My Crypto News AI

The Ghost Fills Problem: How Polymarket's Hybrid Design Lets Attackers Profit From Failed Trades

A new security study documents a structural weakness in Polymarket's hybrid trading architecture: orders appear filled to users but then fail during on-chain settlement, and attackers can exploit the gap between the two for risk-free profit. The researchers, whose paper is posted on arXiv, identified nearly 2 million reverted settlement transactions on the prediction market platform, a phenomenon they call "Ghost Fills". The finding exposes how modern DeFi platforms trade settlement finality for speed, and the same design pattern appears in at least 167 other deployments across several blockchains.

What Are Ghost Fills and Why Do They Matter?

Polymarket operates on a hybrid model to keep trading fast and responsive. Orders are matched off-chain in a central limit order book (CLOB); the operator then submits the matched orders to the exchange contract on the Polygon network, where settlement actually happens. This split creates a dangerous window: an order can show as "filled" in Polymarket's user interface and API while the settlement transaction is still pending or will never succeed. Users, trading bots, and AI agents see the fill and act on it, believing the trade is done. If settlement fails, they are left exposed to price movements they thought they had locked in.

For prediction markets hosting short-cycle contracts (like five-minute Bitcoin price predictions), this timing gap is especially damaging. The value of a fill can shift within seconds as new information arrives. A Ghost Fill isn't just a failed transaction; it shifts settlement risk onto the party that trusted the reported fill.

How Widespread Is the Problem?

The scale of Ghost Fills on Polymarket is substantial. Between August 15, 2025, and May 6, 2026, researchers identified 1,952,440 reverted matchOrders transactions involving 233,887 distinct participants. The daily rate of Ghost Fills rose sharply in early 2026, peaking at 8.5% of a day's settlements. During peak hours in May 2026, more than 24.3% of all filled orders reverted, creating what researchers describe as a de facto denial-of-service attack: reverted settlements still consume block space and operator gas while delivering nothing to the counterparty.

The financial impact is striking. These failures affected fills involving $1.78 billion in collateral and burned 2.35 million POL (Polygon's native gas token, which Polymarket's operator pays to submit settlement transactions) on transactions that reverted. Polymarket had grown to over $450 million in total value locked and roughly 1.9 million filled orders per day by the time of the study, so even a small percentage of failures is significant in absolute terms.

How Are Attackers Exploiting Ghost Fills?

Researchers identified four distinct attack vectors that a trader can use to deliberately turn their own matched orders into Ghost Fills. In each case the attacker is a party to the match: the counterparty sees a fill, and the attacker then changes the state of their own wallet or contracts so that the settlement transaction reverts. These attacks span 35 different implementation variants, suggesting an active cat-and-mouse cycle as Polymarket patches vulnerabilities and attackers adapt.

  • Nonce Bump: The maker increments the order nonce that the exchange contract tracks for their address (a separate counter from the wallet's Ethereum transaction nonce), so every signed order that still carries the old nonce fails validation at settlement.
  • Balance Drain: The maker moves collateral out of the wallet between off-chain matching and on-chain settlement, so the token transfer inside the settlement transaction fails for insufficient funds.
  • Allowance Revoke: The maker revokes or reduces the token approval the settlement contract relies on, so the transfer fails even though the balance is still there.
  • Proxy Trap: The maker manipulates the proxy wallet contract through which their funds are accessed during settlement so that the call into it reverts, taking the whole settlement transaction with it.
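
The following is an added example, not code from Polymarket or from the paper: a toy model of a hybrid CLOB in which the matcher reports a fill immediately and the chain re-validates the maker later. It shows why a fill that was perfectly valid at match time reverts at settlement under each of the four vectors. The Maker, Order and Fill structures, the order in which settle_onchain performs its checks, and the sample values are all assumptions for illustration.

```python
# Added example, not code from Polymarket or from the paper: a toy model of a
# hybrid CLOB in which the matcher reports a fill immediately and the chain
# validates it later.  Maker, Order, Fill, the check order inside
# settle_onchain and the sample values are all assumptions for illustration.
from dataclasses import dataclass
from enum import Enum


class FillState(Enum):
    PROVISIONAL = "provisional"  # reported off-chain, nothing final yet
    SETTLED = "settled"          # on-chain transfer succeeded
    REVERTED = "reverted"        # on-chain settlement failed: a Ghost Fill


@dataclass
class Maker:
    nonce: int = 0          # order nonce kept by the exchange contract
    balance: int = 0        # collateral units held by the maker
    allowance: int = 0      # collateral approved to the settlement contract
    proxy_ok: bool = True   # False: the maker's proxy wallet reverts when called


@dataclass
class Order:
    maker: str
    nonce: int   # nonce the maker signed; must equal Maker.nonce at settlement
    amount: int


@dataclass
class Fill:
    order: Order
    state: FillState = FillState.PROVISIONAL
    reason: str = ""


def match_offchain(order: Order) -> Fill:
    """The matcher reports a fill before any chain state has been checked."""
    return Fill(order)


def settle_onchain(fill: Fill, makers: dict) -> Fill:
    """Re-validate the maker at settlement time and stop at the first failure,
    the way a contract reverts.  The check order is an assumption."""
    o, m = fill.order, makers[fill.order.maker]
    if not m.proxy_ok:
        reason = "proxy_trap"
    elif o.nonce != m.nonce:
        reason = "nonce_bump"
    elif m.allowance < o.amount:
        reason = "allowance_revoke"   # transferFrom spends allowance before balance
    elif m.balance < o.amount:
        reason = "balance_drain"
    else:
        m.balance -= o.amount
        m.allowance -= o.amount
        fill.state = FillState.SETTLED
        return fill
    fill.state = FillState.REVERTED
    fill.reason = reason
    return fill


def scenario(vector: str, amount: int = 50) -> Fill:
    """Match an order, let the maker change state in the gap, then settle."""
    makers = {"alice": Maker(nonce=0, balance=100, allowance=100)}
    fill = match_offchain(Order(maker="alice", nonce=0, amount=amount))
    # A UI or API polling the matcher would already show this order as filled.
    m = makers["alice"]
    if vector == "nonce_bump":
        m.nonce += 1              # invalidates every order signed with nonce 0
    elif vector == "balance_drain":
        m.balance = amount - 1    # collateral moved out of the wallet
    elif vector == "allowance_revoke":
        m.allowance = 0           # approval to the settlement contract revoked
    elif vector == "proxy_trap":
        m.proxy_ok = False        # proxy wallet now reverts on the settlement call
    return settle_onchain(fill, makers)


VECTORS = ("honest", "nonce_bump", "balance_drain", "allowance_revoke", "proxy_trap")


def run_all() -> dict:
    """Map each vector to its settled fill so the outcomes can be compared."""
    return {v: scenario(v) for v in VECTORS}


if __name__ == "__main__":
    for name, fill in run_all().items():
        print(f"{name:17s} -> {fill.state.value:11s} {fill.reason}")
```

Only the "honest" scenario ends in SETTLED; the other four end in REVERTED with the vector named as the reason, even though every one of them passed through the same match_offchain call and was reported as filled. Any consumer that acts on the PROVISIONAL state is the party carrying the risk.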

Of the 1,952,440 Ghost Fills, researchers attributed 980,133 (50.2%) directly to these attack patterns. Together, they placed $1.44 billion of collateral at risk and burned 2.17 million POL tokens in operator gas fees, worth approximately $212,000. This accounts for 92% of all gas burned by reverts on the platform.

Attackers use these Ghost Fills to enable three main profit strategies: risk-free prediction (betting on outcomes knowing they can cancel if the prediction moves against them), arbitrage-bot hunting (triggering fills to identify and exploit trading bots), and liquidity reward manipulation (gaming incentive programs by creating fake trading volume). Researchers estimate attackers realized at least $1.49 million in profit, though the true amount is likely higher because some companion addresses cannot be linked with confidence.

Has the Vulnerability Spread Beyond Polymarket?

The risk extends far beyond Polymarket itself. Researchers scanned 30.65 million verified smart contracts across 401 blockchain networks and found 167 independent Polymarket-like deployments across 10 different chains. Of these, 71 contracts are byte-identical copies of Polymarket's flawed code, holding at least $23 million in user funds collectively. Researchers confirmed that Ghost Fills occur on the two largest live deployments outside Polymarket.

However, code reuse doesn't automatically create the same risk everywhere. Ghost Fills are most profitable in prediction markets, where a reported fill has real value to walk away from once new information arrives. On NFT trading platforms built with a similar settlement gap, the same mechanism is rarely worth exploiting because a cancelled fill gains the canceller little.

What Has Been Done to Fix the Problem?

Researchers disclosed their findings to Polymarket through three rounds of responsible disclosure, and the platform has already shipped partial mitigations. However, these fixes remain constrained by the fundamental timing gap in the hybrid architecture. An off-chain fill remains provisional until its on-chain settlement succeeds, meaning Ghost Fills persist on Polymarket even after patches. The underlying architectural tension between speed and settlement finality hasn't been fully resolved.

How Can Platforms Reduce Ghost Fill Risk?

While Polymarket's mitigations are incomplete, the research suggests several design principles that hybrid trading platforms should consider to reduce Ghost Fill exposure:

  • Shorter Settlement Windows: Minimize the time between off-chain matching and on-chain settlement to reduce the window for attackers to invalidate orders.
  • Provisional Fill Disclaimers: Clearly communicate to users that off-chain fills are not final until on-chain settlement completes, preventing false confidence in pending trades.
  • Atomic Settlement Design: Where possible, report a fill only once its on-chain settlement has succeeded, or validate and settle the match within a single transaction, so that there is no interval in which a fill exists off-chain but not on-chain.
  • Real-Time Monitoring: Deploy detection systems that identify suspicious revert patterns and flag potential attacks before they cause widespread damage.
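
The monitoring principle above, as an added example that is not Polymarket's code or the paper's: it buckets settlement outcomes by hour, flags hours whose revert rate crosses an alert level, and within a flagged hour names the makers whose own settlements revert in bulk. The record format (unix time, maker, status), the thresholds (an 8.5% hourly alert level taken from the peak daily rate the study reports, five reverts and a 50% revert share per maker) and the sample data are constructed assumptions.

```python
# Added example, not code from Polymarket or from the paper: revert-rate
# monitoring over settlement outcomes.  The record format, the thresholds and
# the sample data below are constructed assumptions for illustration.
from collections import defaultdict

# Constructed sample settlement outcomes: (unix_time, maker, status).
# Hour 0 is a normal hour; in hour 1 one maker produces a burst of reverts.
SAMPLE = (
    [(100 + i * 60, "alice", "ok") for i in range(10)]
    + [(130 + i * 60, "bob", "ok") for i in range(8)]
    + [(3000, "bob", "revert")]
    + [(3700 + i * 30, "mallory", "revert") for i in range(8)]
    + [(3950, "mallory", "ok")]
    + [(4000 + i * 120, "alice", "ok") for i in range(5)]
)

HOUR = 3600


def hourly_revert_rate(records):
    """Return {hour_index: (total, reverts, rate)} over hourly buckets."""
    totals = defaultdict(int)
    reverts = defaultdict(int)
    for t, _maker, status in records:
        h = t // HOUR
        totals[h] += 1
        if status == "revert":
            reverts[h] += 1
    return {h: (totals[h], reverts[h], reverts[h] / totals[h]) for h in sorted(totals)}


def flag_windows(rates, threshold=0.085):
    """Hours whose revert rate exceeds the alert level (assumed 8.5%)."""
    return [h for h, (_total, _reverts, rate) in rates.items() if rate > threshold]


def suspect_makers(records, hour, min_reverts=5, min_share=0.5):
    """Makers who, within the given hour, reverted at least min_reverts times
    and had at least min_share of their own settlements revert.  Returns
    {maker: (reverts, total)}."""
    per = defaultdict(lambda: [0, 0])   # maker -> [total, reverts]
    for t, maker, status in records:
        if t // HOUR != hour:
            continue
        per[maker][0] += 1
        if status == "revert":
            per[maker][1] += 1
    return {m: (r, total) for m, (total, r) in per.items()
            if r >= min_reverts and r / total >= min_share}


def report(records):
    """Flagged hours mapped to the makers driving the reverts in each."""
    rates = hourly_revert_rate(records)
    return {h: suspect_makers(records, h) for h in flag_windows(rates)}


if __name__ == "__main__":
    for h, (total, reverts, rate) in hourly_revert_rate(SAMPLE).items():
        print(f"hour {h}: {reverts}/{total} reverted ({rate:.1%})")
    print("suspects:", report(SAMPLE))
```

On the constructed sample, hour 0 stays under the alert level (one revert in nineteen settlements) while hour 1 is flagged, and within hour 1 only the maker with eight reverts out of nine settlements is named. In production the same two-level structure matters: the global rate tells you the platform is being denied service, the per-maker share tells you who is doing it.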

The Ghost Fills research highlights a broader tension in DeFi: platforms must choose between decentralized security and centralized performance. Polymarket's hybrid approach sacrifices some security guarantees to achieve the low-latency trading that users expect. As the ecosystem matures, platforms will need to find better ways to balance these competing demands without leaving users exposed to invisible settlement risks.