diff --git a/data/submissions/polymarket-international/all/claude-2026-05-20.json b/data/submissions/polymarket-international/all/claude-2026-05-20.json
new file mode 100644
index 0000000000..dd3267b9cf
--- /dev/null
+++ b/data/submissions/polymarket-international/all/claude-2026-05-20.json
@@ -0,0 +1,272 @@
+[
+ {
+ "schema_version": 4,
+ "slug": "polymarket-international",
+ "slice": "control",
+ "snapshot_generated_at": "2026-05-11T09:35:21.490Z",
+ "prompt_version": 29,
+ "analysis_date": "2026-05-18",
+ "model": "claude-opus-4-7",
+ "chat_url": "https://claude.ai/share/2c54f53c-4622-4a79-98b6-08eadd73ecb0",
+ "grade": "orange",
+ "headline": "Multiple T1 admin powers reachable with short or zero delay: UMA Adapter emergency-resolve (2-day), pUSD V2 UUPS upgrade (no timelock); admin holders unidentified",
+ "short_headline": "T1 admin paths <7d; admins unknown",
+ "rationale": {
+ "findings": [
+ { "code": "C1", "text": "UmaCtfAdapter (0x6A9D...4F74) exposes onlyAdmin functions flag, pause, unpause, emergencyResolve, reset, addAdmin, removeAdmin, renounceAdmin. ConditionalTokens (0x4D97...6045) has no admin/owner functions visible on its ABI — fully immutable. CTFExchange V2 (0xE111...996B) exposes isAdmin/addAdmin/removeAdmin and admin-gated pauseTrading/unpauseTrading/setFeeReceiver/setMaxFeeRate/setUserPauseBlockInterval. pUSD CollateralToken proxy (0xC011...2DFB) is Solady Ownable + UUPS and exposes owner(), transferOwnership, grantRoles/revokeRoles, addMinter/addWrapper, mint/burn, and upgradeToAndCall. Specific admin holder addresses were not read on-chain this run (RPC tenant disabled on defipunkd surfacer; see unknowns)." },
+ { "code": "C2", "text": "Upgradeability is MIXED across the system. ConditionalTokens, CTFExchange V1 (0x4bFb...982e) and V2, UmaCtfAdapter are constructor-only implementations with no upgrade entry point visible on their ABIs (immutable). pUSD CollateralToken proxy at 0xC011...2DFB is UUPS-upgradeable: ABI exposes upgradeToAndCall(address newImplementation,bytes data) and proxiableUUID(); current implementation pointer is 0x6bBCef...0925f per pinned address_book. 
A4 Polymarket Proxy Factory (0xaB45...4052) deploys per-user proxy wallets — those are 1-of-1 user-owned multisigs, NOT a protocol-admin upgrade surface, and are documented as such in the Polymarket proxy-wallet docs." },
+ { "code": "C3", "text": "EXECUTION PATH for the highest-tier admin actions has effectively NO multi-stage timelock. (a) pUSD V2 upgrade: owner() → upgradeToAndCall(impl, data) in a single transaction, delay 0 seconds. No scheduler / timelock contract is referenced in the proxy ABI. (b) UMA Adapter emergency override: admin → flag(questionID) sets emergencyResolutionTimestamp = block.timestamp + emergencySafetyPeriod, where emergencySafetyPeriod is a public constant = 2 days (172800 s) per the verified Polygonscan source; admin then waits ≥2 days and calls emergencyResolve(questionID, payouts) which writes arbitrary [YES,NO] payouts directly to ctf.reportPayouts. (c) UMA Adapter pause(questionID): admin → pause(questionID) sets paused=true with NO time cap on individual questions. (d) CTFExchange V2 admin: admin → pauseTrading()/setMaxFeeRate(rate)/setFeeReceiver(addr) in a single transaction, delay 0 seconds." },
+ { "code": "C4", "text": "Privileged actors and their scope: (i) pUSD owner — single owner() role on a UUPS proxy, holds T1 power to replace implementation bytecode (entire token + minter logic). Identity not re-verified on-chain this run. (ii) UmaCtfAdapter admins() — uint256-mapped role set (count unknown), each can flag/pause/emergencyResolve any market; T1 per market. (iii) CTFExchange V1 and V2 admin set — each admin can pauseTrading globally and tune fees up to a max cap; T1 for trading-availability and T2 for fee economics. None of these are identified as Gnosis Safes by ABI inspection alone, and a 'Security Council' (≥7 signers, ≥51% threshold, ≥50% non-insider, publicly announced) is not documented for Polymarket; the protocol's published proxy-wallet system is for end-users, not for protocol governance." 
},
+ { "code": "C5", "text": "No on-chain Governor / GovernorBravo / Aragon Voting / OZ Governor contract is present in the address_book or surfaced from the inspected contracts. Polymarket's POLY governance token has been publicly announced but is unlaunched as of 2026-05-18, so no token-weighted on-chain governance currently exists. Governance is therefore admin-key based, not vote-based." },
+ { "code": "C6", "text": "UmaCtfAdapter has a dedicated emergency-pause path (flag → 2-day safety period → emergencyResolve) separate from the standard pause()/unpause(). Both routes are held by the same onlyAdmin role — there is no separate guardian role with shorter time bound or different actor; the only time-bound is the 2-day emergencySafetyPeriod for arbitrary-payout resolution, while regular pause(questionID) is uncapped." },
+ { "code": "C7", "text": "HIGHEST tier reachable on the uncontested fast path is T1 (FUND-CRITICAL): (a) pUSD owner can upgrade implementation to bytecode that mints unlimited pUSD or transfers the underlying USDC/USDCe vault out — directly impairs collateral backing of every V2 market, with zero on-chain delay; (b) UmaCtfAdapter admin can emergencyResolve any flagged market with arbitrary [YES,NO] payouts after the 2-day safety period, redirecting that market's locked collateral to the chosen side. Lower-tier T2 surfaces also exist (setMaxFeeRate within bounds, fee receiver change). Per rubric, T1 reachable with no timelock OR <7-day delay = orange or red; red requires positive evidence of EOA / 2-of-3 admin holder, which was not established this run." 
}
+ ],
+ "steelman": {
+ "red": "Both T1 paths are reachable in well under 7 days — pUSD upgrade has literal zero delay — and the admin/owner identities are not publicly documented as Security Council multisigs, leaving a plausible RED case if they are EOAs or small multisigs.",
+ "orange": "T1 is reachable on the uncontested fast path with delays of 0 days (pUSD upgrade) and 2 days (UMA emergency resolve), both under the 7-day bar required for green, while the most likely admin class — an internal Polymarket operations multisig — fails Security Council criteria but is not affirmatively a 2-of-3 or EOA.",
+ "green": "The single immutable contract that actually custodies user position tokens (ConditionalTokens 0x4D97...6045) has no admin, no pause, no upgrade — and once a market is resolved, redeemPositions is permissionless forever, so admin actions can affect pending markets but cannot retroactively touch already-resolved redemptions."
+ },
+ "verdict": "Choosing orange because the T1 paths are real and on the uncontested fast path with delays well under 7 days (0d for pUSD upgrade, 2d for emergencyResolve), but the admin/owner identities were not re-verified on-chain this run, so the rubric's 'EOA or 2-of-3 with no timelock' red trigger is not affirmatively shown — orange (failing-Security-Council multisig on a T1 path with <7d effective delay) is the steel-man best supported by the inspected ABIs." 
+ },
+ "evidence": [
+ { "url": "https://defipunkd.com/address/137/0xE111180000d2663C0091e4f400237545B87B996B", "shows": "CTFExchange V2 verified ABI listing admin role (isAdmin/addAdmin/removeAdmin), admin-gated pauseTrading/unpauseTrading/setFeeReceiver/setMaxFeeRate/setUserPauseBlockInterval, operator role, and absence of any upgrade entry point — implementation is immutable", "chain": "Polygon", "address": "0xE111180000d2663C0091e4f400237545B87B996B", "fetched_at": "2026-05-18T00:00:00Z" },
+ { "url": "https://defipunkd.com/address/137/0x4D97DCd97eC945f40cF65F87097ACe5EA0476045", "shows": "ConditionalTokens ABI — no admin/owner/pause/upgrade functions; fully immutable Gnosis CTF implementation", "chain": "Polygon", "address": "0x4D97DCd97eC945f40cF65F87097ACe5EA0476045", "fetched_at": "2026-05-18T00:00:00Z" },
+ { "url": "https://defipunkd.com/address/137/0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74", "shows": "UmaCtfAdapter ABI lists onlyAdmin write methods: flag(bytes32), pause(bytes32), unpause(bytes32), emergencyResolve(bytes32,uint256[]), reset(bytes32), addAdmin/removeAdmin/renounceAdmin", "chain": "Polygon", "address": "0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74", "fetched_at": "2026-05-18T00:00:00Z" },
+ { "url": "https://polygonscan.com/address/0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74", "shows": "UmaCtfAdapter verified source: 'uint256 public constant emergencySafetyPeriod = 2 days' and the emergencyResolve function writes arbitrary uint256[] payouts to ctf.reportPayouts after that period elapses (derived from inspecting the inlined Solidity source on the Polygonscan page)", "chain": "Polygon", "address": "0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74", "fetched_at": "2026-05-18T00:00:00Z" },
+ { "url": "https://defipunkd.com/address/137/0xC011a7E12a19f7B1f670d46F03B03f3342E82DFB", "shows": "pUSD CollateralToken ABI confirms UUPS proxy: upgradeToAndCall(address,bytes) and proxiableUUID() entries, plus Solady Ownable surface (owner(), transferOwnership, 
grantRoles, revokeRoles), plus addMinter/addWrapper/mint/burn — derived: any account holding owner() can replace implementation in a single tx with no timelock", "chain": "Polygon", "address": "0xC011a7E12a19f7B1f670d46F03B03f3342E82DFB", "fetched_at": "2026-05-18T00:00:00Z" },
+ { "url": "https://github.com/Polymarket/contract-security", "shows": "Polymarket-published deployment + audit registry, listing the v1 architecture audits by ChainSecurity and OpenZeppelin and the deployed addresses on Polygon", "fetched_at": "2026-05-18T00:00:00Z" }
+ ],
+ "unknowns": [
+ "C1: pUSD CollateralToken owner() not re-read on-chain this run — defipunkd /api/contract/read endpoints returned 400 because the upstream RPC at polygon-rpc.com reported 'API key disabled, reason: tenant disabled' (visible in the surfacer page output); admin identity could be EOA, small multisig, or large multisig, which differentiates red vs orange under the rubric.",
+ "C1: UmaCtfAdapter admin set (isAdmin / admins mapping) not enumerated on-chain this run for the same RPC reason; cannot determine count or whether held by a Gnosis Safe.",
+ "C1: CTFExchange V1 (0x4bFb...982e) and V2 (0xE111...996B) admin and operator addresses not enumerated on-chain this run.",
+ "C2: pUSD implementation address (0x6bBCef...0925f per pinned address_book) was not fetched directly this run; whether the implementation contains an _authorizeUpgrade timelock check beyond onlyOwner was not verified.",
+ "C4: No Polymarket Gnosis Safe with documented public signer set was identified on-chain or in fetched docs; Security Council standard cannot be applied." 
+ ],
+ "protocol_metadata": {
+ "github": [
+ "https://github.com/Polymarket/ctf-exchange",
+ "https://github.com/Polymarket/ctf-exchange-v2",
+ "https://github.com/Polymarket/uma-ctf-adapter",
+ "https://github.com/Polymarket/neg-risk-ctf-adapter",
+ "https://github.com/Polymarket/contract-security"
+ ],
+ "docs_url": "https://docs.polymarket.com",
+ "audits": [
+ { "firm": "ChainSecurity", "url": "https://github.com/Polymarket/ctf-exchange/blob/main/audit/ChainSecurity_Polymarket_Exchange_audit.pdf", "date": "2022" },
+ { "firm": "OpenZeppelin", "url": "https://github.com/Polymarket/uma-ctf-adapter/blob/main/audit/Polymarket_UMA_Optimistic_Oracle_Adapter_Audit.pdf", "date": "2023" }
+ ],
+ "governance_forum": null,
+ "voting_token": null,
+ "bug_bounty_url": null,
+ "security_contact": null,
+ "deployed_contracts_doc": "https://github.com/Polymarket/contract-security",
+ "admin_addresses": [],
+ "upgradeability": "mixed",
+ "about": "Polymarket International is a prediction-market protocol on Polygon where users buy/sell ERC-1155 outcome shares (YES/NO) issued by Gnosis Conditional Tokens against an ERC-20 collateral. Markets are resolved by an UMA Optimistic Oracle adapter that writes payouts to the CTF, after which users can permissionlessly redeem winning shares for collateral. Trading uses a hybrid central limit order book: users sign orders off-chain to Polymarket's operator and the operator settles matched orders on-chain via the CTF Exchange. Version 2 (April 2026) introduces pUSD (Polymarket USD), a UUPS-upgradeable wrapper around USDC/USDC.e used as the new exchange collateral." 
