Polymarket

Polymarket

@polymarket
Live

Maximum reward

$5,000,000

Severity

Max. Reward

Critical

$5,000,000

High

$500,000

Medium

$50,000

Low

$5,000

Deposit required

$5

Findings submitted

95

Start date

12 Apr 2026

Please sign in as a researcher to join the bounty.

Log in
InstructionsScope

In scope

Smart ContractWeb & App

Severity

Min and Max Reward

Critical

$50,000 to $5,000,000

High

$10,000 to $500,000

Medium

$2,500 to $50,000

Low

$1,000 to $5,000

InformationalDiscretionary

Network: All smart contracts are deployed on Polygon PoS (Chain ID: 137). Only vulnerabilities affecting mainnet deployments are eligible.

Critical Reward Calculation

Mainnet assets:

  • Reward amount is 10% of the funds directly affected up to a maximum of: $5,000,000
  • Minimum reward to discourage security researchers from withholding a bug report: $50,000
Name
Description
Asset
ConditionalTokens

Gnosis Conditional Tokens Framework (ERC1155). Manages all prediction market position tokens — condition preparation, position splitting/merging, payout reporting, and redemption. Uses ECMH for collection ID derivation. Holds all collateral backing positions. Third-party contract: only vulnerabilities arising from Polymarket's integration patterns are in scope.

0x4d97…6045

CTFExchange

V1 hybrid-decentralized exchange for atomic order matching between CTF ERC1155 positions and ERC20 collateral. Supports 4 signature types (EOA, POLY_PROXY, POLY_GNOSIS_SAFE, POLY_1271). Includes fee handling, nonce management, and token registry.

0x4bfb…982e

FeeModule

Fee proxy that intercepts order matching, delegates to CTFExchange, and handles maker fee refunds based on BPS calculations. Admin-only matchOrders() and withdrawFees().

0x56C7…E113

NegRiskAdapter

Core adapter for multi-outcome (negative risk) markets. Manages YES/NO position conversion, collateral splitting/merging/redemption via WrappedCollateral. Routes fees to Vault.

0xd91E…5296

NegRiskCtfExchange

Modified CTFExchange for negative risk markets with pre-approved NegRiskAdapter interactions.

0xC5d5…f80a

NegRiskFeeModule

Fee module variant for NegRiskCtfExchange with ERC1155 approvals for NegRiskAdapter interaction.

0x7876…f29e

NegRiskOperator

Permissioned operator for market preparation, question resolution, and dispute flagging. Prevents multiple TRUE resolutions per market.

0x7152…B820

NegRiskUmaCtfAdapter

UmaCtfAdapter instance configured for NegRisk markets. Same codebase as UmaCtfAdapter.

0x2F5e…aA9d

NegRiskWrappedCollateral

RC20 wrapper around USDC.e enabling the NegRiskAdapter to manage collateral separately from ConditionalTokens. Permissionless unwrap; owner-restricted mint/burn.

0x3A3B…02E2

ProxyFactory

Deploys deterministic (CREATE2) proxy wallets for Polymarket users. Integrates with Gas Station Network for relay functionality.

0xaB45…4052

SafeFactory

eploys deterministic Gnosis Safe proxies for Polymarket users. EIP-712 signature verification for proxy creation.

0xaacF…541b

UmaCtfAdapter

Oracle adapter integrating UMA's Optimistic Oracle for market resolution. Handles initialization, data requests, dispute escalation (2-hour proposal period, DVM escalation), and CTF condition resolution.

0x6A9D…4F74

CollateralToken

UUPS upgradeable ERC20 (pUSD, 6 decimals). Wraps USDC/USDC.e. Role-based access: MINTER_ROLE for mint/burn, WRAPPER_ROLE for wrap/unwrap. Both proxy contract and implementation contract are in scope.

0xC011…2DFB

CollateralOnramp

Wraps USDC/USDC.e into pUSD (CollateralToken). Admin-gated with pausable per-asset functionality.

