Polymarket's whole pitch rests on a compromise that sounds reasonable until you look at the seam. To feel like a fast exchange, it matches orders off-chain; to be trustless, it settles them on-chain. Between those two moments lives a gap, and a paper posted to arXiv on June 15 — The Ghosts of Polymarket: When Off-Chain Matches Meet On-Chain Reverts, by Yiming Shen, Yuhan Jin, Shuohan Wu, Yanlin Wang, and Jiachi Chen — argues that the gap is not a rough edge but an exploitable structural flaw, and it brings receipts measured in the millions.

The authors name the failure mode Ghost Fills: an order that is successfully matched off-chain may later fail during on-chain settlement. To study it at scale they built a tool, GHOSTHUNTER, that reconstructs failed settlements from on-chain traces and attributes each to a concrete attack pattern. This is the right methodology for the claim — rather than reasoning about what could go wrong in the abstract, they go to the chain's own record of what did.

"Across 1,952,440 reverted match-order transactions, we find that attackers exploit the time gap between matching and settlement to invalidate already matched orders before they are finalized on-chain." — arXiv:2606.16852

The number alone reframes how one should think about a hybrid order book. Nearly two million reverted match-order transactions is not a tail of unlucky timing; it is a population large enough to be a business model for whoever is on the winning side of the revert. The mechanism is that a match agreed off-chain is not yet final, and an attacker who controls one side can act in the settlement window to make the on-chain transaction fail — turning a 'filled' order into a ghost.

Four ways to kill a matched order

The paper identifies four attack vectors, which the authors see realized in 35 evolving variants: nonce bump, balance drain, allowance revoke, and proxy trap. The common thread is that all four exploit state the attacker still controls between the off-chain match and on-chain finalization. A nonce bump invalidates the pending settlement transaction by advancing the account's nonce; a balance drain removes the funds the settlement assumes are present; an allowance revoke pulls the ERC-20 approval the settlement needs; a proxy trap manipulates the contract path the settlement routes through. In every case the off-chain system believed a trade was done, and the on-chain system disagreed.

What makes this more than a nuisance is selectivity. The authors report attackers reverted 980,133 filled orders, and crucially they could choose which ones to revert. Selective reversion is the difference between random settlement noise and a weapon: it enables what the paper calls risk-free prediction, arbitrage-bot hunting, and liquidity-reward manipulation. If you can take only the trades that turned out badly for you and ghost the rest, you have a free option on every fill.
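An added example, not code from the paper or from GHOSTHUNTER: a small Python attribution routine that, given a reverted settlement and the maker's state snapshotted at match time and at settlement time, maps the revert to one of the four vectors above and then counts reverts per maker, since one maker dominating the counts is the selective-reversion signal the paper describes. The record layout, field names and sample values are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class MatchedOrder:
    """An order the off-chain matcher reported as filled (constructed model)."""
    order_id: str
    maker: str
    nonce: int     # maker nonce the signed order is valid for
    amount: int    # collateral the settlement will pull from the maker
    target: str    # contract the settlement call routes through


@dataclass(frozen=True)
class MakerState:
    """Maker-controlled chain state, snapshotted at match and at settlement."""
    nonce: int
    balance: int
    allowance: int
    target_code_hash: str  # code behind `target`; changes if a proxy is re-pointed


def attribute_revert(order, at_match, at_settle):
    """Map a reverted settlement to the precondition the maker changed in the gap.
    Returns one of the four vectors, or None when the order was never settleable
    (already short at match time) or the cause is something else."""
    if at_settle.nonce > order.nonce:
        return "nonce_bump"
    if at_match.balance >= order.amount > at_settle.balance:
        return "balance_drain"
    if at_match.allowance >= order.amount > at_settle.allowance:
        return "allowance_revoke"
    if at_match.target_code_hash != at_settle.target_code_hash:
        return "proxy_trap"
    return None


def summarize(reverts):
    """Count attributed causes overall and ghost fills per maker."""
    causes, makers = Counter(), Counter()
    for order, at_match, at_settle in reverts:
        cause = attribute_revert(order, at_match, at_settle)
        if cause:
            causes[cause] += 1
            makers[order.maker] += 1
    return causes, makers


# Constructed sample: four ghost fills from one maker, one unrelated revert from another.
OK = MakerState(nonce=7, balance=1_000, allowance=1_000, target_code_hash="h1")
SAMPLE = [
    (MatchedOrder("o1", "0xMakerA", 7, 500, "0xExch"), OK, MakerState(8, 1_000, 1_000, "h1")),
    (MatchedOrder("o2", "0xMakerA", 7, 500, "0xExch"), OK, MakerState(7, 100, 1_000, "h1")),
    (MatchedOrder("o3", "0xMakerA", 7, 500, "0xExch"), OK, MakerState(7, 1_000, 0, "h1")),
    (MatchedOrder("o4", "0xMakerA", 7, 500, "0xExch"), OK, MakerState(7, 1_000, 1_000, "h2")),
    (MatchedOrder("o5", "0xMakerB", 7, 5_000, "0xExch"), OK, OK),  # short at match time
]
```

Run over real settlement traces, the per-maker counter is the first thing to plot against time: a maker whose reverts cluster on fills that moved against them is ghosting selectively.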

The money, and the blast radius

The disclosed figures are specific. The authors put realized attacker profit at at least $1.49M, with $1.78B at risk and 2.17M POL, about $212K, paid by the operator. During peak hours, more than 24.3% of all filled orders reverted, amounting to a de facto denial-of-service: at that rate a quarter of the platform's matched trades evaporate at settlement. For a venue whose entire value proposition is that a match means something, a one-in-four ghost rate during peak load is close to existential.

The blast radius extends past Polymarket. The paper reports that code derived from the flawed contract still appears in 167 independent contracts across 10 chains holding at least $23M in user funds. That is the part that should travel beyond prediction-market watchers: a settlement-finality bug in a popular contract template does not stay in one app. Forks inherit the seam. The authors note they disclosed their evidence to affected parties and that the issue has been partially mitigated — 'partially' being the operative word for anyone tracking the downstream forks.

Step back and the episode is also a governance lesson about disclosure. The researchers found this not by privileged access but by reading the chain — GHOSTHUNTER reconstructs failed settlements from the public trace record, which means the evidence of the exploit was sitting in plain view the whole time, waiting for someone to attribute it. That cuts two ways. It is a strength of on-chain systems that an independent team can audit a venue's settlement health without permission, quantify the loss, and force a fix. It is a weakness that the venue itself, with the same data, either did not run that analysis or did not act on it until disclosure. For a prediction market that markets itself on transparency, the gap between 'the data was public' and 'the failure was understood' is the part operators of any hybrid system should sit with.

The structural lesson is the one the hybrid architecture invites. Any design that matches in one trust domain and settles in another creates a window in which the two can disagree, and the side that controls the settlement preconditions controls the outcome of that disagreement. The fix is not exotic cryptography; it is removing the attacker's ability to unilaterally invalidate state the match depended on — escrowing funds and approvals at match time, ordering settlement so it cannot be front-run by a nonce bump, or collapsing the gap entirely. The paper's contribution is to quantify, from on-chain evidence, exactly how expensive leaving that gap open turned out to be, and to show that the same gap has already been copied into systems holding tens of millions of dollars.