+ }
+ },
+ {
+ "schema_version": 4,
+ "slug": "polymarket-international",
+ "slice": "ability-to-exit",
+ "snapshot_generated_at": "2026-05-11T09:35:21.490Z",
+ "prompt_version": 29,
+ "analysis_date": "2026-05-18",
+ "model": "claude-opus-4-7",
+ "chat_url": "https://claude.ai/share/2c54f53c-4622-4a79-98b6-08eadd73ecb0",
+ "grade": "orange",
+ "headline": "Claims on already-resolved markets are permissionless on the immutable CTF, but resolution of pending markets can be paused indefinitely by the UMA Adapter admin",
+ "short_headline": "Resolved exits permissionless; pending pausable",
+ "rationale": {
+ "findings": [
+ { "code": "E1", "text": "User-facing exit functions live on the ConditionalTokens contract (0x4D97...6045), not on the CTFExchange. Inspected ABI exposes: redeemPositions(address,bytes32,bytes32,uint256[]) — claim winnings after resolution; mergePositions(address,bytes32,bytes32,uint256[],uint256) — burn balanced YES+NO shares back to collateral; splitPosition(address,bytes32,bytes32,uint256[],uint256) — deposit collateral and mint YES+NO; safeTransferFrom / safeBatchTransferFrom — transfer position shares away. No 'withdraw' or 'requestWithdrawal' function; positions are ERC-1155, so 'exit' = redeemPositions for resolved markets, mergePositions for unresolved balanced positions, or transfer to a peer." },
+ { "code": "E2", "text": "Access modifiers on the CTF exit functions: redeemPositions, mergePositions, splitPosition, safeTransferFrom, safeBatchTransferFrom are all public/external with no onlyOwner / onlyRole / whenNotPaused guard — the ABI does not include any pause(), paused(), or hasRole() functions on ConditionalTokens, and the contract has no admin (see CONTROL slice C1). REQUEST placement on a market (splitPosition) and CLAIM of a resolved market (redeemPositions) are both unconditional once the relevant condition state is met (resolved or not)." },
+ { "code": "E3", "text": "No PAUSE_ROLE / GUARDIAN role exists on ConditionalTokens. 
The role-holder reads requested by the checklist (hasRole, getRoleAdmin, paused/isPaused) are not in the contract's ABI at all because the contract is built on the OpenZeppelin v0.7-era pattern without AccessControl. The only path that can block a user from reaching the redeemable state is upstream: the UmaCtfAdapter (0x6A9D...4F74) admin can call pause(bytes32 questionID) with no time cap on individual questions, preventing ctf.reportPayouts from being written for that question. This does NOT pause the redemption itself — it pauses RESOLUTION (the upstream input to the CTF)." },
+ { "code": "E4", "text": "Distinct EMERGENCY vs GOVERNANCE pause paths on UmaCtfAdapter: (a) pause(questionID) onlyAdmin — no time cap, can be left set indefinitely; (b) flag(questionID) + emergencyResolve(questionID, payouts) onlyAdmin — flag sets a 2-day safety timer, after which arbitrary payouts can be written. There is no on-chain governance-vote layer above these — both are held by the same admin role. No actor exists that is time-capped at a shorter horizon than the admin." },
+ { "code": "E5", "text": "There is no queued-redemption mechanism with a daily cap or queue duration: redeemPositions on the CTF is one-shot and immediate once payouts are reported. There is also no protocol-level cap on the amount that can be redeemed per block." },
+ { "code": "E6", "text": "There is NO permissionless emergency-exit / escape-hatch that lets a user redeem an UNRESOLVED market without oracle resolution. Users holding one-sided positions in a market the admin has paused indefinitely have to either wait for unpause, hold the ERC-1155 tokens forever, sell them on the secondary market, or — if they can acquire the opposite-side tokens to make a balanced YES+NO pair — call mergePositions to recover the underlying collateral. mergePositions is permissionless and is the only adversarial-admin exit path for pending markets." 
},
+ { "code": "E7", "text": "Exit functions are directly callable on-chain without Polymarket's frontend: the Polymarket-published polymarket-cli (github.com/Polymarket/polymarket-cli) documents 'polymarket ctf redeem --condition 0xCONDITION...' and 'polymarket ctf merge --condition 0xCONDITION... --amount 10' as direct CTF calls; users can equivalently invoke redeemPositions / mergePositions from Etherscan-Write, a generic wallet, or any custom tooling. No frontend dependency for exit." }
+ ],
+ "steelman": {
+ "red": "The admin can pause resolution of any market indefinitely via UmaCtfAdapter.pause(questionID), so a user holding a one-sided position in that market is effectively locked out of redemption to collateral until the admin chooses to unpause — and there is no on-chain forced-exit, no governance vote, no auto-expiry on the pause.",
+ "orange": "Claims on already-resolved markets are unconditional and immutable on the CTF, but new-resolution placement for a pending market can be paused indefinitely by a single admin role without any time cap, so the pending-market exit story has a real centralized lever even though it is bounded to specific paused questions.",
+ "green": "Once a market is resolved, redeemPositions is permissionlessly callable forever on the immutable CTF, balanced YES+NO holders can always mergePositions to exit early without oracle resolution, all exit functions are directly callable without the Polymarket frontend, and the CTF itself has no admin / pause / upgrade surface to gate exits." 
+ },
+ "verdict": "Choosing orange because the rubric's orange definition fits exactly: 'claims-of-finalized are exempt but new-request placement can be paused indefinitely by governance' — already-resolved redeemPositions on the immutable CTF is unstoppable, but UmaCtfAdapter.pause(questionID) is uncapped and held by a single onlyAdmin role, so users with one-sided positions in a pending market depend on the admin to allow resolution; the green steel-man understates this lock-in for unbalanced holders in paused markets."
+ },
+ "evidence": [
+ { "url": "https://defipunkd.com/address/137/0x4D97DCd97eC945f40cF65F87097ACe5EA0476045", "shows": "ConditionalTokens ABI confirms redeemPositions, splitPosition, mergePositions, safeTransferFrom, safeBatchTransferFrom are public state-mutating functions with no pause / role / admin guard, and no admin/pause/upgrade functions exist on the contract", "chain": "Polygon", "address": "0x4D97DCd97eC945f40cF65F87097ACe5EA0476045", "fetched_at": "2026-05-18T00:00:00Z" },
+ { "url": "https://polygonscan.com/address/0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74", "shows": "UmaCtfAdapter verified source: pause(bytes32 questionID) external onlyAdmin sets questionData.paused = true with no time-bound; emergencyResolve requires block.timestamp >= emergencyResolutionTimestamp (= flag timestamp + 2 days)", "chain": "Polygon", "address": "0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74", "fetched_at": "2026-05-18T00:00:00Z" },
+ { "url": "https://github.com/Polymarket/polymarket-cli", "shows": "Polymarket-published CLI documents direct CTF operations (split/merge/redeem) callable without the Polymarket frontend, confirming exit functions are usable independently of the official UI", "fetched_at": "2026-05-18T00:00:00Z" }
+ ],
+ "unknowns": [
+ "E3: Live admin holder of the UmaCtfAdapter pause role not enumerated on-chain this run (defipunkd /api/contract/read returned 400 due to upstream RPC tenant being disabled); whether the pause role is held by 
a single multisig or multiple addresses is unverified.",
+ "E5: No public documentation was fetched establishing an upper bound on how long a market may remain paused before Polymarket's internal policy requires unpausing or emergencyResolve — assumed indefinite per the on-chain ABI, but absence of an off-chain SLA is noted."
+ ],
+ "protocol_metadata": {
+ "upgradeability": "mixed"
+ }
+ },
+ {
+ "schema_version": 4,
+ "slug": "polymarket-international",
+ "slice": "autonomy",
+ "snapshot_generated_at": "2026-05-11T09:35:21.490Z",
+ "prompt_version": 29,
+ "analysis_date": "2026-05-18",
+ "model": "claude-opus-4-7",
+ "grading_basis": "mixed",
+ "chat_url": "https://claude.ai/share/2c54f53c-4622-4a79-98b6-08eadd73ecb0",
+ "grade": "orange",
+ "headline": "Resolution hinges on UMA Optimistic Oracle (with 2hr-liveness dispute + admin emergencyResolve fallback); V2 collateral depends on Polygon PoS bridge (USDC.e) — single-dependency failure bounded to specific markets",
+ "short_headline": "UMA oracle + USDC.e bridge dependencies",
+ "rationale": {
+ "findings": [
+ { "code": "A1", "text": "External contracts the core stack calls or reads: (i) UMA Optimistic Oracle V2 — resolved at construction via finder.getImplementationAddress('OptimisticOracleV2') and stored as immutable on the UmaCtfAdapter; (ii) UMA Address Whitelist — read via the same finder for collateral validation; (iii) ConditionalTokens — the immutable settlement layer the adapter reports payouts to. CTFExchange V2 calls the pUSD CollateralToken (0xC011...2DFB) and the CtfCollateralAdapter (0xAdA1...Ce1f). pUSD itself wraps the real underlying collateral tokens (USDC and USDC.e per its constructor signature usdc / usdce / vault). No Chainlink, Pyth, or RedStone price feeds are referenced in any of the inspected ABIs — pricing is order-book driven, not oracle-priced." 
},
+ { "code": "A2", "text": "Off-chain actors that report into the protocol: the UMA Optimistic Oracle proposer/disputer set (permissionless — anyone can propose or dispute by posting the proposalBond) and the UMA DVM token-holder dispute resolution committee (escalated to on dispute). Mis-reporting by UMA can write incorrect payouts to the CTF, directly redirecting user principal in affected markets. Polymarket's own operator (matching engine) is NOT in this category — it cannot mint or redeem on its own; it can only settle matched orders. Validators / node-operators are not in scope (Polygon PoS substrate, not a Polymarket dependency)." },
+ { "code": "A3", "text": "Bridge / cross-chain messaging: V1 markets used USDC.e (USD Coin (PoS) at 0x2791bca1f2de4661ed88a30c99a7a9449aa84174 — the canonical Polygon PoS-bridged USDC). V2 replaces this with pUSD, which wraps BOTH native USDC and USDC.e per the pUSD constructor (usdc, usdce, vault) — so V2 is partially exposed to the Polygon PoS bridge in proportion to how much of pUSD's backing is USDC.e vs native USDC. The Polygon PoS bridge is canonical (Polygon's plasma/PoS bridge run by the Polygon validator set), not a third-party guardian-multisig bridge. No other chain deployment is in the address_book; this is a single-chain protocol." },
+ { "code": "A4", "text": "Nested collateral / restaking: none. CTF outcome tokens are direct ERC-1155 receipts against collateral; no further wrapping into LRT / receipt-of-receipt designs. pUSD wraps USDC/USDC.e 1:1, so V2 introduces one layer of wrapping on top of the underlying stables but no restaking chain. Slashing power: none — there are no slashable operator bonds in the Polymarket stack itself; bonds live on UMA's side (proposal bond) and on UMA validators." 
