Polymarket

@polymarket
Live

Maximum reward: $5,000,000

Max. reward by severity

  • Critical: $5,000,000
  • High: $500,000
  • Medium: $50,000
  • Low: $5,000

Deposit required: $5
Findings submitted: 99
Start date: 12 Apr 2026


In scope

Min and max reward by severity

  • Critical: $50,000 to $250,000
  • High: $10,000 to $75,000
  • Medium: $5,000 to $25,000
  • Low: $1,000 to $5,000
  • Informational: Discretionary

Web & App in scope

Name: Home Page
Description: Polymarket's Home Page
Asset:

Out of scope

Smart Contract Specific

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack of liquidity impacts
  • Impacts from Sybil attacks
  • Impacts involving centralization risks
  • Vulnerabilities in the Gnosis ConditionalTokens contract that do not specifically arise from or affect Polymarket's integration patterns (general Gnosis CTF bugs should be reported to Gnosis)
  • Issues requiring >$50M in capital to exploit with no practical economic incentive
  • Payout rounding precision loss in ConditionalTokens.redeemPositions() below $1 per redemption (known design tradeoff of integer division)

Web & App Specific

  • Theoretical impacts without any proof or demonstration
  • Impacts involving attacks requiring physical access to the victim device
  • Impacts involving attacks requiring access to the local network of the victim
  • Reflected plain text injection (e.g. URL parameters, path, etc.)
    • This does not exclude reflected HTML injection with or without JavaScript
    • This does not exclude persistent plain text injection
  • Any impacts involving self-XSS
  • Captcha bypass using OCR without impact demonstration
  • CSRF with no state modifying security impact (e.g. logout CSRF)
  • Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as "httponly") without demonstration of impact
  • Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces
  • Impacts causing only the enumeration or confirmation of the existence of users or tenants
  • Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
  • Lack of SSL/TLS best practices
  • Impacts that only require DDoS
  • UX and UI impacts that do not materially disrupt use of the platform
  • Impacts primarily caused by browser/plugin defects
  • Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)
  • Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)
  • SPF/DMARC misconfigured records
  • Missing HTTP Headers without demonstrated impact
  • Automated scanner reports without demonstrated impact
  • UI/UX best practice recommendations
  • Non-future-proof NFT rendering
  • Using VPN to bypass geo-restrictions

All Categories

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope without proof that they are in use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Impacts requiring phishing or other social engineering attacks against the project's employees and/or customers

Known Issues

  • Unfixed vulnerabilities from previous audits listed at the Polymarket contract-security repository
  • Audit reports and any unfixed vulnerabilities mentioned in these reports are not eligible for a reward:
  • Issues already recorded as self-reported bug submissions on the Cantina platform
  • Issues already submitted in Immunefi's bounty program
  • Known centralization risks in Auth modules (admin can add/remove other admins) — this is by design
  • ConditionalTokens uses Solidity ^0.5.1 without native overflow protection (SafeMath is used where needed) — this is a known design choice of the Gnosis CTF
  • Single oracle per condition in ConditionalTokens with no on-chain dispute mechanism — disputes are handled off-chain via UMA's Optimistic Oracle integration

Other Out-of-Scope Targets

In addition to the above, all items in the Cantina Bug Bounty Out-of-Scope Policy apply.