CaptchaLa Blog

Appearance

The Ghosts of Polymarket: When Off-Chain Matches Meet On-Chain Reverts

Source: arXiv:2606.16852 · Published 2026-06-15 · By Yiming Shen, Yuhan Jin, Shuohan Wu, Yanlin Wang, Jiachi Chen

TL;DR

This paper studies a critical consistency vulnerability in Polymarket, a leading decentralized prediction market platform, arising from its hybrid architecture that matches orders off-chain but settles them on-chain. The authors define and analyze "Ghost Fills," where an order is reported as filled off-chain but later fails to settle on-chain, exposing traders and bots to risk and allowing attackers to exploit the settlement delay. They build GHOSTHUNTER, a trace-based analysis tool, to comprehensively reconstruct and attribute almost two million reverted on-chain match orders over a 9-month period, identifying four main attack vectors and 35 distinct variants. These attacks enable the adversaries to selectively revert confirmed matches to secure risk-free profits, disrupt arbitrage bots, and manipulate liquidity incentives, resulting in over $1.49M in realized gains and putting $1.78B of collateral at risk. Furthermore, they show that the vulnerable contract patterns have proliferated widely across 167 reused contracts on 10 chains, holding over $23M in user funds. Although mitigations have been deployed, the fundamental timing gap remains an open security challenge intrinsic to hybrid off-chain/on-chain exchange designs.

Key findings

  • GHOSTHUNTER identified 1,952,440 reverted matchOrders (Ghost Fills) from 233,887 participants between 2025-08-15 and 2026-05-06.
  • V2 of the protocol generated 862,423 Ghost Fills within one week, nearly matching V1’s 1,090,016 over nine months, with V2’s daily revert rate more than an order of magnitude higher.
  • 51.1% of reverts are due to insufficient balance, 40.6% due to ERC1155 token-delivery callback failures, and 3.5% due to insufficient allowance, with failure surfaces shifting markedly from V1 to V2.
  • Four attack vectors—nonce bump, balance drain, allowance revoke, and proxy trap—are identified with 35 variants causing 980,133 Ghost Fills (50.2% of total reverts).
  • Attackers realized at least $1.49M in profits, placing approximately $1.78B USD in collateral at risk and burning 2.17M POL ($212K) in operator gas fees.
  • At peak times, reverted transaction rates exceeded 24.3%, effectively causing denial-of-service conditions on the platform.
  • Code with the vulnerable design was found in 167 independently deployed contracts across 10 chains, holding at least $23M in user funds.
  • Mitigations deployed reduced revert rates from ~8% to ~0.3%, but Ghost Fills remain due to the fundamental off-chain/on-chain timing gap.

Threat model

The adversary is an ordinary Polymarket participant controlling one or more funded accounts (EOAs or contract wallets). They can observe off-chain matching events and act during the interval before on-chain settlement executes, including front-running with higher gas fees and operating a large Sybil cluster to evade blacklisting. They can perform arbitrary on-chain state transitions on their controlled accounts, such as nonce increments, balance transfers, or allowance revokes, but cannot violate core blockchain properties or operator nonces. They leverage the hybrid off-chain/on-chain design timing gap to deliberately cause settlement reverts, creating Ghost Fills for profit or disruption.

Methodology — deep read

  1. Threat Model & Assumptions: The adversary is a regular Polymarket user controlling accounts (EOAs or contract wallets) with full access to their collateral and delegations. They can observe the off-chain Central Limit Order Book (CLOB) match event and act within the delay window before the on-chain matchOrders settlement transaction executes. They can front-run transactions by outbidding gas prices and operate Sybil clusters to evade blacklisting. They cannot tamper with on-chain state beyond their accounts or force operator misbehavior.

  2. Data Collection: The study collected all reverted matchOrders transactions on Polygon from Aug 15, 2025 to May 6, 2026, totaling 1,952,440 reverts. Full execution traces were retrieved from archive nodes. Off-chain market data (outcome tokens, market slugs, event categories, etc.) were sourced from Polymarket’s Gamma API. Verified contract sources across 401 chains were obtained from Sourcify to identify code reuse.

  3. Architecture / Techniques: The core tool, GHOSTHUNTER, processes each reverted matchOrders transaction by parsing calldata to recover order details and participants, then analyzing execution traces to identify failure points and revert reasons (e.g., InvalidNonce, InsufficientBalance). It applies heuristic, rule-based matching using on-chain causal facts (e.g., nonce bumps, allowance changes, balance transfers, callback failures) to classify a revert as one of four attacker vectors: nonce bump, balance drain, allowance revoke, and proxy trap. Rules incorporate timing windows (5 block proximity) and gas price comparisons to isolate front-running attacks. For reuse detection, a Jaccard similarity on function selector sets identifies contracts with Polymarket-like APIs.

  4. Training / Tuning: Not applicable as this is a measurement and forensic analysis paper, but the rule set was developed iteratively through manual inspection and snowball sampling of revert groups to cover causal mechanisms comprehensively.

  5. Evaluation Protocol: Evaluations included temporal statistics on revert volume and rate, failure surface taxonomy mapped to revert codes, attribution of attacker vectors and variants, mapping reverts to market categories and participants, profit estimation from platform data, and a large-scale cross-chain scan for reuse. Comparative revert rates before and after mitigations were measured. Abstractions were conservative to limit false positives.