},
+ { "code": "A5", "text": "Fork lineage: ConditionalTokens (0x4D97...6045) is a direct deployment of Gnosis's open-source conditional-tokens-contracts repository (linked in github.com/Polymarket/contract-security as gnosis/conditional-tokens-contracts). Not silently relevant beyond that — recorded for completeness." },
+ { "code": "A6", "text": "Fallback mechanisms (all LIVE on-chain as of the inspected ABIs, status (i)): (a) UMA dispute mechanism — any address can dispute a proposed price by posting the proposalBond during the ~2hr liveness window, automatically resetting the market once and escalating to UMA DVM voters if a second dispute occurs; (b) ignorePrice sentinel — if UMA returns type(int256).min, the adapter resets the question rather than writing payouts; (c) onchain payout sanity check — _constructPayouts reverts on any resolved price other than 0, 0.5e18, or 1e18 (InvalidOOPrice), so a malformed UMA response cannot translate to a fractional or out-of-range payout; (d) admin emergencyResolve with 2-day safety period — provides a manual override path when UMA fails or returns ignorePrice indefinitely. (d) is also the centralization vector described in CONTROL." },
+ { "code": "A7", "text": "Out of scope under the rubric's A7 carve-out: Polymarket is deployed permissionlessly on Polygon PoS, which is a third-party L2/sidechain whose sequencer is not part of Polymarket's stack. Polymarket is not its own appchain." },
+ { "code": "A8", "text": "Keeper / relayer liveness: the operator who calls matchOrders on the CTFExchange (Polymarket's own off-chain matching service) is not a per-position keeper — no positions go stale or become insolvent in its absence; in the worst case trading halts while users retain full CTF rights (split/merge/redeem) directly. UMA proposers are permissionless and economically incentivized by the reward; if no proposer shows up, the market simply does not resolve, and admin emergencyResolve becomes the unblock path. 
There is no liquidation-bot dependency because there is no leverage or under-collateralized debt in the protocol." },
+ { "code": "A9", "text": "Governance-mutable EXTERNAL dependency surface: (i) UmaCtfAdapter.optimisticOracle and ctf are both 'immutable' Solidity variables set in the constructor — they CANNOT be swapped without redeploying the adapter, so admin cannot silently rewire to a malicious oracle. (ii) pUSD owner can addWrapper(address) and addMinter(address) to grant new external contracts the right to mint pUSD; per the pUSD ABI this is callable by owner() in a single tx with no timelock — so a new external dependency CAN be silently introduced into the V2 collateral surface (a malicious wrapper could be added that mints pUSD against fake collateral). Note: 'admin can upgrade the pUSD implementation' is a CONTROL-slice finding (admin can rug) and is intentionally not double-counted here per the A9 scope limit." }
+ ],
+ "steelman": {
+ "red": "If UMA's Optimistic Oracle settled a wrong price without dispute, the UmaCtfAdapter would write that wrong payout straight to the CTF and the affected market's collateral would be redirected — user principal in that market is then lost — and the pUSD owner can additionally addWrapper to a malicious external minter without timelock, potentially diluting the collateral backing of every V2 market.",
+ "orange": "Failures of the UMA oracle or the USDC.e PoS bridge can cause material principal loss in affected markets, but multiple live fallbacks (dispute mechanism, ignorePrice reset, on-chain payout sanity check forcing price ∈ {0, 0.5, 1}, 2-day admin emergencyResolve) bound the per-failure impact to specific markets rather than the whole protocol.",
+ "green": "The truly fund-holding contract (ConditionalTokens) is immutable, has no external dependency in its own code, and its only inputs are the oracle addresses that REPORT into specific conditions — so a failure of any single external dependency only affects the 
subset of markets that reference it, and already-resolved redemptions are mathematically untouchable."
+ },
+ "verdict": "Choosing orange because A1 + A2 + A3 establish that UMA misbehavior or a Polygon PoS bridge failure on USDC.e CAN cause loss of user principal in affected markets — the autonomy-red criterion — but the live A6 fallbacks (permissionless dispute, ignorePrice reset, on-chain {0,0.5,1} sanity check, 2-day emergencyResolve) keep the impacted TVS bounded to specific markets rather than the entire protocol, which is the orange/Stage-1 definition; impacted TVS for a single bad UMA resolution is on the order of the affected market's collateral (typically <1% of total protocol TVS for a single market, ~unclear for the whole V1→V2 USDC.e exposure)."
+ },
+ "evidence": [
+ { "url": "https://polygonscan.com/address/0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74", "shows": "UmaCtfAdapter verified source: optimisticOracle and ctf declared as 'immutable' set in constructor via finder.getImplementationAddress; _constructPayouts reverts with InvalidOOPrice unless price ∈ {0, 0.5e18, 1e18}; priceDisputed callback resets the question; _ignorePrice = type(int256).min triggers reset rather than payout", "chain": "Polygon", "address": "0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74", "fetched_at": "2026-05-18T00:00:00Z" },
+ { "url": "https://defipunkd.com/address/137/0xC011a7E12a19f7B1f670d46F03B03f3342E82DFB", "shows": "pUSD CollateralToken constructor parameters (usdc, usdce, vault) confirm V2 collateral wraps native USDC and USDC.e (Polygon PoS-bridged USDC); addMinter / addWrapper / removeMinter / removeWrapper are admin-callable without timelock", "chain": "Polygon", "address": "0xC011a7E12a19f7B1f670d46F03B03f3342E82DFB", "fetched_at": "2026-05-18T00:00:00Z" },
+ { "url": "https://github.com/Polymarket/uma-ctf-adapter", "shows": "UMA-CTF Adapter design documentation describing UMA Optimistic Oracle as the resolution mechanism with ~2hr liveness, auto-reset on dispute, 
and OpenZeppelin audit — corroborates the on-chain fallback structure", "fetched_at": "2026-05-18T00:00:00Z" },
+ { "url": "https://github.com/Polymarket/contract-security", "shows": "Lists ConditionalTokens at 0x4D97...6045 as deployed from gnosis/conditional-tokens-contracts (fork lineage)", "fetched_at": "2026-05-18T00:00:00Z" }
+ ],
+ "unknowns": [
+ "A1: pUSD's current vault() and current USDC / USDC.e references not re-read on-chain this run (RPC tenant disabled on the surfacer) — derived from constructor parameters only.",
+ "A3: Exact split of pUSD backing between native USDC and USDC.e at analysis_date not measured; the impacted-TVS estimate for a hypothetical USDC.e bridge failure is therefore presented as 'unclear at module level' rather than a precise percentage.",
+ "A6-offchain: Whether Polymarket has internally exercised emergencyResolve and how often is not documented in the on-chain evidence inspected this run; off-chain corroboration of fallback exercise rate not fetched."
+ ],
+ "protocol_metadata": {
+ "upgradeability": "mixed"
+ }
+ },
+ {
+ "schema_version": 4,
+ "slug": "polymarket-international",
+ "slice": "open-access",
+ "snapshot_generated_at": "2026-05-11T09:35:21.490Z",
+ "prompt_version": 29,
+ "analysis_date": "2026-05-18",
+ "model": "claude-opus-4-7",
+ "chat_url": "https://claude.ai/share/2c54f53c-4622-4a79-98b6-08eadd73ecb0",
+ "grade": "green",
+ "headline": "Contracts admit users unconditionally; CTF deposit/exit and order signing are permissionless; multiple independent access paths exist; frontend ToS §2.1.4 and /api/geoblock are publisher policies on the official UI only",
+ "short_headline": "Permissionless contracts; SDK + CLI paths exist",
+ "rationale": {
+ "findings": [
+ { "code": "A1", "text": "No on-chain whitelist / KYC modifier on user-facing entry/exit. 
ConditionalTokens (0x4D97...6045) has no onlyWhitelisted / onlyRole / isAccredited / isKYCed guards on splitPosition, mergePositions, redeemPositions, safeTransferFrom, or safeBatchTransferFrom (entire ABI inspected). CTFExchange V2 (0xE111...996B) likewise gates only operator/admin-side functions; user-side order signing is permissionless — orders are signed off-chain and only land on-chain via the operator. isUserPaused exists but is a per-user emergency tool with userPauseBlockInterval, not an allowlist." },
+ { "code": "A2", "text": "Off-chain operators in the admission path: CTFExchange V2 matchOrders is gated by NotOperator / isOperator — the Polymarket-run operator is the sole settler of matched orders. Per the rubric: order PLACEMENT is unconditional (any address can sign and broadcast an Order tuple), only downstream settlement requires the operator. By the rubric's explicit guidance, this is an admission-permissionless function with a liveness dependency, and the liveness weight defers to the dependencies/autonomy slice (see AUTONOMY A8). Direct CTF user actions (splitPosition / mergePositions / redeemPositions / transfers) require no operator at all." },
+ { "code": "A3", "text": "Frontend restrictions on polymarket.com (recorded as context, not grade driver): A3-active enforcement is present — there is a documented runtime geoblock endpoint at /api/geoblock returning {blocked, ip, country, region}, and the Polymarket help center lists ~33 fully or partially restricted jurisdictions (US, France, Belgium, Singapore, Portugal, Hungary, Switzerland, Poland, Ontario, Italy, Germany, etc.). 
A3-passive ToS clauses are also present — the Polymarket help-center page on Geographic Restrictions states the protocol's ToS Section 2.1.4 prohibits use of VPNs or similar tools to bypass geographic restrictions; the verbatim text could not be extracted from polymarket.com/tos because the page is client-side rendered and returned only the header / footer chrome on direct HTTP fetch (see unknowns)." },
+ { "code": "A3b", "text": "Independent access paths NOT requiring the official polymarket.com frontend: (i) github.com/Polymarket/polymarket-cli — a Polymarket-published CLI that handles direct CTF operations and CLOB orders without the frontend ('polymarket ctf redeem', 'polymarket ctf merge', 'polymarket clob create-order'); (ii) github.com/Polymarket/clob-client-v2 and py-clob-client-v2 — TypeScript and Python SDKs for direct CLOB API access; (iii) github.com/Polymarket/magic-proxy-builder-example — third-party-style Next.js app demonstrating non-frontend access to a user's Polymarket proxy wallet; (iv) any Polygon wallet or block explorer can call redeemPositions / mergePositions on the immutable CTF directly. The contracts can be reached without the publisher's cooperation." },
+ { "code": "A4", "text": "No contract-level OFAC / sanctions screening was visible on any inspected ABI (ConditionalTokens, CTFExchange V2, UmaCtfAdapter, pUSD CollateralToken) — no isOnSanctionsList / oracleScreening / blocklist mapping. Compliance enforcement is frontend-only per A3." },
+ { "code": "A5", "text": "Read access is fully public (Polygon RPC + verified contract source via Polygonscan / defipunkd). Write access to user-side CTF functions is unrestricted; write access to admin functions is role-gated; the CLOB matching write is operator-gated — see A2." },
+ { "code": "A6", "text": "ToS / Legal: Polymarket help-center confirms ToS Section 2.1.4 prohibits VPN use, and the polymarket.com footer states 'Polymarket operates globally through separate legal entities. 
Polymarket US is operated by QCX LLC d/b/a Polymarket US, a CFTC-regulated Designated Contract Market. This international platform is not regulated by the CFTC and operates independently.' Verbatim Section 2.1.4 text was not extractable from the SPA-rendered ToS page in this run; the existence of the clause is corroborated by the official help-center article (help.polymarket.com/en/articles/13364163-geographic-restrictions) which states verbatim: 'Polymarket strictly prohibits the use of VPNs or similar tools to bypass geographic restrictions. Such actions are considered violations of the platform's Terms of Service (Section 2.1.4).'" }
+ ],
+ "steelman": {
+ "red": "Polymarket actively geoblocks ~33 countries via /api/geoblock, prohibits VPN circumvention in ToS §2.1.4, and trading depends on Polymarket's centrally-run matching operator — a user the operator refuses to match cannot trade through the orderbook.",
+ "orange": "Although the contracts are technically permissionless, the actively-used CLOB trading flow requires Polymarket's off-chain matching service to actually fill orders, so for the practical 'trade' user action the protocol is operationally captured by the publisher even if the contracts are open.",
+ "green": "User entry (splitPosition), exit (redeemPositions, mergePositions), and order-signing are all unconditional on-chain actions on contracts with no on-chain blocklist; Polymarket itself publishes a CLI and TypeScript/Python SDKs that interact directly with the contracts and CLOB API without the official frontend, satisfying the rubric's A3b independent-path test, so per the default-grade guidance the grade is green regardless of frontend ToS / geoblock policy on the official UI." 
