defirisk.co
rubric v1.7.0

Prior known-ignored disclosure

Polymarket's assessment for RD-F-177 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Trust Security reported a frontrunning vulnerability in UmaCtfAdapter to Polymarket via Immunefi in 2024. Polymarket's response: it paid a $500 good-faith bounty, acknowledged that the issue was already known internally (another researcher had reported it 3 months earlier), and explicitly chose not to fix the contract code, opting instead for private mempool mitigation and a future fixed adapter. The vulnerability was not subsequently exploited at scale. This matches the known-ignored disclosure pattern (code left unpatched despite awareness). The score is yellow rather than red because mitigations were applied and a bounty was paid (not a complete ignore), and the vulnerability was not exploited after disclosure.

Sources

Methodology

Determine whether evidence exists in prior-incident post-mortems that a disclosed vulnerability was reported to the team and not actioned before exploit.


rubric_version: v1.7.0
protocol: polymarket
factor: RD-F-177
score: yellow
collected_at: 2026-04-29 16:25:39