  6. Reproducibility: The authors released the full GHOSTHUNTER implementation and SQL queries for data collection at https://github.com/shenyimings/ghost-hunter. The Polygon on-chain data is publicly accessible. Off-chain Polymarket APIs used are public but some platform APIs for profits may not be. Verified contract datasets from Sourcify are public.

Example: One key analysis involves detecting nonce bump attacks on V1. A MatchOrders revert with InvalidNonce is paired with a near-by incrementNonce() call within 5 blocks by the same signer, detected via on-chain calls and transaction traces. When matched, this shows the attacker incremented their nonce between the off-chain matching and on-chain settlement, invalidating the original signed order and causing the transaction to revert. This detection, combined with other facts, classifies the revert as a Cancellation Attack by nonce bump, allowing quantification of this variant’s frequency and impact.

Technical innovations

  • Definition and detailed characterization of Ghost Fills as a systemic security failure in hybrid off-chain/on-chain exchange designs.
  • GHOSTHUNTER, a novel trace-based analysis pipeline combining on-chain execution trace decoding, revert root cause mapping, causal on-chain event correlation, and rule-based heuristics for attribution of Ghost Fill exploits.
  • Heuristic rules to distinguish four distinct Cancellation Attack vectors—nonce bump, balance drain, allowance revoke, proxy trap—leveraging timing windows, gas price comparisons, and internal call trace analysis to attribute exploits with high confidence.
  • Selector-set similarity scanning combined with manual validation to identify vulnerable exchange contract clones across multiple chains, demonstrating vulnerability propagation beyond the original platform.

Datasets

  • Polymarket reverted matchOrders transactions — 1,952,440 transactions — Public Polygon chain data
  • Polymarket off-chain market data — 99.8% revert mapping coverage — Polymarket Gamma API (public)
  • Sourcify verified contracts — 32,103,371 contracts across 401 chains — Public repository

Baselines vs proposed

  • Polymarket V1 revert rate: peaked at ~0.3% daily before 2026 vs V2 revert rate: peaked over 8.5%, over an order of magnitude higher
  • Percent of reverts caused by known attack vectors (nonce bump, balance drain, allowance revoke, proxy trap): 50.2% (980,133 reverts) vs total reverts 1,952,440
  • Daily revert rates reduced from ~8% to ~0.3% after mitigations deployed on May 4, 2026

Limitations

  • Detection rules may miss subtle or novel cancellation variants outside the heuristic definitions.
  • Profit estimates rely on linking addresses and platform APIs, resulting in lower bounds due to unlinked companion accounts and off-chain activities.
  • Study limited to Polygon chain and Polymarket contracts due to data availability, although reuse is scanned across multiple chains.
  • No direct adversarial or red team evaluation to test future potential attack variants or simultaneously adaptive attackers.
  • Mitigations reduce but do not eliminate Ghost Fill risk, leaving unresolved inherent architecture timing gap.
  • Analyzing impact on users beyond operator gas costs and attacker profits (e.g., user losses, market efficiency) is not fully quantified.

Open questions / follow-ons

  • How can hybrid off-chain/on-chain exchange architectures be redesigned to eliminate or substantially reduce the timing consistency gap exploited by Ghost Fills?
  • Can formal verification or runtime on-chain checks be developed to preemptively detect imminent Cancellation Attacks before settlement submissions?
  • What are the broader systemic economic impacts of Ghost Fills on market efficiency, liquidity provision, and participation incentives in on-chain prediction markets?
  • To what extent do alternative on-chain delivery mechanisms (e.g., continuous on-chain order books) mitigate or reintroduce ghost fill style vulnerabilities?

Why it matters for bot defense

This work highlights a fundamental security risk in systems using hybrid on-chain/off-chain state models common in decentralized exchanges and prediction markets, where interim inconsistent states create exploitable timing windows. Bot-defense and CAPTCHA practitioners designing on-chain bot risk mitigations should be aware that transaction front-running and state manipulation attacks may induce denial-of-service and arbitrage disruptions through reverted settlement orders. Detecting such attacker strategies requires deep trace-based forensics rather than simple anomaly flags. Furthermore, the spread of vulnerable contract code across chains demonstrates the potential systemic impact of architectural vulnerabilities. While this paper focuses on prediction markets, the underlying consistency challenges and exploitation tactics could inspire bot-defense mechanisms in other DeFi and blockchain applications that rely on asynchronous settlement finalization. Defensive designs should consider attackers’ ability to rapidly leverage off-chain visibility and on-chain replay ordering to reverse apparently confirmed interactions.

Cite

bibtex
@article{arxiv2606_16852,
  title={ The Ghosts of Polymarket: When Off-Chain Matches Meet On-Chain Reverts },
  author={ Yiming Shen and Yuhan Jin and Shuohan Wu and Yanlin Wang and Jiachi Chen },
  journal={arXiv preprint arXiv:2606.16852},
  year={ 2026 },
  url={https://arxiv.org/abs/2606.16852}
}

Read the full paper

Articles are CC BY 4.0 — feel free to quote with attribution

© 2026 CaptchaLa