+ }, + "verdict": "Choosing green because the rubric explicitly states: 'when contracts are fully permissionless AND any A3b independent path exists, the default grade is green regardless of frontend ToS or A3-active enforcement on the official UI' — A1, A4, A5 establish the contracts admit users unconditionally; A3b shows multiple independent paths (Polymarket-published CLI, CLOB SDKs, direct CTF calls via any wallet); the operator-gated matching is a liveness concern that the rubric explicitly defers to dependencies; and the orange steel-man relies on operator capture for one specific user action (orderbook trading) while ignoring that mint/exit/transfer are operator-free." + }, + "evidence": [ + { "url": "https://defipunkd.com/address/137/0x4D97DCd97eC945f40cF65F87097ACe5EA0476045", "shows": "ConditionalTokens ABI has no whitelist / sanctions / role modifiers on user-facing splitPosition, mergePositions, redeemPositions, or transfer functions", "chain": "Polygon", "address": "0x4D97DCd97eC945f40cF65F87097ACe5EA0476045", "fetched_at": "2026-05-18T00:00:00Z" }, + { "url": "https://defipunkd.com/address/137/0xE111180000d2663C0091e4f400237545B87B996B", "shows": "CTFExchange V2 ABI confirms matchOrders is operator-gated (NotOperator error) but user-side order signing produces signed Order structs off-chain — no on-chain admission check on order origination", "chain": "Polygon", "address": "0xE111180000d2663C0091e4f400237545B87B996B", "fetched_at": "2026-05-18T00:00:00Z" }, + { "url": "https://github.com/Polymarket/polymarket-cli", "shows": "Polymarket-published CLI documents direct CTF (split/merge/redeem) and CLOB operations callable without the polymarket.com frontend — a concrete A3b independent path", "fetched_at": "2026-05-18T00:00:00Z" }, + { "url": "https://github.com/Polymarket/magic-proxy-builder-example", "shows": "Non-frontend integration example showing third parties can interact with Polymarket proxy wallets and the CLOB programmatically — additional A3b 
path", "fetched_at": "2026-05-18T00:00:00Z" } + ], + "unknowns": [ + "A6: Verbatim text of Polymarket ToS Section 2.1.4 could not be extracted from polymarket.com/tos this run — the page is client-side rendered and returned only nav / footer chrome on direct HTTP fetch; existence and substance of the clause is corroborated by the official help-center article quoted above (help.polymarket.com), but the raw ToS text itself is in unknowns.", + "A3: The full current list of geoblocked jurisdictions was not enumerated directly from polymarket.com/api/geoblock in this run (no specific IP queried); third-party sources and the help-center page were used for the ~33-country figure, which is corroborative rather than directly fetched from Polymarket's own list endpoint." + ], + "protocol_metadata": { + "docs_url": "https://docs.polymarket.com", + "upgradeability": "mixed" + } + }, + { + "schema_version": 4, + "slug": "polymarket-international", + "slice": "verifiability", + "snapshot_generated_at": "2026-05-11T09:35:21.490Z", + "prompt_version": 29, + "analysis_date": "2026-05-18", + "model": "claude-opus-4-7", + "chat_url": "https://claude.ai/share/2c54f53c-4622-4a79-98b6-08eadd73ecb0", + "grade": "orange", + "headline": "All inspected contracts verified on Polygonscan with public source repos and ChainSecurity / OpenZeppelin audits on V1 architecture; V2 CTFExchange + pUSD (April 2026) audits not yet in the Polymarket-published audit registry", + "short_headline": "V1 fully audited; V2 audit not yet documented", + "rationale": { + "findings": [ + { "code": "V1", "text": "Verification status of inspected contracts: CTFExchange V2 (0xE111...996B) — verified on Polygonscan ('ABI source: etherscan' per defipunkd, contract name 'CTFExchange'); ConditionalTokens (0x4D97...6045) — verified ('ABI source: etherscan', name 'ConditionalTokens'); UmaCtfAdapter (0x6A9D...4F74) — verified ('Contract Source Code Verified (Exact Match)' on the Polygonscan source page, compiler 0.8.15, 
name 'UmaCtfAdapter'); pUSD CollateralToken proxy (0xC011...2DFB) — verified ('ABI source: etherscan', name 'CollateralToken'). The proxy/implementation pair for pUSD (proxy 0xC011...2DFB, implementation 0x6bBCef...0925f per the address_book) is identified by the ABI exposing upgradeToAndCall / proxiableUUID; the implementation itself was not directly opened in Polygonscan this run." }, + { "code": "V2", "text": "Public source repos exist for the core stack: github.com/Polymarket/ctf-exchange (V1), github.com/Polymarket/ctf-exchange-v2 (V2, source visible), github.com/Polymarket/uma-ctf-adapter (UMA adapter source visible including the verified UmaCtfAdapter.sol with the 2-day emergencySafetyPeriod constant), github.com/Polymarket/neg-risk-ctf-adapter (Neg-Risk modules), and github.com/Polymarket/contract-security (registry of audits and deployment addresses). The Polygonscan-visible source of UmaCtfAdapter corresponds in structure (file naming, imports of Auth, BulletinBoard, libraries/TransferHelper, etc.) to the file uma-ctf-adapter/src/UmaCtfAdapter.sol in the public repo. Bytecode-equivalence diffing and explicit commit SHA pinning were not performed this run." }, + { "code": "V3", "text": "Audit coverage per the Polymarket-published contract-security registry: ProxyFactory (0xaB45...4052) — ChainSecurity; Safe Factory (0xaacF...3541b) — ChainSecurity; ConditionalTokens (0x4D97...6045) — ChainSecurity; CTFExchange V1 (0x4bFb...982e) — ChainSecurity; NegRisk Adapter / Operator / Wrapped Collateral / CtfExchange / FeeModule / UmaCtfAdapter (the v2 multi-outcome modules) — ChainSecurity + OpenZeppelin; UmaCtfAdapter (0x6A9D...4F74) — ChainSecurity (the linked file in the registry is 'oz_uma_ctf_adapter.pdf' but the registry row labels it ChainSecurity; the UMA adapter repo separately links an OpenZeppelin audit at uma-ctf-adapter/audit/Polymarket_UMA_Optimistic_Oracle_Adapter_Audit.pdf). 
Audit dates are not enumerated in the registry rows; the linked audit PDFs were not opened this run." }, + { "code": "V4", "text": "Both audit firms identified — ChainSecurity and OpenZeppelin — are on the rubric's list of recognized Solidity audit firms, so the v1 / NegRisk audit coverage meets the recognized-firm bar. No unknown audit firm needs to be considered for the V1 architecture." }, + { "code": "V5", "text": "Post-audit drift: the V1 CTFExchange (0x4bFb...982e) is the audited deployment in the contract-security registry, but the address_book in this assessment pins the NEWER CTFExchange V2 at 0xE111...996B as the current production exchange. The ctf-exchange-v2 README (April 2026) mentions security disclosures via the 'Cantina bug bounty program' but does NOT link a published V2 audit report in the contract-security registry as of this run. pUSD CollateralToken (0xC011...2DFB) — a NEW April 2026 UUPS-upgradeable contract that holds V2 trading collateral — is likewise not in the contract-security registry. Both are fund-custody/settlement-critical surfaces by the V5 rubric. Whether a recognized-firm audit covers the deployed V2 bytecode could not be confirmed this run." }, + { "code": "V6", "text": "Proxy/implementation: only pUSD CollateralToken (0xC011...2DFB) is a proxy among the inspected addresses. The defipunkd ABI surface for the proxy includes upgradeToAndCall and proxiableUUID (UUPS), and the pinned address_book lists 0x6bBCef...0925f as the current implementation. The implementation contract was NOT independently opened on Polygonscan this run, so 'implementation verified separately' is not affirmatively established — recorded in unknowns." 
} + ], + "steelman": { + "red": "Neither the V2 CTFExchange (0xE111...996B) nor the V2 pUSD CollateralToken (0xC011...2DFB, plus its implementation 0x6bBCef...0925f) appears in the Polymarket-published audit registry, and these contracts hold the active trading and collateral surfaces — so the deployed bytecode that today processes the majority of trading volume has no documented recognized-firm audit.", + "orange": "The full V1 architecture (CTFExchange V1, ConditionalTokens, NegRisk modules, UmaCtfAdapter, Proxy Factory, Safe Factory) is verified on Polygonscan and audited by ChainSecurity and/or OpenZeppelin with public reports linked from the Polymarket-owned contract-security repo, but the V2 CTFExchange and pUSD deployments — both April 2026 and on the fund-custody / collateral path — are verified on Polygonscan but their audit status is not yet documented in the public registry.", + "green": "All contracts inspected this run are source-verified on Polygonscan with public matching repos; recognized-firm audits (ChainSecurity, OpenZeppelin) cover the V1 architecture and the multi-outcome NegRisk modules; the V2 contracts are likely audited by a recognized firm via the Cantina program but documentation has not yet caught up." + }, + "verdict": "Choosing orange per V5: drift between the audit-registry-listed CTFExchange V1 (0x4bFb...982e) and the address_book's V2 (0xE111...996B), plus the newly-deployed UUPS-upgradeable pUSD CollateralToken on the collateral path — both are fund-custody / settlement-critical contracts whose audit reports are not present in the Polymarket-published contract-security registry as of this run — meets the rubric's orange criterion 'audit scope is stale relative to deployment' for the current production surface; the green steel-man assumes a not-yet-documented V2 audit exists, which is not affirmatively established by fetched evidence." 
+ }, + "evidence": [ + { "url": "https://defipunkd.com/address/137/0xE111180000d2663C0091e4f400237545B87B996B", "shows": "CTFExchange V2 verified on Polygonscan ('ABI source: etherscan'); confirms contract name 'CTFExchange' and exposes the full ABI including admin/operator surface", "chain": "Polygon", "address": "0xE111180000d2663C0091e4f400237545B87B996B", "fetched_at": "2026-05-18T00:00:00Z" }, + { "url": "https://defipunkd.com/address/137/0x4D97DCd97eC945f40cF65F87097ACe5EA0476045", "shows": "ConditionalTokens verified on Polygonscan ('ABI source: etherscan')", "chain": "Polygon", "address": "0x4D97DCd97eC945f40cF65F87097ACe5EA0476045", "fetched_at": "2026-05-18T00:00:00Z" }, + { "url": "https://polygonscan.com/address/0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74", "shows": "UmaCtfAdapter labeled 'Contract Source Code Verified (Exact Match)' on Polygonscan with full Solidity source visible, compiler 0.8.15, name UmaCtfAdapter — confirms V1 implementation is verified and matches the file at github.com/Polymarket/uma-ctf-adapter/src/UmaCtfAdapter.sol", "chain": "Polygon", "address": "0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74", "fetched_at": "2026-05-18T00:00:00Z" }, + { "url": "https://defipunkd.com/address/137/0xC011a7E12a19f7B1f670d46F03B03f3342E82DFB", "shows": "pUSD CollateralToken proxy verified on Polygonscan ('ABI source: etherscan', name CollateralToken), exposing UUPS upgradeToAndCall and proxiableUUID — confirms it is a proxy", "chain": "Polygon", "address": "0xC011a7E12a19f7B1f670d46F03B03f3342E82DFB", "fetched_at": "2026-05-18T00:00:00Z" }, + { "url": "https://github.com/Polymarket/contract-security", "shows": "Polymarket-published audit registry enumerating ChainSecurity audits of ProxyFactory / SafeFactory / ConditionalTokens / CTFExchange V1 and ChainSecurity+OpenZeppelin audits of the NegRisk modules and UmaCtfAdapter; CTFExchange V2 (0xE111...996B) and pUSD CollateralToken (0xC011...2DFB) are NOT listed in this registry", "fetched_at": 
"2026-05-18T00:00:00Z" }, + { "url": "https://github.com/Polymarket/ctf-exchange-v2", "shows": "Polymarket-published V2 source repo describing the operator-driven order matching, signature schemes (including EIP-1271), PMCT/pUSD wrapped collateral layer, and stating security disclosures go through the Cantina bug bounty program — no linked V2 audit PDF in the repo as fetched", "fetched_at": "2026-05-18T00:00:00Z" }, + { "url": "https://github.com/Polymarket/uma-ctf-adapter", "shows": "UMA adapter repo confirms an OpenZeppelin audit (linked PDF at audit/Polymarket_UMA_Optimistic_Oracle_Adapter_Audit.pdf) — corroborates V3 finding that the adapter has a recognized-firm audit", "fetched_at": "2026-05-18T00:00:00Z" } + ], + "unknowns": [ + "V2: Deployment-commit SHAs for the verified contracts (CTFExchange V2, pUSD, UmaCtfAdapter) were not pinned this run; no bytecode-equivalence diff against the public repos was performed — recorded as a scope limit per the V2 rubric note rather than a downgrade signal.", + "V3: Audit dates and specific commit-in-scope per audit could not be enumerated this run — the contract-security registry README lists firms and audit PDFs but the PDFs themselves were not opened.", + "V5: Whether a recognized-firm audit covers the deployed bytecode of CTFExchange V2 (0xE111...996B) and pUSD CollateralToken (0xC011...2DFB) — both April 2026 — could not be confirmed; only a Cantina bug-bounty mention is documented publicly.", + "V6: pUSD implementation at 0x6bBCef9f7ef3B6C592c99e0f206a0DE94Ad0925f was not independently verified-status-checked on Polygonscan this run; whether the implementation is independently verified (vs. only the proxy) is in unknowns." 
