Author: Frank, PANews
An on-chain transaction costing less than $0.1 can instantly erase market-maker orders worth tens of thousands of dollars from Polymarket's order book. This is not a theoretical deduction but something that is happening right now.
In February 2026, a trader disclosed on social media a new type of attack against Polymarket market makers. Blogger BuBBliK described it as “elegant & brutal”: the attacker only needs to pay a Gas fee of less than $0.1 on the Polygon network to complete an attack cycle in about 50 seconds, while the victims, the market makers and automated trading bots that post real buy and sell orders on the order book, suffer forced order removal, positions left unhedged against their will, and even direct losses.
PANews examined an address the community has flagged as an attacker and found that the account, created in February 2026, traded in only 7 markets yet recorded a total profit of $16,427, most of it earned within a single day. When a prediction-market leader valued at $9 billion can have its liquidity base pried loose for a few cents, the problem goes well beyond a technical vulnerability.
PANews will delve into the technical mechanisms, economic logic, and potential impacts of this attack on the prediction market industry.
How the Attack Occurs: A Precision Hunt Using “Time Difference”
To understand this attack, one first needs to understand how trading on Polymarket works. Unlike most DEXs, Polymarket uses a hybrid “off-chain matching + on-chain settlement” architecture in pursuit of a user experience close to that of a centralized exchange: order placement and matching are completed off-chain instantly, and only the final fund settlement is submitted to the Polygon chain for execution. This design gives users zero-Gas order placement and second-level trade completion, but it also opens a “time difference” of several seconds to tens of seconds between the off-chain and on-chain state, and that window is exactly what the attacker targets.
The logic of the attack is not complicated. The attacker first places a normal buy or sell order through the API; the off-chain system checks that the signature and balance are valid and matches it against other market makers' orders on the book. Almost at the same time, the attacker sends an on-chain USDC transfer with an extraordinarily high Gas fee that withdraws all funds from the wallet. Because that Gas fee is far higher than the platform relay's default, the “drain” transaction is confirmed first. By the time the relay submits the matching result on-chain, the attacker's wallet is already empty, so the settlement transaction fails for insufficient balance and reverts.

If the story ended there, it would only waste a little of the relay's Gas. The truly fatal step is this: although the settlement fails on-chain, Polymarket's off-chain system forcibly removes every innocent market-maker order that participated in the failed match from the order book. In other words, the attacker used a transaction that was destined to fail to “one-click clear” orders that other people had posted with real money.
To use an analogy: it is like bidding loudly at an auction and then, at the moment the hammer falls, announcing “I have no money,” whereupon the auction house confiscates every normal bidder's paddle and the auction collapses.
It is worth noting that the community later discovered an “upgraded version” of the attack, dubbed “Ghost Fills.” The attacker no longer needs to race a transfer: after the orders are matched off-chain and before on-chain settlement, they simply call the contract's “cancel all orders” function, which invalidates their own orders instantly and achieves the same effect. More cunningly, the attacker can place orders in multiple markets at once, watch how prices move, keep only the favorable orders to settle normally, and cancel the unfavorable ones this way, effectively holding a free “win only” option.
The Economics of the Attack: A Few Cents of Cost, $16,000 of Gain
In addition to directly clearing market-maker orders, this desynchronization between off-chain and on-chain state has also been used to hunt automated trading bots. According to monitoring by the GoPlus security team, affected bots include Negrisk, ClawdBots, MoltBot, and others.
Clearing other people's orders and creating “ghost fills” do not by themselves generate profit, so how is the money actually made?
PANews found that the attacker's profit path primarily consists of two routes.
The first is “clearing the field and monopolizing market-making.” Normally, the order book of a popular prediction market has several market makers competing to post orders, and the spread between the best bid and the best ask is very narrow, for example a buy order at $0.49 and a sell order at $0.51, with market makers earning micro-profits from a $0.02 spread. By repeatedly initiating “transactions destined to fail,” the attacker forcibly clears all of these competing orders. With the book now empty, the attacker immediately posts buy and sell orders from their own account at a much wider spread, for example a buy order at $0.40 and a sell order at $0.60. Other users who need to trade have no better quotes and no choice but to accept this price, so the attacker pockets the $0.20 “monopoly spread.” The pattern then repeats: clear the field, monopolize, profit, clear again.
The second profit path is more direct: “hunting hedging bots.” To illustrate with a specific example: suppose that in a certain market the price of “Yes” is $0.50, and the attacker sends a $10,000 “Yes” buy order through the API that matches against a market-making bot. Once the off-chain system confirms the match, the API immediately tells the bot “you have sold 20,000 shares of Yes.” To hedge its risk, the bot immediately buys 20,000 shares of “No” in another related market to lock in its profit. But the attacker then causes that $10,000 buy order to fail and revert on-chain. The bot has in fact sold no “Yes” at all, so the position it believed was hedged is not: it now holds only 20,000 shares of “No” with no matching short position to protect it. The attacker then trades genuinely in the market, profiting either when the bot is forced to dump the unprotected position or by arbitraging the resulting price deviation directly.
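Added example (not code from Polymarket, PANews, or any of the bots named in this article): a toy Python model of the hedging-bot scenario just described. The `HedgeBot`, `Fill` and `Settlement` names are assumptions for illustration. `hedge_on_pending=True` models a bot that hedges as soon as the off-chain API reports a fill, which is the behaviour the article describes; `False` models the defensive alternative of hedging only once settlement is confirmed on-chain. Replaying the 20,000-share case through both shows the naked 20,000-share No position that a failed settlement leaves behind.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Set


class Settlement(Enum):
    PENDING = "pending"      # matched off-chain, nothing on-chain yet
    CONFIRMED = "confirmed"  # relay's settlement transaction succeeded
    FAILED = "failed"        # settlement reverted (e.g. insufficient balance)


@dataclass
class Fill:
    fill_id: str
    shares: int              # "Yes" shares the bot is told it sold
    settlement: Settlement = Settlement.PENDING


@dataclass
class HedgeBot:
    """Hypothetical market-making bot that hedges Yes sales by buying No in a related market."""
    # True: hedge as soon as the off-chain API reports the fill (behaviour described in the article).
    # False: hedge only after the on-chain settlement is confirmed.
    hedge_on_pending: bool
    yes_sold: int = 0        # Yes shares actually sold, i.e. settled on-chain
    no_bought: int = 0       # No shares bought in the related market as a hedge
    fills: Dict[str, Fill] = field(default_factory=dict)
    hedged: Set[str] = field(default_factory=set)

    def on_offchain_match(self, fill: Fill) -> None:
        """API signal 'you have sold N shares of Yes'. At this point it is only a promise."""
        self.fills[fill.fill_id] = fill
        if self.hedge_on_pending:
            self._place_hedge(fill)

    def on_settlement(self, fill_id: str, outcome: Settlement) -> None:
        """On-chain outcome for a previously reported fill."""
        fill = self.fills[fill_id]
        fill.settlement = outcome
        if outcome is Settlement.CONFIRMED:
            self.yes_sold += fill.shares
            if fill_id not in self.hedged:
                self._place_hedge(fill)
        # On FAILED the Yes sale never happened; a bot that already hedged is now naked.

    def _place_hedge(self, fill: Fill) -> None:
        self.no_bought += fill.shares
        self.hedged.add(fill.fill_id)

    def unhedged_exposure(self) -> int:
        """Hedge-leg shares not backed by a settled Yes sale; 0 means fully hedged."""
        return self.no_bought - self.yes_sold


def run_scenario(hedge_on_pending: bool, outcome: Settlement) -> int:
    """Replay the article's example: a 20,000-share fill whose settlement then confirms or fails."""
    bot = HedgeBot(hedge_on_pending=hedge_on_pending)
    bot.on_offchain_match(Fill("fill-1", shares=20_000))
    bot.on_settlement("fill-1", outcome)
    return bot.unhedged_exposure()


if __name__ == "__main__":
    for early in (True, False):
        for outcome in (Settlement.CONFIRMED, Settlement.FAILED):
            label = "hedge on API signal" if early else "hedge after settlement"
            # Only the (early hedge, failed settlement) case leaves 20000 naked No shares.
            print(f"{label:24s} {outcome.value:10s} naked No shares = {run_scenario(early, outcome)}")
```

The trade-off is that waiting for on-chain confirmation exposes the bot to price movement during the settlement window, so a real implementation would typically cap the exposure it is willing to carry on unconfirmed fills, or hedge only a fraction until confirmation, rather than trusting the API's fill signal outright.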
From a cost perspective, each attack cycle needs less than $0.1 in Gas fees on the Polygon network and takes about 50 seconds, so in theory around 72 cycles are possible per hour. One attacker built a “dual wallet cycling system” (Cycle A Hub and Cycle B Hub operating alternately) to fully automate high-frequency attacks. Hundreds of failed transactions have already been recorded on-chain.
On the profit side, the address flagged by the community shows that this account, created in February 2026, traded in only 7 markets but achieved a total profit of $16,427, with the largest single gain reaching $4,415 and the core profit activity clustered within a very short time window. In other words, the attacker extracted more than $16,000 in profit within a day for total Gas costs of possibly less than $10. And this is just one flagged address; the actual number of participating addresses and the total profit may be far higher.

For the affected market makers, the losses are even harder to quantify. Traders running BTC 5-minute market bots on Reddit report losses of “thousands of dollars.” The deeper harm lies in the opportunity cost of orders being repeatedly force-removed and the operational expense of having to rework market-making strategies.
The thornier issue is that this vulnerability stems from fundamental design flaws in Polymarket's underlying mechanism and cannot be fixed in the short term. As the attack method spreads, similar tactics will become more common, further undermining Polymarket's already fragile liquidity.
Community Self-Rescue, Early Warnings, and Platform Silence
As of this writing, Polymarket has not issued a detailed statement or remediation plan for this order attack, and some users have said on social media that the bug was reported repeatedly months ago without anyone paying attention. It is worth mentioning that when previously faced with a “governance attack” (UMA oracle voting manipulation), Polymarket also chose to refuse refunds.
In the absence of official action, the community began looking for its own solutions. A community developer voluntarily created an open-source monitoring tool called “Nonce Guard,” which watches order-cancellation operations on the Polygon chain in real time, builds a blacklist of attacker addresses, and provides a generic warning signal for trading bots. This is essentially a monitoring patch, however, and cannot fix the root cause.
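As an added illustration of the monitoring approach (example code written for this page, not Nonce Guard or any other project's code), the Python below scores counterparty addresses from a constructed event stream: off-chain fills that later revert on-chain and on-chain cancel-all calls are counted per address over a sliding window, and addresses crossing the thresholds land on a blacklist that a bot can consult before treating a fill as real. The event format, field names, sample data and thresholds are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# (unix_ts, kind, address, order_id). kinds: "match" = off-chain fill reported for the
# address's order; "settled"/"revert" = on-chain settlement outcome for that order;
# "cancel_all" = the address called the exchange contract's cancel-all function on-chain.
Event = Tuple[int, str, str, str]

# Constructed sample stream for illustration, not real Polygon data.
SAMPLE_EVENTS: List[Event] = [
    (100, "match", "0xAAA", "o1"), (101, "revert", "0xAAA", "o1"),
    (150, "match", "0xAAA", "o2"), (152, "revert", "0xAAA", "o2"),
    (200, "match", "0xAAA", "o3"), (201, "revert", "0xAAA", "o3"),
    (210, "match", "0xBBB", "o4"), (215, "settled", "0xBBB", "o4"),
    (230, "match", "0xCCC", "o5"), (232, "cancel_all", "0xCCC", ""),
    (240, "match", "0xCCC", "o6"), (242, "cancel_all", "0xCCC", ""),
    (300, "match", "0xBBB", "o7"), (302, "revert", "0xBBB", "o7"),  # a single revert is normal
]


@dataclass
class AddressStats:
    matches: int = 0
    reverts: int = 0
    cancel_alls: int = 0

    def revert_ratio(self) -> float:
        return self.reverts / self.matches if self.matches else 0.0


def collect_stats(events: Iterable[Event], now: int, window_s: int) -> Dict[str, AddressStats]:
    """Per-address counts over the window_s seconds ending at `now`."""
    stats: Dict[str, AddressStats] = defaultdict(AddressStats)
    for ts, kind, addr, _order_id in events:
        if ts < now - window_s or ts > now:
            continue
        s = stats[addr]
        if kind == "match":
            s.matches += 1
        elif kind == "revert":
            s.reverts += 1
        elif kind == "cancel_all":
            s.cancel_alls += 1
    return dict(stats)


def build_blacklist(events: Iterable[Event], now: int, window_s: int = 600,
                    min_reverts: int = 2, min_revert_ratio: float = 0.5,
                    min_cancel_alls: int = 2) -> Set[str]:
    """Flag addresses whose fills repeatedly revert, or that repeatedly cancel-all after matching."""
    flagged: Set[str] = set()
    for addr, s in collect_stats(events, now, window_s).items():
        repeated_reverts = s.reverts >= min_reverts and s.revert_ratio() >= min_revert_ratio
        repeated_cancel_all = s.cancel_alls >= min_cancel_alls
        if repeated_reverts or repeated_cancel_all:
            flagged.add(addr)
    return flagged


def fill_is_trustworthy(counterparty: str, blacklist: Set[str]) -> bool:
    """Hook for a bot: fills from flagged counterparties are treated as unconfirmed, not as real."""
    return counterparty not in blacklist


if __name__ == "__main__":
    bl = build_blacklist(SAMPLE_EVENTS, now=310)
    print("flagged:", sorted(bl))                             # ['0xAAA', '0xCCC']
    print("trust 0xBBB:", fill_is_trustworthy("0xBBB", bl))   # True
```

The thresholds are deliberately conservative: a single reverted settlement can have benign causes, so the minimum count and the ratio are required together to avoid flagging ordinary users, and the blacklist decays naturally as events age out of the window. Like the community tool, this only narrows the damage; a bot still has to treat any fill as unconfirmed until settlement lands on-chain.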

Compared with other arbitrage methods, the potential impact of this attack strategy may be more far-reaching.
For market makers, carefully placed orders can be cleared in bulk without warning, and the stability and predictability of market-making strategies may collapse entirely, which could directly shake their willingness to keep providing liquidity on Polymarket.
For users running automated trading bots, the trade signals returned by the API can no longer be trusted, while ordinary users may suffer significant losses when liquidity abruptly disappears.
For the Polymarket platform itself, when market makers are afraid to post orders and bots are hesitant to hedge, the depth of the order book will inevitably shrink, further worsening this deteriorating cycle.
Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If any article or image on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.