Polymarket Launches Bug Bounty Program On Cantina With Rewards Of Up To $5M
In Brief
Polymarket launches a Cantina-hosted bug bounty offering up to $5M, targeting vulnerabilities across smart contracts, web systems, oracles, and collateral infrastructure on its Polygon-based platform.
The platform, known for enabling users to place real-money bets on events such as elections, central bank decisions, and major sports outcomes, has processed billions of dollars in trading volume, particularly during the 2024 United States election cycle. Its contracts operate on the Polygon Proof-of-Stake network and incorporate multiple settlement pathways, several signature verification methods, and a system that bridges stablecoins with an internal token.
The program is divided into two main areas. The first focuses on exchange and settlement infrastructure, which includes a set of 18 smart contracts responsible for trade execution, fee handling, collateral management, oracle-based resolution, and wallet deployment. It also covers integrations with the Gnosis Conditional Tokens framework, though core issues within that framework are excluded. The second area addresses vulnerabilities within the web platform, including critical risks such as remote code execution, data breaches, subdomain takeovers involving wallet interaction, and malicious transaction injection.
Incentive Structure And Severity Classification
Rewards are structured by severity. For smart contract vulnerabilities, critical findings can receive between $50,000 and $5 million, while high-severity issues may earn up to $500,000. Web-related vulnerabilities offer lower maximum payouts, with critical issues reaching up to $250,000. Severity levels are determined based on a standardized framework that considers both impact and likelihood.
Several technical features are expected to attract security researchers. The platform’s newer exchange contracts use low-level assembly optimizations for processes such as hashing and event handling, which can introduce risks not typically present in higher-level code. The signature verification system supports multiple validation types, each interacting with a nonce mechanism designed to prevent replay attacks, creating potential edge cases.
In order to qualify for higher-tier rewards, submissions must include detailed proof-of-concept demonstrations. Smart contract reports require reproducible tests on a local Polygon environment, while web vulnerabilities must include clear replication steps and supporting evidence. All reports are submitted via Cantina, with prompt disclosure encouraged.
The program highlights Polymarket’s complex architecture and significant financial activity, positioning it as a high-value target for security research.