+ ], + "protocol_metadata": { + "github": [ + "https://github.com/Polymarket/ctf-exchange", + "https://github.com/Polymarket/ctf-exchange-v2", + "https://github.com/Polymarket/uma-ctf-adapter", + "https://github.com/Polymarket/neg-risk-ctf-adapter", + "https://github.com/Polymarket/contract-security" + ], + "docs_url": "https://docs.polymarket.com", + "audits": [ + { "firm": "ChainSecurity", "url": "https://github.com/Polymarket/contract-security/blob/main/audit-reports/cs_ctf_exchange.pdf", "date": "2022" }, + { "firm": "ChainSecurity", "url": "https://github.com/Polymarket/contract-security/blob/main/audit-reports/cs_conditional_tokens.pdf", "date": "2022" }, + { "firm": "ChainSecurity", "url": "https://github.com/Polymarket/contract-security/blob/main/audit-reports/cs_proxy_wallet_factories.pdf", "date": "2022" }, + { "firm": "ChainSecurity", "url": "https://github.com/Polymarket/contract-security/blob/main/audit-reports/cs_neg_risk_adapter.pdf", "date": "2024" }, + { "firm": "OpenZeppelin", "url": "https://github.com/Polymarket/contract-security/blob/main/audit-reports/oz_neg_risk_adapter.pdf", "date": "2024" }, + { "firm": "OpenZeppelin", "url": "https://github.com/Polymarket/uma-ctf-adapter/blob/main/audit/Polymarket_UMA_Optimistic_Oracle_Adapter_Audit.pdf", "date": "2023" } + ], + "governance_forum": null, + "voting_token": null, + "bug_bounty_url": null, + "security_contact": null, + "deployed_contracts_doc": "https://github.com/Polymarket/contract-security", + "admin_addresses": [], + "upgradeability": "mixed", + "about": "Polymarket International is a prediction-market protocol on Polygon. Users mint binary YES/NO outcome shares (ERC-1155 conditional tokens) by depositing collateral, trade those shares through a hybrid central limit order book whose orders are signed off-chain and settled on-chain by a Polymarket operator, and redeem winning shares for collateral after a market resolves. 
Resolution is performed by an UMA Optimistic Oracle adapter (with on-chain dispute, sanity checks, and a 2-day admin emergency override). Version 2 (April 2026) introduces pUSD, a UUPS-upgradeable wrapper around USDC and USDC.e used as the new exchange collateral." + } + } +] diff --git a/data/submissions/polymarket-international/all/gpt-2026-05-20.json b/data/submissions/polymarket-international/all/gpt-2026-05-20.json new file mode 100644 index 0000000000..a5292b0c41 --- /dev/null +++ b/data/submissions/polymarket-international/all/gpt-2026-05-20.json 
@@ -0,0 +1,762 @@ +[ + { + "schema_version": 4, + "slug": "polymarket-international", + "slice": "control", + "snapshot_generated_at": "2026-05-11T09:35:21.490Z", + "prompt_version": 29, + "analysis_date": "2026-05-18", + "model": "gpt-5.5-thinking", + "chat_url": "https://chatgpt.com/share/6a0e1920-7e3c-8327-9485-9a7e4972292b", + "grading_basis": "mixed", + "grade": "unknown", + "headline": "Admin and upgrade authority could not be resolved from live state reads; ABI inspection shows potentially T1/T2 privileged surfaces.", + "short_headline": "Control unresolved", + "rationale": { + "findings": [ + { + "code": "C1", + "text": "The official contracts page identifies the main Polygon contracts assessed: CTF Exchange, Neg Risk CTF Exchange, Neg Risk Adapter, Conditional Tokens, pUSD proxy/implementation, Onramp/Offramp, collateral adapters, UMA Adapter, and UMA Optimistic Oracle." + }, + { + "code": "C1", + "text": "DefiPunkd surfacers exposed role-oriented views such as isAdmin/isOperator, owner, rolesOf, paused, and admins, but zero-arg state reads failed with Polygon RPC 401 or safe-open/read errors, so the current privileged actors were not determined." + }, + { + "code": "C2", + "text": "pUSD/CollateralToken has a proxy address and implementation address in the official docs; the implementation ABI includes UUPS-style upgradeToAndCall/proxiableUUID and owner/role functions, while Polygonscan identifies the proxy as a minimal proxy to the implementation." + }, + { + "code": "C3", + "text": "No Governor, timelock, queued execution path, or delay constant was verified for the core trading, collateral, or UMA-resolution contracts." + }, + { + "code": "C4", + "text": "No reachable multisig was verified as owner/admin of the inspected contracts. The pinned Gnosis Safe Factory is a wallet factory, not evidence of a controlling Safe." 
+ }, + { + "code": "C5", + "text": "No on-chain governance contract, voting token, quorum, voting period, or proposal threshold was found in the inspected contract docs, surfacers, or repositories." + }, + { + "code": "C6", + "text": "Emergency-like surfaces are present in the ABI: CTF exchanges expose pauseTrading and pauseUser, CollateralOnramp/Offramp expose pause/unpause per asset, and UmaCtfAdapter exposes pause, flag, reset, and emergencyResolve per question." + }, + { + "code": "C7", + "text": "Potential highest-tier surfaces include pUSD upgradeToAndCall/mint/addMinter/addWrapper, exchange pauseTrading/setFeeReceiver/setMaxFeeRate, on/offramp pause/unpause, and UMA emergencyResolve, but the controlling actor and delay for each path are unresolved." + } + ], + "steelman": null, + "verdict": "Current owner/admin/governor, multisig owners, timelock delays, and emergency-role holders could not be read in this run, so the assessment cannot distinguish an orange/red unilateral T1/T2 path from a delayed or broader-control path." + }, + "evidence": [ + { + "url": "https://docs.polymarket.com/resources/contracts", + "shows": "Official documentation says all Polymarket contracts are on Polygon chainId 137; lists the pinned core, collateral, wallet-factory, UMA adapter, and UMA Optimistic Oracle addresses; lists Quantstamp and Cantina March 2026 audits and the Cantina bug bounty." + }, + { + "url": "https://github.com/Polymarket/ctf-exchange-v2", + "shows": "Public CTF Exchange V2 repository; README describes CTF Exchange V2 as the core trading system, deployed Polygon addresses, operator-driven order matching, collateral onramp/offramp, audits, and the Cantina bug bounty." 
+ }, + { + "url": "https://github.com/Polymarket/uma-ctf-adapter", + "shows": "Public UMA CTF Adapter repository; README says the adapter resolves Polymarket prediction markets through UMA Optimistic Oracle, prepares conditions, sends OO requests, uses proposer/dispute/DVM flow, and allows anyone to call resolve after data is available." + }, + { + "url": "https://github.com/Polymarket/neg-risk-ctf-adapter", + "shows": "Public negative-risk CTF adapter repository; README describes the negative-risk adapter, NegRiskOperator preparation flow, and use with the UMA CTF adapter." + }, + { + "url": "https://cantina.xyz/bounties/ff945ca2-2a6e-4b83-b1b6-7a0cd3b94bea", + "shows": "Cantina bounty page is live, names Polymarket, states maximum reward $5,000,000 and start date 12 Apr 2026, and lists smart-contract critical impacts including pUSD unauthorized mint/burn, UmaCtfAdapter/NegRiskUmaCtfAdapter wrongful payouts, UUPS CollateralToken upgrade exploitation, and CTF split/merge/redeem extraction." 
+ }, + { + "url": "https://defipunkd.com/address/137/0xE111180000d2663C0091e4f400237545B87B996B", + "shows": "CTF Exchange surfacer identifies chain polygon, contractName CTFExchange, ABI source etherscan, zero-arg read failure, and write/read surfaces including isAdmin, isOperator, pauseTrading, pauseUser, setFeeReceiver, setMaxFeeRate, addAdmin, and addOperator.", + "chain": "Polygon", + "address": "0xE111180000d2663C0091e4f400237545B87B996B" + }, + { + "url": "https://defipunkd.com/address/137/0xe2222d279d744050d28e00520010520000310F59", + "shows": "Neg Risk CTF Exchange surfacer identifies CTFExchange ABI and write surfaces including addAdmin, addOperator, matchOrders, pauseTrading, pauseUser, setFeeReceiver, setMaxFeeRate, setUserPauseBlockInterval, unpauseTrading, and unpauseUser.", + "chain": "Polygon", + "address": "0xe2222d279d744050d28e00520010520000310F59" + }, + { + "url": "https://defipunkd.com/address/137/0x6bBCef9f7ef3B6C592c99e0f206a0DE94Ad0925f", + "shows": "pUSD CollateralToken implementation surfacer identifies CollateralToken ABI and write surfaces including addMinter, addWrapper, mint, burn, removeMinter, removeWrapper, transferOwnership, unwrap, wrap, and upgradeToAndCall; zero-arg reads failed.", + "chain": "Polygon", + "address": "0x6bBCef9f7ef3B6C592c99e0f206a0DE94Ad0925f" + }, + { + "url": "https://defipunkd.com/address/137/0x93070a847efEf7F70739046A929D47a521F5B8ee", + "shows": "CollateralOnramp surfacer identifies owner/role/paused views and write surfaces addAdmin, grantRoles, pause, unpause, and wrap; zero-arg reads failed.", + "chain": "Polygon", + "address": "0x93070a847efEf7F70739046A929D47a521F5B8ee" + }, + { + "url": "https://defipunkd.com/address/137/0x2957922Eb93258b93368531d39fAcCA3B4dC5854", + "shows": "CollateralOfframp surfacer identifies owner/role/paused views and write surfaces addAdmin, grantRoles, pause, unpause, and unwrap; zero-arg reads failed.", + "chain": "Polygon", + "address": 
"0x2957922Eb93258b93368531d39fAcCA3B4dC5854" + }, + { + "url": "https://defipunkd.com/address/137/0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74", + "shows": "UmaCtfAdapter surfacer identifies admin views and privileged/question-control write surfaces addAdmin, removeAdmin, emergencyResolve, flag, pause, reset, resolve, and unpause; zero-arg reads failed.", + "chain": "Polygon", + "address": "0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74" + }, + { + "url": "https://polygonscan.com/address/0xC011a7E12a19f7B1f670d46F03B03f3342E82DFB", + "shows": "Polygonscan shows the pUSD proxy as a minimal proxy contract for implementation 0x6bBCef9f7ef3B6C592c99e0f206a0DE94Ad0925f.", + "chain": "Polygon", + "address": "0xC011a7E12a19f7B1f670d46F03B03f3342E82DFB" + } + ], + "unknowns": [ + "C1: current owner/admin/operator/governor/pendingOwner was not determined for CTF Exchange, Neg Risk CTF Exchange, pUSD proxy/implementation, CollateralOnramp, CollateralOfframp, UMA Adapter, or other pinned contracts because live state reads failed or could not be opened.", + "C2: proxy admin or authorized UUPS upgrader for the pUSD proxy was not determined; the exact upgrade authority on any proxy-like/similar-match exchange surface was not determined.", + "C3: execution path and uncontested fast-path delays from proposal or admin action to execution were not determined.", + "C4: no reachable multisig threshold, owner set, signer identity split, or version was determined.", + "C5: no on-chain governance proposal threshold, voting period, quorum, or timelock delay was determined.", + "C6: pause/emergency role holders and maximum pause/emergency duration caps were not determined.", + "C7: highest reachable power tier on the actual control path was not classified because the controlling actors and delays are unresolved." 
