Social network users report a vulnerability that would allow the probabilities of different markets to be artificially altered without any actual operations being performed.
One of the whistleblowers, known on X as Lirrato, has been warning about this vulnerability since February 21st. Specifically, he pointed to the Polymarket market “What is the probability that Judy Shelton will be named Fed Chair on February 20th?”
According to his account, that market was artificially inflated from 0.6% to 30%, an increase of 5,000%. However, at the time of CriptoNoticias’ review, markets related to “Judy Shelton and the FED” could not be traded on the Polymarket website.
According to a screenshot shared by Lirrato on February 23 this year, in the “Dutch Prime Minister” market the probability went from 0.1% to 35%, an increase of 35,000%. This happened without any movement within Polygon, the network on which Polymarket operates and where funds are actually transferred.
The exploit aims to change the displayed probability in order to trigger the arbitrage bots that operate on Polymarket.
These programs monitor the order book and, when they detect what looks like strong demand (such as large orders pushing up the odds), react automatically by buying or adjusting positions to capture price differences.
According to Lirrato, the exploit leverages this automated behavior: it simulates demand so that the bots act, dragging even other users along, and cancels the order before it is completed, leaving the bots exposed.
If a third party reacts believing that there is a real profit in that new price, the entity that caused the move can exploit that temporary distortion to profit. This is true even if the original transaction was never actually settled on-chain.
According to Lirrato’s post, after the sudden movement in the “Judy Shelton and the F.E.D.” market, the Polymarket team reportedly warned of the alleged exploit. The following message was displayed:
“Polymarket is aware of a technological exploit that may be artificially distorting prices. Rather than reflecting the true underlying market price, prices clearly resulting from this exploit are not taken into account during market resolution.”
@itslirato on Twitter.
When testing other bets, the platform rejected some order attempts, but approved others. CriptoNoticias was unable to verify whether the denial is related to the alleged exploit.
As of this writing, the Polymarket team has still not released any official statement on this matter.
How does this exploit work on Polymarket?
According to Lirrato’s report, the issue is related to the central limit order book (CLOB) used by Polymarket.
In a CLOB system, buy and sell orders are matched outside of the blockchain (i.e., on a server that coordinates users’ bids). Final settlement of the operation takes place on Polygon.
If an order is canceled after being matched in the order book but before the transaction is confirmed on the Polygon network, a temporary distortion of the probabilities displayed by the platform can occur, even if the operation is never performed on-chain.
The whistleblowers say this hybrid design could create vulnerabilities.
The attacker likely placed a large number of orders in the off-chain order book, causing the system to display new probabilities and the arbitrage bots to react automatically, believing that the orders would be carried out.
However, before the transaction is actually settled on Polygon, i.e. before any money is exchanged on-chain, the user uses a technical function called “incrementNonce” to submit a cancellation transaction, invalidating the previously signed order. In this way, orders are matched off-chain but never fulfilled on the blockchain.
Simply put, the attacker creates the appearance of real bets that move the odds, but cancels before the money changes hands.
An easy way to understand this is to imagine an auction. Someone raises their hand and offers a very high amount, forcing others to readjust their bids, but they withdraw their bids just before the sale ends. Even though there was never any actual operation, psychological effects and price fluctuations were already occurring.
Although the network fee for the entire exploit cycle is only a few dollars, bots that react to the movement are left with a position that can result in larger losses, Lirrato explained.
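As an added illustration (not code from the article, from Polymarket, or from any bot mentioned here), this is how a trading bot or monitor could reconcile off-chain matches against on-chain settlements and refuse to trust a price that moved on volume that never settled. The record schema, the 30-second timeout, the thresholds and the market ids are all assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass
class Match:       # one off-chain match from an order book (hypothetical schema)
    match_id: str
    market: str
    price: float   # implied probability, 0..1
    size: float
    ts: float      # seconds

def reconcile(matches, settled_ids, now, timeout=30.0):
    """Classify each match as settled, pending or ghost (never settled in time)."""
    report = {}
    for m in sorted(matches, key=lambda x: x.ts):
        r = report.setdefault(m.market, {"displayed": None, "settled_price": None,
                                         "settled": 0.0, "pending": 0.0, "ghost": 0.0})
        r["displayed"] = m.price                 # what the off-chain book shows
        if m.match_id in settled_ids:
            r["settled_price"] = m.price         # last price backed by a transfer
            r["settled"] += m.size
        elif now - m.ts > timeout:
            r["ghost"] += m.size                 # matched, but no on-chain settlement
        else:
            r["pending"] += m.size               # still inside the confirmation window
    return report

def flag_markets(report, min_jump=0.05, min_unsettled_ratio=0.5):
    """Flag markets whose displayed price moved on volume that never settled."""
    flagged = []
    for market, r in report.items():
        unsettled = r["ghost"] + r["pending"]
        total = unsettled + r["settled"]
        base = r["settled_price"]
        # With no settled baseline, any displayed price is unbacked: treat as a full jump.
        jump = 1.0 if base is None else abs(r["displayed"] - base)
        if total and unsettled / total >= min_unsettled_ratio and jump >= min_jump:
            flagged.append(market)
    return flagged

# Constructed sample: 0.1% -> 35% on matches that never settle, plus a normal market.
SAMPLE = [
    Match("a1", "dutch-pm", 0.001, 10.0, 0.0),
    Match("a2", "dutch-pm", 0.10, 500.0, 100.0),
    Match("a3", "dutch-pm", 0.35, 800.0, 101.0),
    Match("a4", "dutch-pm", 0.35, 100.0, 190.0),
    Match("b1", "other", 0.40, 50.0, 50.0),
    Match("b2", "other", 0.41, 60.0, 120.0),
]
SETTLED = {"a1", "b1", "b2"}   # constructed: ids seen in on-chain settlement events
```

A bot that prices off `settled_price` rather than `displayed` for flagged markets does not react to the unsettled move.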
Is it a bug or a structural problem?
Polymarket’s market analyst, known as Bubblik on X, also provided insight into the alleged exploits on its platform.
He said the problem was not a simple one-time error but an architectural weakness. According to the description, since there is no central sequencer or risk management engine to ensure that matched orders are effectively executed on-chain, the system relies on a final confirmation on Polygon, which can take several seconds.
From a practical point of view, this opens a temporary window in which actors can simulate liquidity, causing the odds to move and invalidating the operation before final execution.
As evidence, Bubblik provided images showing the potential moves Polymarket attackers could make within the Polygon chain.
However, so far, we are unable to know the true scope of the reported exploit as there is no official statement from Polymarket.
We will have to wait for a response from the betting platform team confirming, denying, or providing more details about what happened.

