Author: Frank, PANews
An on-chain transaction costing less than $0.10 can instantly wipe out market-making orders worth tens of thousands of dollars from Polymarket’s order book. This is not a theoretical scenario; it’s happening in reality.
In February 2026, a user disclosed a new attack method targeting Polymarket market makers on social media. Blogger BuBBliK described it as “elegant & brutal,” because the attacker only needs to pay less than $0.10 in Gas fees on the Polygon network to complete an attack cycle in about 50 seconds. The victims—market makers and automated trading bots posting real buy and sell orders—face forced order removals, exposed positions, and even direct losses.
PANews examined a community-flagged attacker address that was registered in February 2026. It participated in only 7 markets but has already recorded a total profit of $16,427, with most gains made within a single day. When a leading prediction market valued at $9 billion has its liquidity foundation shaken by just a few cents in transaction costs, it reveals far more than just a technical vulnerability.
PANews will analyze the technical mechanics, economic logic, and potential industry impact of this attack.
How the Attack Occurs: A Precise “Time-Delay” Kill Shot
To understand this attack, first, grasp Polymarket’s trading process. Unlike most DEXes, Polymarket aims to provide a user experience similar to centralized exchanges by adopting a “off-chain matching + on-chain settlement” hybrid architecture. Users place orders and matching occurs instantly off-chain, with only final fund transfers submitted to the Polygon chain for execution. This design offers zero-Gas limit orders and instant trades but creates a “time gap” of a few seconds to over ten seconds between off-chain and on-chain states, which attackers exploit.
The attack logic is straightforward. The attacker first places a normal buy or sell order via API. The off-chain system verifies signatures and balances without issue, and matches it against other market makers’ orders. Almost simultaneously, the attacker initiates an on-chain transaction with very high Gas fees to transfer all funds out of their wallet. Because the Gas cost exceeds the platform’s relay default settings, this “drain” transaction gets confirmed first. When the relay submits the matching result on-chain afterward, the attacker’s wallet is already empty, causing the transaction to fail and roll back due to insufficient balance.
If this were the end of the story, it would just be a waste of relay Gas fees. But the real damage comes from: although the on-chain transaction fails, Polymarket’s off-chain system forcibly removes all the innocent market maker orders involved in that failed match from the order book. In other words, the attacker uses a doomed-to-fail transaction to “clear out” genuine buy and sell orders posted with real money.
A good analogy is shouting bids at an auction, then suddenly claiming “I have no money” at the hammer drop, but the auction house confiscates all other legitimate bidders’ paddles, causing the auction to collapse.
Notably, the community later discovered an “upgraded” version of this attack, called “Ghost Fills.” Instead of rushing to transfer funds, the attacker, after off-chain matching but before on-chain settlement, directly calls a contract’s “cancel all orders” function to instantly invalidate their orders, achieving the same effect. More cunningly, the attacker can place orders across multiple markets, observe price movements, and only keep profitable orders while canceling unprofitable ones—effectively creating a “risk-free” free option.
Economic Analysis of the Attack: A Few Cents Cost, $16,000+ Profit
Beyond simply clearing market maker orders, this off-chain/on-chain state mismatch is also used to hunt automated trading bots. According to GoPlus security team monitoring, affected bots include Negrisk, ClawdBots, MoltBot, and others.
While removing others’ orders and creating “ghost fills” doesn’t directly generate profit, how does the attacker make money?
PANews found that the attacker’s profit mainly comes from two paths.
First is “post-clear monopoly market making.” Normally, a popular prediction market’s order book has multiple market makers competing with narrow spreads—say, buy at 49 cents, sell at 51 cents, earning 2 cents per trade. The attacker repeatedly initiates “doomed-to-fail” transactions to forcibly clear out these competitors’ orders. The order book then becomes a vacuum, and the attacker posts their own orders with a wide spread—say, buy at 40 cents, sell at 60 cents. Without better quotes, other traders must accept these prices, and the attacker profits from the 20-cent “monopoly spread.” This cycle repeats: clear, monopolize, profit, then clear again.
The second, more direct profit method is “hunting hedge bots.” For example: suppose the “Yes” price in a market is 50 cents. The attacker places a $10,000 “Yes” buy order via API to a market-making bot. After off-chain matching confirms, the API immediately signals the bot: “You sold 20,000 Yes tokens.” To hedge risk, the bot quickly buys 20,000 “No” tokens in another related market to lock in profit. But then, the attacker causes that $10,000 buy order to fail and rollback on-chain, meaning the bot never actually sold the Yes tokens. Its supposed hedge position now becomes a naked bet with only 20,000 No tokens and no corresponding short position. The attacker can then trade on the real market, forcing the bot to sell these unhedged positions at a loss or arbitrage from price discrepancies.
Each attack cycle costs less than $0.10 in Gas on Polygon, takes about 50 seconds, and theoretically can be executed around 72 times per hour. An attacker set up a “dual-wallet cycle system” (Cycle A Hub and Cycle B Hub alternating) to automate high-frequency attacks. Hundreds of failed transactions are recorded on-chain.
On the profit side, a community-flagged address registered in February 2026 has participated in only 7 markets but already earned $16,427, with a maximum single-profit of $4,415, mostly within a very short window. This means the attacker used less than $10 in Gas costs to generate over $16,000 in profit in a single day. And this is just one flagged address; the total number of attacker addresses and profits could be much higher.
For the victims—market makers—the losses are even harder to quantify. Reddit traders running BTC 5-minute market bots report losses “in the thousands of dollars.” The deeper damage lies in opportunity costs from frequent forced order removals and the operational overhead of adjusting market-making strategies.
More troubling is that this vulnerability stems from fundamental design flaws in Polymarket’s underlying mechanism, which cannot be fixed quickly. As this attack method becomes public, similar exploits are likely to become more common, further damaging Polymarket’s already fragile liquidity.
Community Self-Help, Warnings, and Platform Silence
So far, Polymarket has not issued a detailed statement or fix for this order attack. Some users on social media say the bug was reported months ago but ignored. Notably, Polymarket previously refused refunds after a “governance attack” involving UMA Oracle voting manipulation.
Without official action, the community has started to develop solutions. A community developer created an open-source monitoring tool called “Nonce Guard,” which tracks order cancellations on Polygon, blacklists attacker addresses, and provides general alerts for trading bots. But this is merely a patch for monitoring and cannot fundamentally resolve the issue.
Compared to other arbitrage methods, this attack could have more profound impacts.
For market makers, their carefully maintained orders can be wiped out en masse without warning, destroying the stability and predictability of their strategies—potentially discouraging liquidity provision on Polymarket.
For users running automated bots, API signals become unreliable, and ordinary traders may suffer significant losses due to sudden liquidity disappearance.
For the platform itself, if market makers hesitate to post orders and bots avoid hedging, the order book depth will inevitably shrink, creating a vicious cycle of deteriorating liquidity.
