is distinct.
owner_address: your depositing wallet, as a field element. This is what pins withdrawals to you.

Two derived values

From those fields the circuit derives two things that matter on-chain:

commitment  C = Poseidon4(secret, balance, nonce, owner_address)
nullifier   N = Poseidon2(secret, nonce)
  • The commitment is the public fingerprint stored as a leaf in the Merkle tree. It reveals nothing — you can't recover the balance or owner from it.
  • The nullifier is published only when you spend, to mark the note as used. Crucially it's built from just secret and nonce — not balance or owner — so it can't be correlated to a deposit amount or address.
Nothing to back up
The secret is re-derived from your wallet on demand, so notes are never stored in plaintext anywhere and there is no seed phrase. The encrypted note cache in your browser is a convenience; your wallet is the real backup.