A critical vulnerability in Polymarket allows attackers to cancel orders that have already been matched off-chain, resulting in ghost fills. The exploit leverages the incrementNonce() function on the CTF Exchange contract to invalidate matched orders, leaving counterparties with failed transactions. This article provides a step-by-step technical analysis of the attack vector, including the underlying smart contract flaws. For DeFi developers, understanding this vulnerability is essential to prevent similar issues in order book systems. The incident highlights the importance of nonce management and cross-chain coordination in decentralized exchanges.
A deep dive into the Polymarket ghost fill exploit, explaining how attackers cancel matched orders and the security lessons for DeFi.