0x9307…B8ee

CollateralOfframp

Unwraps pUSD back to USDC/USDC.e. Admin-gated with pausable per-asset functionality.

0x2957…5854

PermissionedRamp

EIP-712 witness-signed wrap/unwrap for CollateralToken. Uses nonces for replay protection and deadline-based expiry.

0xebC2…Cb08

CtfCollateralAdapter

Bridges pUSD and CTF for standard markets. Unwraps pUSD to USDC.e for CTF split operations, wraps back on merge. Pausable per-asset.

0xADa1…9718

NegRiskCtfCollateralAdapter

Extends CtfCollateralAdapter for negative risk markets. Adds NO to YES position conversion via NegRiskAdapter.

0xAdA2…c6F1

CTFExchangeV2

V2 exchange with optimized assembly (EIP-712 hashing, event emission, address derivation). Three settlement paths: COMPLEMENTARY (P2P), MINT (split), MERGE. Adds UserPausable, preapproved orders, and builder metadata.

0xE111…996B

NegRiskCtfExchangeV2

V2 exchange variant for negative risk markets. Same as CTFExchangeV2 with pre-approved NegRiskAdapter interactions.

0xe222…0F59

Vault

ERC20/ERC1155 token vault for protocol fees collected by NegRiskAdapter. Admin-controlled transfer functions.

0x7f67…E11D

Out of scope

Smart Contract Specific

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack of liquidity impacts
  • Impacts from Sybil attacks
  • Impacts involving centralization risks
  • Vulnerabilities in the Gnosis ConditionalTokens contract that do not specifically arise from or affect Polymarket's integration patterns (general Gnosis CTF bugs should be reported to Gnosis)
  • Issues requiring >$50M in capital to exploit with no practical economic incentive
  • Payout rounding precision loss in ConditionalTokens.redeemPositions() below $1 per redemption (known design tradeoff of integer division)

Web & App Specific

  • Theoretical impacts without any proof or demonstration
  • Impacts involving attacks requiring physical access to the victim device
  • Impacts involving attacks requiring access to the local network of the victim
  • Reflected plain text injection (e.g. url parameters, path, etc.)
    • This does not exclude reflected HTML injection with or without JavaScript
    • This does not exclude persistent plain text injection
  • Any impacts involving self-XSS
  • Captcha bypass using OCR without impact demonstration
  • CSRF with no state modifying security impact (e.g. logout CSRF)
  • Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as "httponly") without demonstration of impact
  • Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces
  • Impacts causing only the enumeration or confirmation of the existence of users or tenants
  • Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
  • Lack of SSL/TLS best practices
  • Impacts that only require DDoS
  • UX and UI impacts that do not materially disrupt use of the platform
  • Impacts primarily caused by browser/plugin defects
  • Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)
  • Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)
  • SPF/DMARC misconfigured records
  • Missing HTTP Headers without demonstrated impact
  • Automated scanner reports without demonstrated impact
  • UI/UX best practice recommendations
  • Non-future-proof NFT rendering
  • Using VPN to bypass geo-restrictions

All Categories

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Impacts requiring phishing or other social engineering attacks against project's employees and/or customers

Known Issues

  • Unfixed vulnerabilities from previous audits listed at the Polymarket contract-security repository
  • Audit reports and any unfixed vulnerabilities mentioned in these reports are not eligible for a reward:
  • Issues already recorded as self-reported bug submissions on the Cantina platform
  • Issues already submitted in Immunefi's bounty program
  • Known centralization risks in Auth modules (admin can add/remove other admins) — this is by design
  • ConditionalTokens uses Solidity ^0.5.1 without native overflow protection (SafeMath is used where needed) — this is a known design choice of the Gnosis CTF
  • Single oracle per condition in ConditionalTokens with no on-chain dispute mechanism — disputes are handled off-chain via UMA's Optimistic Oracle integration

Other Out-of-Scope Targets

In addition to the above, all items in the Cantina Bug Bounty Out-of-Scope Policy apply.