+ ], + "protocol_metadata": { + "github": [ + "https://github.com/Polymarket/ctf-exchange-v2", + "https://github.com/Polymarket/uma-ctf-adapter", + "https://github.com/Polymarket/neg-risk-ctf-adapter" + ], + "docs_url": "https://docs.polymarket.com/", + "audits": [ + { + "firm": "Quantstamp", + "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Quantstamp%20-%20March%202026.pdf", + "date": "2026-03" + }, + { + "firm": "Cantina", + "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Cantina%20-%20March%202026.pdf", + "date": "2026-03" + } + ], + "governance_forum": null, + "voting_token": null, + "bug_bounty_url": "https://cantina.xyz/bounties/ff945ca2-2a6e-4b83-b1b6-7a0cd3b94bea", + "security_contact": null, + "deployed_contracts_doc": "https://docs.polymarket.com/resources/contracts", + "admin_addresses": [], + "upgradeability": "mixed", + "about": "Polymarket International lets users trade binary and multiple-outcome prediction-market positions on Polygon. Outcomes are tokenized as Conditional Tokens backed by pUSD, and pUSD is an ERC-20 wrapper around USDC/USDC.e. CLOB V2 uses off-chain signed orders matched by an operator and settled on-chain through CTF Exchange contracts; market resolution flows through the UMA CTF adapter." 
+ } + }, + { + "schema_version": 4, + "slug": "polymarket-international", + "slice": "ability-to-exit", + "snapshot_generated_at": "2026-05-11T09:35:21.490Z", + "prompt_version": 29, + "analysis_date": "2026-05-18", + "model": "gpt-5.5-thinking", + "chat_url": "https://chatgpt.com/share/6a0e1920-7e3c-8327-9485-9a7e4972292b", + "grading_basis": "mixed", + "grade": "unknown", + "headline": "Direct redeem/merge/unwrap exits exist, but pause authority and cap for collateral exits could not be resolved.", + "short_headline": "Exit pause unresolved", + "rationale": { + "findings": [ + { + "code": "E1", + "text": "User-facing exit and conversion functions observed include ConditionalTokens redeemPositions, mergePositions, safeTransferFrom/safeBatchTransferFrom, CollateralOfframp.unwrap, CollateralToken.unwrap, and direct pUSD withdrawal paths described in the bridge docs." + }, + { + "code": "E2", + "text": "ConditionalTokens ABI lists redeemPositions and mergePositions as nonpayable write functions without an explicit role in the ABI; CollateralOfframp and CollateralOnramp expose paused(address), pause(address), unpause(address), role views, and OnlyUnpaused errors." + }, + { + "code": "E3", + "text": "The pUSD docs explicitly say wrap and unwrap revert with OnlyUnpaused if an admin paused the underlying asset, but the admin role holder and pause duration were not read." + }, + { + "code": "E4", + "text": "The inspected evidence shows asset-level pause/unpause on Onramp/Offramp and global/user pause on CTF exchanges, but does not distinguish emergency pause from governance pause or identify maximum caps." + }, + { + "code": "E5", + "text": "Bridge withdrawal docs say withdrawals are instant/free, that pUSD can be withdrawn directly without Uniswap liquidity, and that cross-chain or USDC withdrawals use off-chain bridge/swap flows; no on-chain redemption queue duration was verified." 
+ }, + { + "code": "E6", + "text": "A partial escape hatch exists for users willing to hold/withdraw pUSD directly, and ConditionalTokens has direct redeem/merge functions after resolution, but adversarial-admin behavior on Offramp pause remains unresolved." + }, + { + "code": "E7", + "text": "Direct on-chain ABI/write surfaces are visible for redeem/merge/unwrap/wrap, and docs provide direct contract-call examples for pUSD, but cross-chain withdrawal address creation remains an off-chain Bridge API flow." + } + ], + "steelman": null, + "verdict": "Exit functions are visible, but the key grading question is whether any actor can indefinitely pause finalized claims or pUSD unwraps. The relevant pause role holders and time caps were not determined, so the slice remains unknown." + }, + "evidence": [ + { + "url": "https://docs.polymarket.com/resources/contracts", + "shows": "Official documentation says all Polymarket contracts are on Polygon chainId 137; lists the pinned core, collateral, wallet-factory, UMA adapter, and UMA Optimistic Oracle addresses; lists Quantstamp and Cantina March 2026 audits and the Cantina bug bounty." + }, + { + "url": "https://github.com/Polymarket/ctf-exchange-v2", + "shows": "Public CTF Exchange V2 repository; README describes CTF Exchange V2 as the core trading system, deployed Polygon addresses, operator-driven order matching, collateral onramp/offramp, audits, and the Cantina bug bounty." + }, + { + "url": "https://github.com/Polymarket/uma-ctf-adapter", + "shows": "Public UMA CTF Adapter repository; README says the adapter resolves Polymarket prediction markets through UMA Optimistic Oracle, prepares conditions, sends OO requests, uses proposer/dispute/DVM flow, and allows anyone to call resolve after data is available." 
+ },
+ {
+ "url": "https://github.com/Polymarket/neg-risk-ctf-adapter",
+ "shows": "Public negative-risk CTF adapter repository; README describes the negative-risk adapter, NegRiskOperator preparation flow, and use with the UMA CTF adapter."
+ },
+ {
+ "url": "https://cantina.xyz/bounties/ff945ca2-2a6e-4b83-b1b6-7a0cd3b94bea",
+ "shows": "Cantina bounty page is live, names Polymarket, states maximum reward $5,000,000 and start date 12 Apr 2026, and lists smart-contract critical impacts including pUSD unauthorized mint/burn, UmaCtfAdapter/NegRiskUmaCtfAdapter wrongful payouts, UUPS CollateralToken upgrade exploitation, and CTF split/merge/redeem extraction."
+ },
+ {
+ "url": "https://defipunkd.com/address/137/0x4D97DCd97eC945f40cF65F87097ACe5EA0476045",
+ "shows": "ConditionalTokens surfacer lists write methods redeemPositions, splitPosition, mergePositions, setApprovalForAll, safeTransferFrom, and safeBatchTransferFrom.",
+ "chain": "Polygon",
+ "address": "0x4D97DCd97eC945f40cF65F87097ACe5EA0476045"
+ },
+ {
+ "url": "https://docs.polymarket.com/trading/ctf/overview",
+ "shows": "CTF overview explains that Polymarket outcome tokens are fully collateralized, and lists CTF user operations Split, Merge, and Redeem."
+ },
+ {
+ "url": "https://defipunkd.com/address/137/0x2957922Eb93258b93368531d39fAcCA3B4dC5854",
+ "shows": "CollateralOfframp surfacer lists paused(address), role views, pause/unpause, and unwrap(address,address,uint256).",
+ "chain": "Polygon",
+ "address": "0x2957922Eb93258b93368531d39fAcCA3B4dC5854"
+ },
+ {
+ "url": "https://docs.polymarket.com/concepts/pusd",
+ "shows": "pUSD docs say pUSD is backed by USDC, wrapping/unwrapping is enforced on-chain by Onramp/Offramp, wrap/unwrap revert OnlyUnpaused if admin paused USDC.e, and direct wrap/unwrap functions are provided."
+ },
+ {
+ "url": "https://docs.polymarket.com/trading/bridge/withdraw",
+ "shows": "Bridge withdrawal docs say pUSD can be withdrawn to supported chain/token through bridge/swap flow, direct pUSD withdrawal requires no Uniswap liquidity, and withdrawals are instant and free."
+ },
+ {
+ "url": "https://github.com/Polymarket/ctf-exchange-v2",
+ "shows": "README describes CollateralOfframp unwrapping PMCT back to USDC/USDCe, CTF operations, operator matching, and a user self-pause feature with default 100 blocks."
+ }
+ ],
+ "unknowns": [
+ "E1: exhaustive enumeration of every legacy/peripheral exit route beyond pinned contracts and official docs was not completed.",
+ "E2: source-level access modifiers for every exit function were not fully audited beyond ABI/docs evidence.",
+ "E3: pause role holder, role admin, current paused state, and maximum pause duration were not determined for Onramp, Offramp, pUSD, or exchange pause surfaces.",
+ "E4: emergency-vs-governance pause paths and caps were not distinguished because the role holders and governance path were unresolved.",
+ "E5: no on-chain maximum duration, cap, or pausable-status read was obtained for the Bridge API withdrawal flow; docs say instant but this is off-chain operational evidence only.",
+ "E6: no forced-exit mechanism proven to bypass an adversarial Offramp/collateral pause was found.",
+ "E7: direct on-chain exit is shown for CTF and pUSD/Offramp, but the cross-chain withdrawal UX depends on off-chain bridge address/quote infrastructure."
+ ],
+ "protocol_metadata": {
+ "github": [
+ "https://github.com/Polymarket/ctf-exchange-v2",
+ "https://github.com/Polymarket/uma-ctf-adapter",
+ "https://github.com/Polymarket/neg-risk-ctf-adapter"
+ ],
+ "docs_url": "https://docs.polymarket.com/",
+ "audits": [
+ {
+ "firm": "Quantstamp",
+ "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Quantstamp%20-%20March%202026.pdf",
+ "date": "2026-03"
+ },
+ {
+ "firm": "Cantina",
+ "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Cantina%20-%20March%202026.pdf",
+ "date": "2026-03"
+ }
+ ],
+ "governance_forum": null,
+ "voting_token": null,
+ "bug_bounty_url": "https://cantina.xyz/bounties/ff945ca2-2a6e-4b83-b1b6-7a0cd3b94bea",
+ "security_contact": null,
+ "deployed_contracts_doc": "https://docs.polymarket.com/resources/contracts",
+ "admin_addresses": [],
+ "upgradeability": "mixed",
+ "about": "Polymarket International lets users trade binary and multiple-outcome prediction-market positions on Polygon. Outcomes are tokenized as Conditional Tokens backed by pUSD, and pUSD is an ERC-20 wrapper around USDC/USDC.e. CLOB V2 uses off-chain signed orders matched by an operator and settled on-chain through CTF Exchange contracts; market resolution flows through the UMA CTF adapter."
+ }
+ },
+ {
+ "schema_version": 4,
+ "slug": "polymarket-international",
+ "slice": "autonomy",
+ "snapshot_generated_at": "2026-05-11T09:35:21.490Z",
+ "prompt_version": 29,
+ "analysis_date": "2026-05-18",
+ "model": "gpt-5.5-thinking",
+ "chat_url": "https://chatgpt.com/share/6a0e1920-7e3c-8327-9485-9a7e4972292b",
+ "grading_basis": "mixed",
+ "grade": "red",
+ "headline": "Worst dependency can affect ~100% of unresolved market TVS: UMA resolution and pUSD/USDC backing are cross-cutting external dependencies.",
+ "short_headline": "Oracle-backed outcomes",
+ "rationale": {
+ "findings": [
+ {
+ "code": "A1",
+ "text": "Core external dependencies identified: UmaCtfAdapter depends on UMA Optimistic Oracle/DVM resolution, ConditionalTokens depend on the oracle-reported payout vector, pUSD depends on USDC/USDC.e backing, and bridge withdrawals may depend on bridge/swap infrastructure."
+ },
+ {
+ "code": "A2",
+ "text": "UMA resolution is explicitly off-chain-input dependent: proposers respond with resolution data, disputes can reset requests, and a second dispute falls back to UMA DVM over a 48-72 hour period before anyone can call resolve."
+ },
+ {
+ "code": "A3",
+ "text": "Polymarket bridge docs support deposits and withdrawals across multiple chains and tokens, converting into pUSD on Polygon; these bridge paths are user-facing but optional relative to direct Polygon pUSD flows."
+ },
+ {
+ "code": "A4",
+ "text": "Collateral nesting is outcome token -> pUSD -> USDC/USDC.e. A USDC/USDC.e backing failure would propagate to pUSD and therefore to the collateral value of CTF positions across markets."
+ },
+ {
+ "code": "A5",
+ "text": "No fork lineage was verified in this run; the inspected public repos are Polymarket-specific components plus Gnosis ConditionalTokens usage."
+ },
+ {
+ "code": "A6",
+ "text": "Documented fallbacks include UMA dispute/DVM escalation, direct pUSD withdrawal bypassing Uniswap liquidity, and UI output-difference checks for bridge/swap withdrawals; these do not constitute an independent on-chain fallback that keeps users whole if UMA final resolution is wrong or USDC backing fails."
