Polymarket denies allegations of a leak of 300k records, saying its API data is publicly available and auditable

Polymarket denies record leak

According to a post on X by Polymarket on April 29, the cybersecurity account Dark Web Informer had accused the decentralized prediction market platform Polymarket of being hacked, with more than 300k records and an exploit toolkit allegedly leaked to an online criminal forum. Polymarket immediately denied this in a statement on X, saying that all on-chain data is publicly available and auditable.

Polymarket Official Response

According to a statement published by Polymarket on X on April 29, 2026, the platform said that all its on-chain data is publicly available and auditable. Anyone can access it for free through the public API, with no payment required. In the statement, Polymarket characterized this as “a feature, not a bug.”

Polymarket also pointed out that the platform has a $5 million bug bounty program, which contradicts the attackers’ claim that “Polymarket has no bug bounty program.” It also clearly stated that attacks on public API endpoints do not qualify for bounty claims.

The Allegations and Technical Details Claimed by Dark Web Informer

According to a post by Dark Web Informer on X on April 29, 2026, the attacker “xorcat” claimed to have completed data extraction on April 27, 2026 by using unpublished endpoints, pagination bypasses, and a CORS configuration error in Polymarket’s Gamma and CLOB APIs. The scale of the allegedly disclosed data revealed by Dark Web Informer is as follows:

· A total of more than 300k records, about 750 MB after extraction, and about 8.3 MB after compression

· About 10k unique user records containing complete personally identifiable information (PII), covering names, pseudonyms, proxy wallets, and basic addresses

· 48,536 Gamma market records containing complete metadata

· More than 250k active CLOB market records containing FPMM addresses

The post by Dark Web Informer also lists the technical vulnerabilities the attacker claimed to have exploited, including CVE-2025-62718 (Axios NO_PROXY bypass, CVSS score 9.9), a CLOB API CORS misconfiguration (wildcard origin combined with credentials=true), and multiple unauthenticated API endpoints.
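The CORS claim above is the one item in the list that can be checked against a response header with no knowledge of the service internals, so the following added example (not Polymarket's code, and not taken from the post) shows how a defender would audit a set of API responses for it. It classifies each response's `Access-Control-Allow-Origin` / `Access-Control-Allow-Credentials` pair and pairs that with a hardened header builder that only honours an allowlist. The `TRUSTED_ORIGINS` set and every sample response are constructed for illustration; nothing here is captured from any real API.

```python
"""Audit CORS response headers for wildcard-plus-credentials style misconfigurations.

Added example; not Polymarket's code. TRUSTED_ORIGINS and SAMPLE_RESPONSES are
constructed values, not observed data.
"""
from typing import Dict, List, Tuple

# Origins a hypothetical API is meant to trust (constructed for this example).
TRUSTED_ORIGINS = {"https://app.example.com"}


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def classify_cors(headers: Dict[str, str], request_origin: str) -> str:
    """Classify the CORS posture of one response to a request from request_origin.

    'no-cors'                      no Access-Control-Allow-Origin header at all
    'wildcard'                     ACAO: * without credentials (fine for public data)
    'wildcard-with-credentials'    ACAO: * plus ACAC: true; browsers refuse to use this
                                   for credentialed requests, but it signals an unreviewed policy
    'reflected'                    ACAO echoes the untrusted request origin, no credentials
    'reflected-with-credentials'   ACAO echoes the untrusted origin plus ACAC: true; this is
                                   the variant that exposes authenticated responses cross-site
    'allowlisted[-with-credentials]'  ACAO names an origin in TRUSTED_ORIGINS
    'other'                        ACAO names some fixed origin that is neither trusted
                                   nor the requester
    """
    acao = _header(headers, "Access-Control-Allow-Origin")
    creds = _header(headers, "Access-Control-Allow-Credentials").lower() == "true"
    if not acao:
        return "no-cors"
    if acao == "*":
        return "wildcard-with-credentials" if creds else "wildcard"
    if acao in TRUSTED_ORIGINS:
        return "allowlisted-with-credentials" if creds else "allowlisted"
    if acao == request_origin:
        return "reflected-with-credentials" if creds else "reflected"
    return "other"


def cors_headers_for(request_origin: str) -> Dict[str, str]:
    """Hardened counterpart: emit CORS headers only for an allowlisted origin,
    never combine a wildcard with credentials, and mark the response as varying
    by Origin so caches do not serve one origin's headers to another."""
    if request_origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


# Constructed sample responses: (label, request origin, response headers).
SAMPLE_RESPONSES: List[Tuple[str, str, Dict[str, str]]] = [
    ("public-endpoint", "https://untrusted.example",
     {"Access-Control-Allow-Origin": "*"}),
    ("misconfigured-wildcard", "https://untrusted.example",
     {"access-control-allow-origin": "*", "access-control-allow-credentials": "true"}),
    ("reflecting-endpoint", "https://untrusted.example",
     {"Access-Control-Allow-Origin": "https://untrusted.example",
      "Access-Control-Allow-Credentials": "true"}),
    ("first-party", "https://app.example.com",
     {"Access-Control-Allow-Origin": "https://app.example.com",
      "Access-Control-Allow-Credentials": "true"}),
]


def audit(samples=SAMPLE_RESPONSES) -> Dict[str, str]:
    """Map each sample label to its classification; the two '*-with-credentials'
    results on untrusted origins are the findings a reviewer would raise."""
    return {label: classify_cors(headers, origin) for label, origin, headers in samples}


if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{label:24s} {verdict}")
```

The distinction the classifier draws matters when triaging a claim like the one in the post: a literal `*` with `credentials=true` is rejected by browsers for credentialed requests, so on its own it mostly indicates a policy nobody reviewed, whereas an endpoint that reflects an arbitrary `Origin` together with `credentials=true` is what lets another site read an authenticated user's responses. The `cors_headers_for` helper shows the shape of the fix in either case: an explicit allowlist, no wildcard when credentials are involved, and `Vary: Origin` on the response.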

Background on Polymarket’s Bug Bounty Program

According to Polymarket’s official bug bounty program page, the platform has a $5 million bug bounty program. It accepts vulnerability reports through the Spearbit/Cantina platform and covers vulnerabilities in smart contracts and web applications. Severity is divided into four levels: critical, high, medium, and low. According to the program terms, attacks on public API endpoints are not within the scope of bounty eligibility.

Frequently Asked Questions

When was Polymarket’s denial statement about the alleged data leak published? What is the core argument?

According to Polymarket’s statement on X on April 29, 2026, the platform denied the data leak. It said that all on-chain data is publicly available and auditable by design, can be accessed for free through the public API, and noted that attacking public API endpoints does not meet the eligibility criteria for the bug bounty.

What is the scale of leaked data and the data extraction date claimed by Dark Web Informer?

According to Dark Web Informer’s post on X on April 29, 2026, the attacker claimed to have extracted more than 300k records on April 27, 2026, including about 10k user records containing complete personally identifiable information (PII) and more than 250k CLOB market records.

How large is Polymarket’s bug bounty program? Which platform manages it?

According to Polymarket’s official bug bounty program page, the program is worth $5 million, and vulnerability reports are accepted through the Spearbit/Cantina platform. Attacks on public API endpoints are not within the scope of bounty eligibility.

Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to Disclaimer.