The Ghosts of Polymarket: When Off-Chain Matches Meet On-Chain Reverts

Hugging Face Daily Papers Papers
prediction-market defi security blockchain smart-contracts vulnerability

Summary

This paper identifies a new class of attack called Ghost Fills in Polymarket's hybrid off-chain/on-chain architecture, where attackers exploit the time gap between matching and settlement to revert orders, leading to over $1.49M in illicit profits and putting $1.78B at risk.

Polymarket has emerged as a prominent prediction market platform and one of the fastest-growing applications in DeFi. To achieve low-latency trading, it adopts a hybrid architecture that matches orders off-chain but settles them on-chain for final execution. This design creates a consistency gap we call Ghost Fills: an order that is successfully matched off-chain may later fail during on-chain settlement. To understand the security implications of this gap, we investigate such failed settlements by building GHOSTHUNTER, which reconstructs them from on-chain traces and attributes to concrete attack patterns. Across 1,952,440 reverted match-order transactions, we find that attackers exploit the time gap between matching and settlement to invalidate already matched orders before they are finalized on-chain. We then identify four attack vectors from these incidents: nonce bump, balance drain, allowance revoke, and proxy trap, realized via 35 evolving variants. These vectors allow attackers to selectively revert 980,133 filled orders, enabling risk-free prediction, arbitrage-bot hunting, and liquidity reward manipulation, realizing at least \1.49M in profit, which places 1.78 B USD at risk and 2.17 M POL (about \212 K) paid by operator. During peak hours, more than 24.3% of all filled orders reverted, causing de facto DoS attacks. We also find that code derived from the flawed contract still appears in 167 independent contracts across 10 chains holding at least 23 M in user funds, extending the impact beyond Polymarket. We have disclosed our evidence to affected parties, and the issue has been partially mitigated.
Original Article
View Cached Full Text

Cached at: 06/16/26, 03:32 PM

Paper page - The Ghosts of Polymarket: When Off-Chain Matches Meet On-Chain Reverts

Source: https://huggingface.co/papers/2606.16852

Abstract

Polymarkethasemergedasaprominentpredictionmarketplatformandoneofthefastest-growingapplicationsinDeFi.Toachievelow-latencytrading,itadoptsahybridarchitecturethatmatchesordersoff-chainbutsettlesthemon-chainforfinalexecution.ThisdesigncreatesaconsistencygapwecallGhostFills:anorderthatissuccessfullymatchedoff-chainmaylaterfailduringon-chainsettlement.Tounderstandthesecurityimplicationsofthisgap,weinvestigatesuchfailedsettlementsbybuildingGHOSTHUNTER,whichreconstructsthemfromon-chaintracesandattributestoconcreteattackpatterns.Across1,952,440revertedmatch-ordertransactions,wefindthatattackersexploitthetimegapbetweenmatchingandsettlementtoinvalidatealreadymatchedordersbeforetheyarefinalizedon-chain.Wethenidentifyfourattackvectorsfromtheseincidents:noncebump,balancedrain,allowancerevoke,andproxytrap,realizedvia35evolvingvariants.Thesevectorsallowattackerstoselectivelyrevert980,133filledorders,enablingrisk-freeprediction,arbitrage-bothunting,andliquidityrewardmanipulation,realizingatleast\1.49Minprofit,whichplaces1.78BUSDatriskand2.17MPOL(about\212K)paidbyoperator.Duringpeakhours,morethan24.3%ofallfilledordersreverted,causingdefactoDoSattacks.Wealsofindthatcodederivedfromtheflawedcontractstillappearsin167independentcontractsacross10chainsholdingatleast23Minuserfunds,extendingtheimpactbeyondPolymarket.Wehavedisclosedourevidencetoaffectedparties,andtheissuehasbeenpartiallymitigated.

View arXiv pageView PDFGitHub0Add to collection

Get this paper in your agent:

hf papers read 2606\.16852

Don’t have the latest CLI?curl \-LsSf https://hf\.co/cli/install\.sh \| bash

Models citing this paper0

No model linking this paper

Cite arxiv.org/abs/2606.16852 in a model README.md to link it from this page.

Datasets citing this paper0

No dataset linking this paper

Cite arxiv.org/abs/2606.16852 in a dataset README.md to link it from this page.

Spaces citing this paper0

No Space linking this paper

Cite arxiv.org/abs/2606.16852 in a Space README.md to link it from this page.

Collections including this paper0

No Collection including this paper

Add this paper to acollectionto link it from this page.

Similar Articles

Looking at the data behind prediction markets

Hacker News Top

An analysis of prediction markets like Polymarket and Kalshi, examining whether their massive trading volume actually produces valuable forecasting information or merely serves as gambling, referencing historical academic support and current data.