The Ghosts of Polymarket: When Off-Chain Matches Meet On-Chain Reverts

📅 2026-06-15
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This study addresses the "ghost trade" problem in hybrid prediction markets like Polymarket, where off-chain order matching and on-chain settlement decoupling enable malicious rollback of already matched orders. The authors propose GHOSTHUNTER, the first system to systematically uncover and categorize four attack vectors—nonce bumping, balance exhaustion, approval revocation, and proxy traps—along with 35 of their variants. By integrating on-chain transaction tracing, behavioral pattern recognition, and smart contract reverse engineering, the work reconstructs attack pathways using large-scale empirical data. Analysis reveals that 980,000 orders were selectively rolled back, causing at least $1.49 million in profit losses and exposing $178 million in at-risk assets. The vulnerabilities span 167 contracts across 10 blockchains, affecting user funds exceeding $23 million.
📝 Abstract
Polymarket has emerged as a prominent prediction market platform and one of the fastest-growing applications in DeFi. To achieve low-latency trading, it adopts a hybrid architecture that matches orders off-chain but settles them on-chain for final execution. This design creates a consistency gap we call Ghost Fills: an order that is successfully matched off-chain may later fail during on-chain settlement. To understand the security implications of this gap, we investigate such failed settlements by building GHOSTHUNTER, which reconstructs them from on-chain traces and attributes to concrete attack patterns. Across 1,952,440 reverted match-order transactions, we find that attackers exploit the time gap between matching and settlement to invalidate already matched orders before they are finalized on-chain. We then identify four attack vectors from these incidents: nonce bump, balance drain, allowance revoke, and proxy trap, realized via 35 evolving variants. These vectors allow attackers to selectively revert 980,133 filled orders, enabling risk-free prediction, arbitrage-bot hunting, and liquidity reward manipulation, realizing at least \$1.49M in profit, which places \$1.78 B USD at risk and 2.17 M POL (about \$212 K) paid by operator. During peak hours, more than 24.3% of all filled orders reverted, causing de facto DoS attacks. We also find that code derived from the flawed contract still appears in 167 independent contracts across 10 chains holding at least \$23 M in user funds, extending the impact beyond Polymarket. We have disclosed our evidence to affected parties, and the issue has been partially mitigated.
Problem

Research questions and friction points this paper is trying to address.

Ghost Fills
prediction market
on-chain reverts
off-chain matching
DeFi security
Innovation

Methods, ideas, or system contributions that make the work stand out.

Ghost Fills
Hybrid Prediction Markets
On-chain Reverts
Attack Vector Identification
GHOSTHUNTER
🔎 Similar Papers
No similar papers found.