Polymarket has dismissed claims of a data breach after a threat actor known as xorcat posted 300,000 records on a cybercrime forum. The decentralized prediction market said the data is publicly accessible through its APIs and on-chain history.
The actor, surfaced by the Dark Web Informer monitoring account, claimed to have extracted user profiles, comments, market data, and exploit code. Polymarket responded, calling the disclosure a feature rather than a vulnerability.
Polymarket User Data Leaked?
The forum post advertised a 750 MB pack containing roughly 10,000 user profiles, 4,111 comments, 48,536 markets from Polymarket’s Gamma API, and more than 250,000 active markets from its CLOB API.
The actor also included follower lists, reward configurations, and internal user identifiers.
Beyond the raw data, the package allegedly bundled proof-of-concept exploits. These covered an Axios proxy bypass tracked as CVE-2025-62718, a CORS misconfiguration on the CLOB API, a Next.js middleware authentication bypass, and a pagination flaw that the seller said accepted unlimited query sizes.
The post framed the dump as proof of broken access controls across Polymarket and claimed the platform had no bug bounty program and was never notified before publication.
Polymarket’s Response
Polymarket pushed back within hours. In a statement on X, the platform said all data flagged in the post is auditable on-chain or reachable through its documented endpoints.
“Part of the beauty of being on-chain is all our data is publicly auditable… this is a feature, not a bug. No data was ‘leaked’ — it’s accessible via our public endpoints & on-chain data.”
The team added that researchers do not need to pay a forum seller for this. The information is already published by the protocol for free. The team pointed users to its API documentation.
Bug Bounty Limits
Polymarket also rebutted the claim that no bug bounty exists. The platform highlighted its $5 million program hosted with Cantina, while clarifying that scraping public API endpoints does not qualify for any reward.
Eligible submissions involve verified vulnerabilities affecting funds, contracts, or private user data.
The dispute mirrors a recurring tension across prediction markets and other on-chain platforms. Transparent ledgers often blur the line between disclosure and discovery.
Polymarket’s stance suggests it sees little risk in continuing to expose market activity. The response may shape how future findings about the platform are reported.
The post Dark Web Claims Polymarket Hack, But the Platform Fires Back appeared first on BeInCrypto.