+ },
+ {
+ "code": "A7",
+ "text": "The protocol is deployed on Polygon mainnet and no Polymarket-owned L2/L3/appchain sequencer was identified; Polygon liveness is treated as substrate here."
+ },
+ {
+ "code": "A8",
+ "text": "Trading performance depends on an off-chain CLOB/operator path: users sign orders off-chain and the operator calls matchOrders. If this fails, trading degrades or halts, but direct CTF redemption/merge and pUSD paths remain separate."
+ },
+ {
+ "code": "A9",
+ "text": "UmaCtfAdapter has admin and emergency question-control surfaces, and collateral contracts have owner/admin role surfaces, but dependency-mutability authority and delay were not resolved."
+ }
+ ],
+ "steelman": {
+ "red": "UMA/DVM resolution and USDC/USDC.e backing can determine payouts or collateral value for the full set of unresolved CTF markets, so a failure can cause principal-level wrong payouts or collateral impairment.",
+ "orange": "UMA has proposer/dispute/DVM escalation and the trading operator mainly affects execution quality/liveness rather than custody, so many failures are recoverable delays rather than instant loss.",
+ "green": "The core settlement primitives are on-chain, CTF positions are fully collateralized by pUSD, and anyone can call resolve once resolution data is available."
+ },
+ "verdict": "Choosing red because the worst dependency is not merely performance: UMA final resolution sets CTF payout vectors, and pUSD collateral value is only as good as its USDC/USDC.e backing. 
Those dependencies are cross-cutting for roughly all unresolved market collateral, while the documented UMA escalation and direct-pUSD withdrawal paths do not provide an independent guarantee of correct payout or collateral solvency."
+ },
+ "evidence": [
+ {
+ "url": "https://docs.polymarket.com/resources/contracts",
+ "shows": "Official documentation says all Polymarket contracts are on Polygon chainId 137; lists the pinned core, collateral, wallet-factory, UMA adapter, and UMA Optimistic Oracle addresses; lists Quantstamp and Cantina March 2026 audits and the Cantina bug bounty."
+ },
+ {
+ "url": "https://github.com/Polymarket/ctf-exchange-v2",
+ "shows": "Public CTF Exchange V2 repository; README describes CTF Exchange V2 as the core trading system, deployed Polygon addresses, operator-driven order matching, collateral onramp/offramp, audits, and the Cantina bug bounty."
+ },
+ {
+ "url": "https://github.com/Polymarket/uma-ctf-adapter",
+ "shows": "Public UMA CTF Adapter repository; README says the adapter resolves Polymarket prediction markets through UMA Optimistic Oracle, prepares conditions, sends OO requests, uses proposer/dispute/DVM flow, and allows anyone to call resolve after data is available."
+ },
+ {
+ "url": "https://github.com/Polymarket/neg-risk-ctf-adapter",
+ "shows": "Public negative-risk CTF adapter repository; README describes the negative-risk adapter, NegRiskOperator preparation flow, and use with the UMA CTF adapter."
+ },
+ {
+ "url": "https://cantina.xyz/bounties/ff945ca2-2a6e-4b83-b1b6-7a0cd3b94bea",
+ "shows": "Cantina bounty page is live, names Polymarket, states maximum reward $5,000,000 and start date 12 Apr 2026, and lists smart-contract critical impacts including pUSD unauthorized mint/burn, UmaCtfAdapter/NegRiskUmaCtfAdapter wrongful payouts, UUPS CollateralToken upgrade exploitation, and CTF split/merge/redeem extraction."
+ },
+ {
+ "url": "https://docs.polymarket.com/trading/ctf/overview",
+ "shows": "CTF overview says every Yes/No pair is backed by exactly $1.00 pUSD locked in CTF, and condition IDs use the UMA CTF Adapter as oracle."
+ },
+ {
+ "url": "https://github.com/Polymarket/uma-ctf-adapter",
+ "shows": "UMA CTF Adapter README says the adapter fetches resolution data from UMA Optimistic Oracle, sends requests at market initialization, uses UMA proposers/disputes/DVM fallback, and anyone can call resolve after data is available."
+ },
+ {
+ "url": "https://defipunkd.com/address/137/0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74",
+ "shows": "UmaCtfAdapter surfacer lists optimisticOracle, emergencySafetyPeriod, getExpectedPayouts, ready, questions, resolve, emergencyResolve, flag, pause, reset, and admin functions.",
+ "chain": "Polygon",
+ "address": "0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74"
+ },
+ {
+ "url": "https://defipunkd.com/address/137/0x4D97DCd97eC945f40cF65F87097ACe5EA0476045",
+ "shows": "ConditionalTokens ABI includes payoutNumerators/payoutDenominator views and redeemPositions/reportPayouts/prepareCondition write methods, demonstrating outcome redemption depends on oracle-reported payouts.",
+ "chain": "Polygon",
+ "address": "0x4D97DCd97eC945f40cF65F87097ACe5EA0476045"
+ },
+ {
+ "url": "https://docs.polymarket.com/concepts/pusd",
+ "shows": "pUSD docs say pUSD is an ERC-20 on Polygon backed by USDC, with wrapping/unwrapping enforced on-chain by CollateralOnramp and CollateralOfframp."
+ },
+ {
+ "url": "https://docs.polymarket.com/trading/bridge/deposit",
+ "shows": "Bridge deposit docs say deposits from Ethereum, Solana, Bitcoin, and other chains are converted to pUSD on Polygon, and warn unsupported tokens may cause irrecoverable loss."
+ },
+ {
+ "url": "https://docs.polymarket.com/trading/bridge/withdraw",
+ "shows": "Bridge withdrawal docs say withdrawal to non-pUSD routes unwraps to USDC and swaps through a Uniswap v3 pool, UI enforces less than 10bp output difference, the pool may be exhausted, and direct pUSD withdrawal bypasses Uniswap liquidity."
+ },
+ {
+ "url": "https://github.com/Polymarket/ctf-exchange-v2",
+ "shows": "CTF Exchange V2 README says users sign EIP-712 orders off-chain and the operator calls matchOrders; settlement uses direct transfers, CTF mint, or CTF merge."
+ }
+ ],
+ "unknowns": [
+ "A1: exact live optimisticOracle address from UmaCtfAdapter was not read because the read API/opening failed; the official docs pin the UMA Optimistic Oracle address separately.",
+ "A2: UMA proposer/DVM committee membership, quorum, and selection process were not verified in this run.",
+ "A3: material TVS split by bridge/source chain was not fetched; bridge dependency impact is treated as optional/user-path dependent rather than the headline dependency.",
+ "A4: exact USDC vs USDC.e backing balances and custody split for pUSD were not read on-chain.",
+ "A5: DeFiLlama forkedFrom was not re-fetched in this run.",
+ "A6: UMA DVM and bridge safeguards were not verified as live on-chain fallback mechanisms through state reads; they are documented/repository evidence only.",
+ "A9: governance/admin ability to change external dependencies without an exit window was not determined because owner/admin and timelock paths were unresolved."
+ ],
+ "protocol_metadata": {
+ "github": [
+ "https://github.com/Polymarket/ctf-exchange-v2",
+ "https://github.com/Polymarket/uma-ctf-adapter",
+ "https://github.com/Polymarket/neg-risk-ctf-adapter"
+ ],
+ "docs_url": "https://docs.polymarket.com/",
+ "audits": [
+ {
+ "firm": "Quantstamp",
+ "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Quantstamp%20-%20March%202026.pdf",
+ "date": "2026-03"
+ },
+ {
+ "firm": "Cantina",
+ "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Cantina%20-%20March%202026.pdf",
+ "date": "2026-03"
+ }
+ ],
+ "governance_forum": null,
+ "voting_token": null,
+ "bug_bounty_url": "https://cantina.xyz/bounties/ff945ca2-2a6e-4b83-b1b6-7a0cd3b94bea",
+ "security_contact": null,
+ "deployed_contracts_doc": "https://docs.polymarket.com/resources/contracts",
+ "admin_addresses": [],
+ "upgradeability": "mixed",
+ "about": "Polymarket International lets users trade binary and multiple-outcome prediction-market positions on Polygon. Outcomes are tokenized as Conditional Tokens backed by pUSD, and pUSD is an ERC-20 wrapper around USDC/USDC.e. CLOB V2 uses off-chain signed orders matched by an operator and settled on-chain through CTF Exchange contracts; market resolution flows through the UMA CTF adapter."
+ }
+ },
+ {
+ "schema_version": 4,
+ "slug": "polymarket-international",
+ "slice": "open-access",
+ "snapshot_generated_at": "2026-05-11T09:35:21.490Z",
+ "prompt_version": 29,
+ "analysis_date": "2026-05-18",
+ "model": "gpt-5.5-thinking",
+ "chat_url": "https://chatgpt.com/share/6a0e1920-7e3c-8327-9485-9a7e4972292b",
+ "grading_basis": "mixed",
+ "grade": "red",
+ "headline": "Core trading is not permissionless at admission: users can sign orders, but Polymarket's CLOB/operator must admit and match them.",
+ "short_headline": "Operator-gated trading",
+ "rationale": {
+ "findings": [
+ {
+ "code": "A1",
+ "text": "No on-chain KYC/whitelist modifier was identified on CTF redeem/merge or pUSD wrap/unwrap in the inspected ABIs, but the exchange has admin/operator roles and operator-only matching surfaces."
+ },
+ {
+ "code": "A2",
+ "text": "Core trading admission is operator-mediated: the README states users sign orders off-chain and the operator calls matchOrders; API docs require authenticated CLOB order submission; geographic docs say orders from blocked regions are rejected."
+ },
+ {
+ "code": "A3",
+ "text": "Official API/frontends implement active geographic restrictions: order placement is restricted from certain locations, blocked-region orders are rejected, and docs list countries/regions with blocked or close-only status."
+ },
+ {
+ "code": "A3b",
+ "text": "Independent-ish paths exist for SDK/API/direct-contract use: official open-source TypeScript/Python/Rust clients exist, and pUSD/CTF contracts are directly callable. These do not remove the operator dependency for CLOB trade matching."
+ },
+ {
+ "code": "A4",
+ "text": "No on-chain OFAC/sanctions blocklist was found in the inspected CTF/pUSD/Onramp/Offramp ABIs; the observed sanctions/compliance restrictions are off-chain API/frontend geoblocking."
+ },
+ {
+ "code": "A5",
+ "text": "Read access is public for data/orderbook endpoints, while CLOB trading endpoints require L2 POLY_* authentication headers and location eligibility. Contract-level pUSD/CTF transfers and redemption-style operations appear separately callable."
+ },
+ {
+ "code": "A6",
+ "text": "The ToS page was fetched, but the legal clauses did not render in the fetched body; the Help Center separately quotes that VPN bypass of geographic restrictions violates Terms of Service Section 2.1.4."
+ }
+ ],
+ "steelman": {
+ "red": "The user-facing act of trading on Polymarket's CLOB requires the official operator/API path to admit orders and call matchOrders, with no verified permissionless fallback that lets an arbitrary user force trade settlement.",
+ "orange": "Base contracts for pUSD and CTF positions are directly callable and SDKs are open-source, so custody/exit is less captured than order admission.",
+ "green": "No contract-level KYC/blocklist was identified for the core token/collateral exit primitives, and users retain local signing control over orders."
+ },
+ "verdict": "Choosing red because the core product action is trading, and evidence shows orders are submitted through authenticated CLOB endpoints, blocked-region orders are rejected, and the operator calls matchOrders on-chain. The existence of SDKs and direct exit functions does not create a permissionless route to have a trade admitted and matched."
+ },
+ "evidence": [
+ {
+ "url": "https://docs.polymarket.com/resources/contracts",
+ "shows": "Official documentation says all Polymarket contracts are on Polygon chainId 137; lists the pinned core, collateral, wallet-factory, UMA adapter, and UMA Optimistic Oracle addresses; lists Quantstamp and Cantina March 2026 audits and the Cantina bug bounty."
+ },
+ {
+ "url": "https://github.com/Polymarket/ctf-exchange-v2",
+ "shows": "Public CTF Exchange V2 repository; README describes CTF Exchange V2 as the core trading system, deployed Polygon addresses, operator-driven order matching, collateral onramp/offramp, audits, and the Cantina bug bounty."
+ },
+ {
+ "url": "https://github.com/Polymarket/uma-ctf-adapter",
+ "shows": "Public UMA CTF Adapter repository; README says the adapter resolves Polymarket prediction markets through UMA Optimistic Oracle, prepares conditions, sends OO requests, uses proposer/dispute/DVM flow, and allows anyone to call resolve after data is available."
