defirisk.co
rubric v1.7.0

Leaked credential on paste/sentry site

Polymarket's assessment for RD-F-164 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Elevated exposure. Publicly documented CVE-class vulnerabilities: (a) Next.js middleware auth bypass CVE-2024-51479 (CVSS 7.5), which affected Polymarket's route-level authentication checks; (b) a CORS misconfiguration (wildcard origin combined with credentials=true) enabling cross-origin authenticated API requests; (c) xorcat's claimed API enumeration via undocumented endpoints and a pagination bypass (Apr 2026, disputed by Polymarket as scraping of public data). The Immunefi bug bounty received 400+ submissions within days of its Apr 2026 launch, confirming active researcher engagement with the protocol's vulnerabilities. No confirmed leak of smart-contract admin private keys or admin wallet material. Scored yellow: API/frontend credential exposure is elevated above baseline, while smart-contract key material is not confirmed leaked.

Sources

Methodology

Determine whether a public paste site, Sentry-alt, or credential dump references protocol infrastructure endpoints or API keys.


rubric_version: v1.7.0
protocol: polymarket
factor: RD-F-164
score: yellow
collected_at: 2026-04-29 16:25:39