Logo
My Crypto News AI

How Zero-Knowledge Proofs Are Making Public Goods Funding Actually Verifiable

Zero-knowledge proofs are moving public goods funding from trust-based systems to cryptographically verifiable ones. For decades, grant rounds and donation matching relied on off-chain computation followed by community review. Octant's Epoch 12 quadratic funding round, which closed on June 30 and distributed $9 million cumulatively to 25 nonprofits and public goods projects, changed that by running the entire tally through a zero-knowledge proof system verified on-chain before any payouts occurred.

The shift matters because it solves a problem Nick Szabo identified in 2001: trusted third parties are security holes. When an operator computes grant allocations off-chain and posts results to a blockchain, the chain stores the output but cannot verify whether the computation actually matched the inputs. Voters, donors, and recipients have to trust audits, reputation, or multisig signatures. A properly ZK-verified process moves the checking into the protocol itself, so the smart contract can confirm the proof before recording any result.

What Does a Zero-Knowledge Proof Actually Verify in a Funding Round?

Octant's architecture shows how this works in practice. The round parameters were fixed on-chain first: the project list, matching pool (200 WETH, funded from the Golem Foundation's ETH staking yield), and duration. Voters then signed ballots off-chain and submitted them to Octant's sequencer, paying gas only for signup; voting itself was free. The sequencer batched these signed ballots into Ethereum blobs, the same data type rollups use, posting 15 batches roughly once daily from June 17 through June 30.

After the round closed, an off-chain service called the coprocessor read every blob and fed all 209 signed ballots into a program built on SP1, a general-purpose zero-knowledge virtual machine (zkVM). The program re-ran the entire election under constraint: every signature was checked against the registered voter set, superseded ballots were dropped by nonce, per-round budgets were enforced, and the quadratic allocation was computed, including the alpha scaling factor that handles capital-constrained rounds. The program filtered out eight ballots, most likely participants who changed their vote and had earlier ballots superseded by nonce.

The Succinct Network then compressed the SP1 execution into a Groth16 proof, a compact cryptographic receipt binding one specific input set to one specific output. This proof is public on the Succinct explorer. When the coprocessor submitted it to a TallyVerifier contract, the contract checked it against a verifying key encoding what computation should have run. If anything in the computation was tampered with, the proof failed to verify and the transaction reverted. If the proof held, the results were written to a VoteRegistry contract, two PaymentSplitter contracts were deployed, and every project could claim its allocation permissionlessly.

How to Understand What a ZK Proof Covers and What It Doesn't

  • What the proof attests to: Every signature was valid, duplicates were removed by nonce, no voter exceeded their budget, and the quadratic funding totals and alpha-scaled allocation were computed exactly as specified. The proof also commits to the voter set fixed at signup and the recorded sequence of blobs, so neither voters nor ballots could be swapped between the flush and the proof.
  • Privacy limitations: Voter addresses and ballot choices sit in public blobs. Anyone can read how any address voted. Octant stated plainly that privacy is on the roadmap but acknowledged the current limitation rather than hand-waving it away.
  • Sequencer trust: The Octant-run sequencer cannot forge a ballot because signatures prevent that. However, it could omit one. A voter whose ballot never made it into a blob would have to notice and complain. This is the same trust profile as most rollup sequencers today, and the same mitigation path applies: either decentralizing the sequencer or adding a forced-inclusion channel.

The design principle running through all six steps is that off-chain work earns no authority until it leaves an on-chain artifact. A ballot has no standing until it sits in a public blob, and a blob has no standing until the verifier contract accepts a proof over it. This is what "verified on-chain" actually means in this context, as opposed to the looser usage where an operator simply posts results and the chain stores them.

Why This Matters Beyond Funding Rounds

Quadratic funding, first formalized by Vitalik Buterin, Glen Weyl, and Zoë Hitzig, allocates a matching pool by weighting the number of contributors more heavily than contribution size. It has been a textbook case of the gap between computation and verification. Running the tally directly on mainnet would fix the verification problem, but updating a quadratic funding computation with every vote is prohibitively expensive in gas. Octant's design accepts public ballots and goes after a different guarantee: that the tally itself is provably correct, using zero-knowledge proofs to compress expensive verification into a few pairing checks.

The Epoch 12 round showed this works at scale. Nearly half of all ballots, 101 of 209, arrived in the final day, which is typical deadline behavior in funding mechanisms. The alpha factor did no cutting this time; Epoch 12 ran at alpha equals 1.000, meaning the community's vote pattern called for 81.86 WETH of the 200 WETH pool, every project received its full ideal match, and the remainder rolls into future rounds.

For public goods funding, this shift from social trust to cryptographic verification is significant. Donors, voters, and recipients no longer have to take the operator's word that the computation ran as promised, that sybil filtering was honest, or that no ballot quietly disappeared. The proof either verifies or it does not. If it verifies, the results are written to a contract and Octant cannot delay or gate the payouts after that point. This is the honest boundary of what zero-knowledge proofs can guarantee in a funding round: not privacy, not censorship resistance at the sequencer, but mathematical certainty that the tally matches the inputs.