Guest Post by Eli Ben-Sasson
It is the one bet Polymarket cannot guarantee it would pay out. Will quantum computing break the world’s most famous prediction market, and every other one along with it?
If you follow quantum computing coverage, think “I’m not into crypto,” and skip straight to the World Cup, this is the part worth stopping for. The platform you might place that World Cup bet on carries the same quantum exposure. Not in some philosophical sense, but in the actual plumbing of how ownership, orders and settlement work. I have spent years building post-quantum systems, and this is the kind of exposure that worries me most, precisely because ordinary users never see it.
Prediction markets are one of the clearest mainstream uses of crypto. If you want the odds of a Fed rate cut, an election result, or who lifts the World Cup, a prediction market often gives a sharper signal than any pundit. People stake real money on real outcomes, and the price becomes a live estimate of probability. That is what makes them so interesting: simple to grasp, tied to things people actually care about, and usable without ever reading a blockchain white paper.
Then you look under the hood.
Polymarket runs on Polygon PoS, the widely used Ethereum-compatible chain. Orders are signed by users, matched off-chain, and settled on-chain. The positions rest on conventional blockchain signatures, the same broad family of cryptography used across much of the industry today. And that cryptography is not quantum-secure.
Let me be clear about what I am not saying. No public quantum computer today can do this. This is preparation for a coming risk, not a claim that anyone’s funds are unsafe tomorrow morning. But a sufficiently powerful quantum computer would change the security assumptions these systems are built on, and it is worth being precise about how.
What could actually happen
A quantum attacker could go after users’ wallets once enough public-key material is exposed. In Ethereum-style systems, transactions and signatures can reveal information tied to the public key behind an address. A powerful enough quantum computer could use that public key to derive the private key. At that point the attacker would not need to “hack Polymarket” in any familiar sense. They could simply sign valid instructions from the wallet itself.
Bets could be moved, sold or redeemed by someone other than the real owner. Polymarket positions are held as tokens on Polygon. Compromise the private key controlling those tokens and an attacker can transfer them away, sell them into the market, or redeem winning positions after resolution. Every step would show the system a valid signature.
The market itself could be distorted. Because the matching system depends on signed orders, an attacker holding compromised wallets could flood the book with valid-looking orders and cancellations. Fake liquidity, manipulated prices. The operator would not be cheating and the smart contracts would not be broken. The thing that breaks is simpler and more fundamental: the assumption that a signature proves the intention of the real user.
And here is what matters most. Confidence in outcomes could collapse long before every position is stolen. Prediction markets depend on trust in the whole chain of custody: who owns the shares, who can trade them, who can redeem them, and whether the settlement layer holds. Even a partial attack could drain liquidity, distort prices, and leave users wondering whether they are trading against real participants or stolen cryptographic identities.
This is the point that gets lost when quantum risk is reduced to the “what about Satoshi’s coins” question. Satoshi’s coins matter, of course. They are symbolically enormous. But the risk is not confined to old Bitcoin wallets. It reaches into the applications ordinary people actually touch. A World Cup bet, an election market, a rate-cut contract, each one rests on the quiet assumption that whoever signs an order is the person who owns the position.
A sufficiently powerful quantum computer puts that assumption in doubt. No phishing, no stolen password, no careless click. It would just do the math today’s blockchains assume nobody can do.
Prediction markets are especially fragile here, because they do not only hold money, they produce answers. If users cannot trust who owns the shares, who placed the orders, or who can redeem the winning side, the price stops being a useful signal. It becomes noise with a dollar sign attached.
The other half of the story
The reassuring part is that preparation is not hypothetical, and we know that because parts of it are already built.
I co-invented STARK cryptography, which has post-quantum security built into its design. I raise it not to champion it, but because it illustrates the point. STARKs, Scalable Transparent Arguments of Knowledge, are proof systems that let one party show a computation was done correctly without making everyone else redo the work. That is part of why blockchains can scale: a prover does the heavy lifting and produces a proof, and everyone else checks it quickly.
But STARKs are not only about scale. Their security rests on hash-based assumptions rather than the elliptic-curve assumptions that quantum computers threaten. In plain terms, they were built with the post-quantum era in mind. Whether the industry lands on STARKs or on something else, their existence proves the essential thing: quantum-resistant infrastructure can be designed and run at scale today.
A distinction inside Polygon’s own ecosystem makes this concrete, without turning into a lecture about Polygon. Polygon is not one chain but a family of networks from the same organization, each with its own architecture and security assumptions. Polymarket runs on Polygon PoS, the older proof-of-stake chain, not on a STARK-based system such as Polygon Miden, a newer network in the same family. So the vulnerable architecture and the safer one are not separated by science fiction. They sit side by side, under one roof, today.
The same is true in my own world. Starknet already relies on STARK proofs, and I have overseen a roadmap to harden the remaining parts of the system so it can become fully post-quantum secure. I mention it not as an advertisement but as an existence proof. The work is not theoretical, it is an engineering path built on cryptography we already understand. If one team can chart that path, others can too.
Credit where it is due, and pressure where it is needed
This is why I was glad to see Ethereum put quantum-safety high on its roadmap. There is a lot to like in the plan. Recursive STARKs are excellent, privacy is excellent, formal verification is excellent. Quantum-safety belongs near the top of that list, not in a footnote.
I would question some of it. A timeline running toward the end of the decade feels too long for quantum readiness specifically. Some proposals need clearer explanation of what changes, who is affected, and what trade-offs are being accepted. And if Ethereum is moving toward a new execution environment on the back of STARKs, then, with the obvious disclosure that this is my corner of the field, I think Cairo deserves serious consideration. It is battle-tested, designed for ZK-STARKs, and already works as a next-generation smart contract language. Either way, Ethereum deserves credit for treating the problem as real.
I wish Bitcoin were moving with the same urgency. There are post-quantum proposals in the Bitcoin world, BIP-360 among them, and that work matters. But there is still no adopted, protocol-wide migration plan. Bitcoin is the most symbolically important system in crypto, and the one whose failure would be hardest to contain. Waiting until quantum computers are obviously dangerous would be exactly the wrong lesson to draw from the history of cryptography.
And every one of these delays is inherited by the applications built on top, including the prediction markets where ordinary users place their bets.
Migration is hard. There will be trade-offs, governance fights, and dependencies no single team controls. But difficulty is a reason to start sooner, not later. We do not get to choose the quantum timeline. We only choose whether we prepare before it matters.
Prediction markets are useful because they force people to price the future. It would be a strange failure if the industry building them refused to price this one risk. A market that clears billions is worth very little the morning its signatures can be forged.
About Eli Ben-Sasson
Eli Ben-Sasson is the co-inventor of STARK proofs and CEO of StarkWare, the $8 billion company behind Starknet, a leading Ethereum Layer 2 network. A former professor of computer science at Technion, Israel Institute of Technology, he has spent more than two decades at the frontier of cryptographic research and was a founding scientist of Zcash before founding StarkWare in 2018. StarkWare’s technology secures billions of dollars in on-chain value using hash-based cryptography that is inherently resistant to quantum attack. He is the author of the USA Today bestseller Zero Knowledge, Infinite Trust (Wiley), co-written with Nathan Jeffay.