GoPlus: Polymarket Hacked, Flaws in Off-Chain and On-Chain Transaction Result Synchronization Mechanism

According to disclosures from the GoPlus Chinese community, the prediction market platform Polymarket was hacked due to a design flaw in the synchronization mechanism between off-chain and on-chain trading results in its order system.

The attacker manipulated the nonce, causing on-chain matched trades to be canceled or invalidated before execution, while off-chain records remained valid, leading to API false reports that affected trading behaviors of bots like Negrisk, resulting in user losses. The analysis of the attack process is as follows:

1. The attacker submitted/matched large reverse trades with the market-making bot on the Polymarket off-chain orderbook.

2. The attacker constructed transactions with forged/repeated nonces or utilized on-chain nonce competition, causing the on-chain transactions to inevitably revert.

3. The Polymarket API returned "transaction successful" to the bot before on-chain confirmation, leading the bot to believe that the position had been hedged, while the actual on-chain state had not changed.

4. The attacker then executed real on-chain trades to take advantage of the direction exposed by the bot, thus profiting "risk-free."

5. Since the revert occurred at the chain level, Polymarket fees would not explode, making the attack cost controllable and executable continuously.

GoPlus recommends that users pause automated trading tools, verify on-chain trading statuses, enhance wallet security, and closely monitor official announcements from Polymarket.