Less than a cent crashes liquidity of over $10,000,000; order attacks may drain Polymarket market makers


Author: Frank, PANews

An on-chain transaction costing less than $0.10 can instantly wipe out market-making orders worth tens of thousands of dollars from Polymarket’s order book. This is not a theoretical scenario; it’s happening in reality.

In February 2026, a user revealed on social media a new type of attack targeting Polymarket market makers. Blogger BuBBliK described it as “elegant & brutal,” because the attacker only needs to pay less than $0.10 in Gas fees on the Polygon network to complete an attack cycle in about 50 seconds. The victims, both those placing real buy and sell orders on the order book and automated trading bots, face order destruction or passive losses.

PANews examined a community-tagged attacker address registered in February 2026, which participated in only 7 markets but has already recorded a total profit of $16,427, mostly within a single day. Even a leading prediction market with a valuation of $9 billion, backed by liquidity, can have its foundation shaken by just a few cents in attack costs. This reveals far more than just a technical vulnerability.

PANews will analyze the technical mechanism, economic logic, and potential industry impact of this attack.

How the attack occurs: A precise “time gap” hunting method

To understand this attack, we first need to grasp Polymarket’s trading process. Unlike most DEXs, Polymarket aims to provide a user experience similar to centralized exchanges by adopting an “off-chain matching + on-chain settlement” hybrid architecture. Orders are matched instantly off-chain, and only the final settlement is submitted to the Polygon chain. This design offers zero Gas order placement and second-level execution, but it also creates a “time gap” of a few seconds to over ten seconds between off-chain and on-chain states. Attackers target this window.

The attack logic is straightforward. The attacker first places a normal buy or sell order via the API. The off-chain system verifies signatures and balances without issue, then matches the order against other market makers’ orders on the order book. Almost simultaneously, the attacker initiates a high-Gas-fee USDC transfer on-chain, draining all funds from their wallet. Because its Gas fee is much higher than the platform relay’s preset fee, this “drain” transaction gets confirmed first. When the relay submits the matching result later, the attacker’s wallet is already empty, causing the transaction to fail and revert due to insufficient funds.

If the story ends here, it’s just a waste of some relay Gas fees. But the real deadly step is: although the on-chain transaction fails, Polymarket’s off-chain system forcibly removes all participating market maker orders involved in this failed match from the order book. In other words, the attacker uses a doomed transaction to “clear out” all genuine buy and sell orders posted with real money.

An analogy: it’s like loudly bidding at an auction, then suddenly claiming “I have no money” when the hammer falls, but the auction house confiscates all other legitimate bidders’ paddles, causing the auction to be canceled.

Notably, the community later discovered an “upgraded version” of this attack, called “Ghost Fills.” Instead of rushing to transfer funds, the attacker, after off-chain matching but before on-chain settlement, directly calls a contract’s “cancel all orders” function, instantly invalidating their own orders and achieving the same effect. More cunningly, the attacker can place orders across multiple markets, observe price movements, keep only profitable orders, and cancel unprofitable ones—effectively creating a “win-only, no-loss” free option.

Economic analysis of the attack: a few cents cost, $16,000+ profit

Beyond simply clearing market maker orders, this off-chain/on-chain state mismatch is also used to hunt automated trading bots. According to GoPlus security team monitoring, affected bots include Negrisk, ClawdBots, MoltBot, and others.

The attacker’s profit isn’t directly from order removal or “ghost fills.” So how do they make money?

PANews found that the attacker’s profit mainly comes from two routes.

The first is “post-clearance market domination.” Normally, a popular prediction market’s order book has multiple market makers competing, with a narrow bid-ask spread—say, buy at 49 cents, sell at 51 cents, earning a 2-cent profit per trade. The attacker repeatedly triggers “doomed transactions” to force all competitors’ orders off the book. The order book then becomes a vacuum, and the attacker posts their own orders with a wide spread—say, buy at 40 cents, sell at 60 cents. Other traders, lacking better prices, must accept these, earning the attacker a 20-cent “monopoly spread.” This cycle repeats: clear, dominate, profit, then clear again.

The second, more direct profit route is “hunting hedge bots.” For example: suppose the “Yes” price is 50 cents. The attacker uses the API to place a $10,000 “Yes” buy order against a market-making bot. After off-chain matching confirms, the API immediately tells the bot “you sold 20,000 Yes tokens.” To hedge risk, the bot quickly buys 20,000 “No” tokens in another related market. But then the attacker causes that $10,000 buy order to fail and revert on-chain, meaning the bot never actually sold “Yes.” Its hedge position is now exposed: it holds 20,000 “No” tokens without a corresponding short position. The attacker then trades in the market, profiting as the bot is forced to sell these unhedged positions, or arbitrages the resulting price deviations.
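The exposure described above can be replayed from the bot's side. The following is an added example, not code from the article or from Polymarket: it compares a bot that hedges as soon as the API reports a fill with one that treats the fill as provisional until on-chain settlement is confirmed. The event fields and the `replay` function are hypothetical, and the events are constructed from the article's numbers.

```python
# Constructed event stream (not real API output). f1 mirrors the article:
# the API reports "sold 20,000 Yes", then the on-chain settlement reverts.
EVENTS = [
    {"type": "api_fill", "fill_id": "f1", "token": "YES", "qty": 20_000},
    {"type": "settlement", "fill_id": "f1", "status": "reverted"},
    {"type": "api_fill", "fill_id": "f2", "token": "YES", "qty": 5_000},
    {"type": "settlement", "fill_id": "f2", "status": "confirmed"},
    {"type": "settlement", "fill_id": "f9", "status": "confirmed"},  # unknown id
]


def replay(events, hedge_on):
    """Replay events for a bot that hedges on 'api_fill' or on 'settlement'.

    Returns (hedge_orders, unhedged_no_tokens), where unhedged_no_tokens is
    the quantity of "No" bought as a hedge with no settled "Yes" sale behind it.
    """
    pending = {}        # fill_id -> qty reported sold off-chain, not yet settled
    sold_onchain = 0    # "Yes" actually sold according to on-chain receipts
    hedge_orders = []   # hedge orders the bot sent to the related market
    for ev in events:
        if ev["type"] == "api_fill":
            pending[ev["fill_id"]] = ev["qty"]
            if hedge_on == "api_fill":          # trusts the off-chain signal
                hedge_orders.append(("buy", "NO", ev["qty"]))
        elif ev["type"] == "settlement":
            qty = pending.pop(ev["fill_id"], 0)  # 0 for unknown/duplicate ids
            if ev["status"] != "confirmed" or qty == 0:
                continue                         # reverted: no position change
            sold_onchain += qty
            if hedge_on == "settlement":         # hedge only what settled
                hedge_orders.append(("buy", "NO", qty))
    hedged = sum(q for _, _, q in hedge_orders)
    return hedge_orders, hedged - sold_onchain


if __name__ == "__main__":
    print("hedge on API fill:  ", replay(EVENTS, "api_fill"))
    print("hedge on settlement:", replay(EVENTS, "settlement"))
```

Gating on settlement trades hedge latency for correctness: the bot carries unhedged risk during the settlement window instead of after a revert.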

Each attack cycle costs less than $0.10 in Gas on Polygon, takes about 50 seconds, and could theoretically run about 72 times per hour. One attacker built a “dual-wallet cycle system” (alternating between Cycle A Hub and Cycle B Hub) to automate high-frequency attacks. Hundreds of failed transactions have been recorded on-chain.

On the profit side, a community-tagged attacker address, registered in February 2026, participated in only 7 markets but achieved a total profit of $16,427, with a maximum single profit of $4,415, mostly within a very short window. This means the attacker, with less than $10 in Gas costs, could move over $16,000 in profit in a single day. And this is just one tagged address; the actual number of participants and total gains could be much higher.

For affected market makers, losses are even harder to quantify. Reddit traders running 5-minute BTC market bots report losses “in the thousands of dollars.” The deeper damage includes opportunity costs from frequent order removals and increased operational expenses due to strategy adjustments.

More troubling is that this vulnerability stems from Polymarket’s core design, which cannot be fixed quickly. As these attack methods become public, similar tactics are likely to proliferate, further damaging Polymarket’s already fragile liquidity.

Community self-defense, warnings, and platform silence

So far, Polymarket has not issued a detailed statement or fix for this order attack. Some users on social media say the bug was reported multiple times months ago but ignored. Notably, Polymarket previously refused refunds during the “governance attack” involving UMA Oracle voting manipulation.

Without official action, the community has started to develop solutions. A community developer created an open-source monitoring tool called “Nonce Guard,” which tracks order cancellations on Polygon, blacklists attacker addresses, and provides alerts for trading bots. However, this is essentially a monitoring patch and does not fundamentally resolve the issue.
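A monitoring approach of this kind can be sketched as a correlation between off-chain matches and on-chain outcomes. The following is an added example, not Nonce Guard's code and not from the article: it flags counterparties whose matched orders repeatedly revert at settlement after the same address sent a USDC transfer or an order cancellation inside the match-to-settlement window. All record fields, addresses and thresholds are constructed placeholders.

```python
from collections import defaultdict

# Constructed records; addresses are placeholders, times are in seconds.
MATCHES = [  # off-chain matches reported to the market maker
    {"id": "m1", "taker": "0xAAA", "t_match": 100},
    {"id": "m2", "taker": "0xAAA", "t_match": 160},
    {"id": "m3", "taker": "0xBBB", "t_match": 170},
    {"id": "m4", "taker": "0xCCC", "t_match": 230},
    {"id": "m5", "taker": "0xDDD", "t_match": 300},
]
SETTLEMENTS = {  # match id -> (on-chain status, time of the settlement tx)
    "m1": ("reverted", 108), "m2": ("reverted", 170), "m3": ("reverted", 181),
    "m4": ("confirmed", 238), "m5": ("reverted", 309),
}
ONCHAIN = [  # wallet actions observed on-chain
    {"addr": "0xAAA", "kind": "usdc_out", "t": 103},    # drain inside window
    {"addr": "0xAAA", "kind": "cancel_all", "t": 164},  # cancel inside window
    {"addr": "0xBBB", "kind": "usdc_out", "t": 150},    # before the match
    {"addr": "0xDDD", "kind": "usdc_out", "t": 304},    # single occurrence
]


def flag_addresses(matches, settlements, onchain, min_hits=2):
    """Return addresses with >= min_hits reverted matches that coincide with
    a transfer-out or cancel by the same address between match and settlement."""
    actions = defaultdict(list)
    for a in onchain:
        actions[a["addr"]].append(a["t"])
    hits = defaultdict(int)
    for m in matches:
        status, t_settle = settlements.get(m["id"], (None, None))
        if status != "reverted":
            continue  # confirmed or still pending: nothing to correlate
        if any(m["t_match"] <= t <= t_settle for t in actions[m["taker"]]):
            hits[m["taker"]] += 1
    return {addr for addr, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    print(sorted(flag_addresses(MATCHES, SETTLEMENTS, ONCHAIN)))
```

A single reverted settlement can be an honest race, which is why the sketch requires repeated in-window hits before an address is flagged.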

Compared to other arbitrage methods, this attack’s potential impact could be more profound.

For market makers, their carefully maintained orders can be wiped out en masse without warning, destroying the stability and predictability of their strategies—possibly discouraging continued liquidity provision on Polymarket.

For users running automated bots, API signals become unreliable, and ordinary traders may suffer significant losses due to sudden liquidity disappearance.

For Polymarket itself, if market makers stop posting orders and bots cease hedging, the order book depth will inevitably shrink, creating a vicious cycle of further deterioration.