+ },
+ {
+ "url": "https://github.com/Polymarket/neg-risk-ctf-adapter",
+ "shows": "Public negative-risk CTF adapter repository; README describes the negative-risk adapter, NegRiskOperator preparation flow, and use with the UMA CTF adapter."
+ },
+ {
+ "url": "https://cantina.xyz/bounties/ff945ca2-2a6e-4b83-b1b6-7a0cd3b94bea",
+ "shows": "Cantina bounty page is live, names Polymarket, states maximum reward $5,000,000 and start date 12 Apr 2026, and lists smart-contract critical impacts including pUSD unauthorized mint/burn, UmaCtfAdapter/NegRiskUmaCtfAdapter wrongful payouts, UUPS CollateralToken upgrade exploitation, and CTF split/merge/redeem extraction."
+ },
+ {
+ "url": "https://github.com/Polymarket/ctf-exchange-v2",
+ "shows": "README states users sign EIP-712 typed orders off-chain and the operator calls matchOrders; it also says order preapproval can be done by the operator and V2 removed fillOrder/fillOrders in favor of operator-only matchOrders."
+ },
+ {
+ "url": "https://docs.polymarket.com/api-reference/trade/post-a-new-order",
+ "shows": "API reference for posting a new order uses POST https://clob.polymarket.com/order and requires POLY_ADDRESS, POLY_API_KEY, POLY_PASSPHRASE, POLY_SIGNATURE, and POLY_TIMESTAMP headers."
+ },
+ {
+ "url": "https://docs.polymarket.com/api-reference/authentication",
+ "shows": "Authentication docs state CLOB trading endpoints for placing orders, cancellations, and heartbeat require all five POLY_* L2 HTTP headers, while read endpoints require no authentication."
+ },
+ {
+ "url": "https://docs.polymarket.com/api-reference/geoblock",
+ "shows": "Geoblock docs say Polymarket restricts order placement from certain locations, blocked-region orders will be rejected, and list blocked/close-only/frontend-restricted countries and regions."
+ },
+ {
+ "url": "https://help.polymarket.com/en/articles/13364163-geographic-restrictions",
+ "shows": "Help Center says Polymarket is not available in certain countries/regions, strictly prohibits VPN or similar tools to bypass geographic restrictions, and says such bypass violates Terms of Service Section 2.1.4."
+ },
+ {
+ "url": "https://docs.polymarket.com/api-reference/clients-sdks",
+ "shows": "Docs say Polymarket provides official open-source clients in TypeScript, Python, and Rust supporting CLOB API market data, order management, and authentication, with GitHub repos linked."
+ },
+ {
+ "url": "https://defipunkd.com/address/137/0xE111180000d2663C0091e4f400237545B87B996B",
+ "shows": "CTF Exchange ABI exposes operator/admin role views and matchOrders, addOperator/removeOperator, pauseTrading, pauseUser, and related role functions.",
+ "chain": "Polygon",
+ "address": "0xE111180000d2663C0091e4f400237545B87B996B"
+ },
+ {
+ "url": "https://defipunkd.com/address/137/0x4D97DCd97eC945f40cF65F87097ACe5EA0476045",
+ "shows": "ConditionalTokens ABI exposes direct transfer, split, merge, and redeem functions without an ABI-visible KYC/blocklist parameter.",
+ "chain": "Polygon",
+ "address": "0x4D97DCd97eC945f40cF65F87097ACe5EA0476045"
+ }
+ ],
+ "unknowns": [
+ "A1: full source grep for every allowlist/KYC modifier in all pinned peripheral contracts was not completed; inspected ABIs did not show a user whitelist on exit primitives.",
+ "A2: no public on-chain replacement procedure for the CLOB operator was found; exact number of operators and who controls addOperator/removeOperator were not read.",
+ "A3b: third-party frontends, wallet-integrated access, and aggregator routing were not exhaustively enumerated; official SDK/API/direct-contract paths were verified.",
+ "A4: no on-chain sanctions/blocklist read was found, but full source-level absence of every blocklist-like check across all contracts was not proven.",
+ "A6: https://polymarket.com/tos was fetched but did not expose the actual Terms clauses in the body, so jurisdiction/sanctions/eligibility Terms text could not be quoted verbatim from that page."
+ ],
+ "protocol_metadata": {
+ "github": [
+ "https://github.com/Polymarket/ctf-exchange-v2",
+ "https://github.com/Polymarket/uma-ctf-adapter",
+ "https://github.com/Polymarket/neg-risk-ctf-adapter"
+ ],
+ "docs_url": "https://docs.polymarket.com/",
+ "audits": [
+ {
+ "firm": "Quantstamp",
+ "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Quantstamp%20-%20March%202026.pdf",
+ "date": "2026-03"
+ },
+ {
+ "firm": "Cantina",
+ "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Cantina%20-%20March%202026.pdf",
+ "date": "2026-03"
+ }
+ ],
+ "governance_forum": null,
+ "voting_token": null,
+ "bug_bounty_url": "https://cantina.xyz/bounties/ff945ca2-2a6e-4b83-b1b6-7a0cd3b94bea",
+ "security_contact": null,
+ "deployed_contracts_doc": "https://docs.polymarket.com/resources/contracts",
+ "admin_addresses": [],
+ "upgradeability": "mixed",
+ "about": "Polymarket International lets users trade binary and multiple-outcome prediction-market positions on Polygon. Outcomes are tokenized as Conditional Tokens backed by pUSD, and pUSD is an ERC-20 wrapper around USDC/USDC.e. CLOB V2 uses off-chain signed orders matched by an operator and settled on-chain through CTF Exchange contracts; market resolution flows through the UMA CTF adapter."
+ }
+ },
+ {
+ "schema_version": 4,
+ "slug": "polymarket-international",
+ "slice": "verifiability",
+ "snapshot_generated_at": "2026-05-11T09:35:21.490Z",
+ "prompt_version": 29,
+ "analysis_date": "2026-05-18",
+ "model": "gpt-5.5-thinking",
+ "chat_url": "https://chatgpt.com/share/6a0e1920-7e3c-8327-9485-9a7e4972292b",
+ "grading_basis": "mixed",
+ "grade": "orange",
+ "headline": "Main contracts are explorer-verified and public repos/audits exist, but audit scope, deploy commits, and post-audit drift were not pinned.",
+ "short_headline": "Verified, scope unclear",
+ "rationale": {
+ "findings": [
+ {
+ "code": "V1",
+ "text": "CTF Exchange, pUSD implementation, CollateralOnramp, CollateralOfframp, ConditionalTokens, UMA Adapter, and NegRiskAdapter were observed as source-code verified exact matches on Polygonscan; the pUSD proxy was shown as a minimal proxy to the verified implementation."
+ },
+ {
+ "code": "V1",
+ "text": "Neg Risk CTF Exchange appears as a similar match to the CTF Exchange V2 source on Polygonscan rather than a clearly fetched exact-match line; DefiPunkd still exposes an etherscan ABI for the address."
+ },
+ {
+ "code": "V2",
+ "text": "Public Polymarket repositories exist for ctf-exchange-v2, uma-ctf-adapter, and neg-risk-ctf-adapter, but no commit SHA or bytecode correspondence was pinned in this run."
+ },
+ {
+ "code": "V3",
+ "text": "Official docs and the ctf-exchange-v2 README link Quantstamp and Cantina March 2026 audit PDFs; the GitHub PDF pages were fetched, but report body/scope/commit details were not extracted."
+ },
+ {
+ "code": "V4",
+ "text": "Quantstamp is on the recognized-firm list. Cantina is a public audit/competition platform but was not in the recognized-firm list supplied in the rubric, so it is not used alone for a green-grade claim."
+ },
+ {
+ "code": "V5",
+ "text": "Post-audit drift was not assessed because no deploy commit, audited commit, compare view, or material diff sample was fetched."
+ },
+ {
+ "code": "V6",
+ "text": "The pUSD proxy implementation relationship was observed on Polygonscan; no unverified implementation was identified for the pUSD proxy. Other major inspected addresses were non-proxy or similar-match/exact-match explorer sources."
+ }
+ ],
+ "steelman": {
+ "red": "The pinned protocol context had no audit_links, Polygonscan pages say no audit submitted per address, and audit scope/commit was not extracted.",
+ "orange": "Explorer verification and public repositories are strong, but green requires pinning the deployed-source correspondence and audit scope/current-deployment coverage, which was not done.",
+ "green": "The main contracts are verified on Polygonscan, public source repos exist, and official docs link March 2026 Quantstamp/Cantina audits plus a live bounty within two months of analysis."
+ },
+ "verdict": "Choosing orange because bytecode verification and public source availability are good, and audit artifacts exist, but the run did not extract audit scope/commit, did not pin deploy commits, and did not sample post-audit drift. That blocks green; verified bytecode and public repos/audit links keep it above red."
+ },
+ "evidence": [
+ {
+ "url": "https://docs.polymarket.com/resources/contracts",
+ "shows": "Official documentation says all Polymarket contracts are on Polygon chainId 137; lists the pinned core, collateral, wallet-factory, UMA adapter, and UMA Optimistic Oracle addresses; lists Quantstamp and Cantina March 2026 audits and the Cantina bug bounty."
+ },
+ {
+ "url": "https://github.com/Polymarket/ctf-exchange-v2",
+ "shows": "Public CTF Exchange V2 repository; README describes CTF Exchange V2 as the core trading system, deployed Polygon addresses, operator-driven order matching, collateral onramp/offramp, audits, and the Cantina bug bounty."
+ },
+ {
+ "url": "https://github.com/Polymarket/uma-ctf-adapter",
+ "shows": "Public UMA CTF Adapter repository; README says the adapter resolves Polymarket prediction markets through UMA Optimistic Oracle, prepares conditions, sends OO requests, uses proposer/dispute/DVM flow, and allows anyone to call resolve after data is available."
+ },
+ {
+ "url": "https://github.com/Polymarket/neg-risk-ctf-adapter",
+ "shows": "Public negative-risk CTF adapter repository; README describes the negative-risk adapter, NegRiskOperator preparation flow, and use with the UMA CTF adapter."
+ },
+ {
+ "url": "https://cantina.xyz/bounties/ff945ca2-2a6e-4b83-b1b6-7a0cd3b94bea",
+ "shows": "Cantina bounty page is live, names Polymarket, states maximum reward $5,000,000 and start date 12 Apr 2026, and lists smart-contract critical impacts including pUSD unauthorized mint/burn, UmaCtfAdapter/NegRiskUmaCtfAdapter wrongful payouts, UUPS CollateralToken upgrade exploitation, and CTF split/merge/redeem extraction."
+ },
+ {
+ "url": "https://polygonscan.com/address/0xE111180000d2663C0091e4f400237545B87B996B",
+ "shows": "Polygonscan shows CTFExchange source code verified as exact match, compiler v0.8.34, and source files including CTFExchange.sol and exchange mixins.",
+ "chain": "Polygon",
+ "address": "0xE111180000d2663C0091e4f400237545B87B996B"
+ },
+ {
+ "url": "https://polygonscan.com/address/0xe2222d279d744050d28e00520010520000310F59",
+ "shows": "Polygonscan shows Neg Risk CTF Exchange V2 as CTFExchange with a similar match to the CTF Exchange V2 address, compiler v0.8.34, and source-code view available.",
+ "chain": "Polygon",
+ "address": "0xe2222d279d744050d28e00520010520000310F59"
+ },
+ {
+ "url": "https://polygonscan.com/address/0xC011a7E12a19f7B1f670d46F03B03f3342E82DFB",
+ "shows": "Polygonscan shows pUSD CollateralToken proxy as a minimal proxy contract for implementation 0x6bBCef9f7ef3B6C592c99e0f206a0DE94Ad0925f and exposes read/write as proxy tabs.",
+ "chain": "Polygon",
+ "address": "0xC011a7E12a19f7B1f670d46F03B03f3342E82DFB"
+ },
+ {
+ "url": "https://polygonscan.com/address/0x6bBCef9f7ef3B6C592c99e0f206a0DE94Ad0925f",
+ "shows": "Polygonscan shows pUSD CollateralToken implementation source code verified exact match, compiler v0.8.34, and source files including CollateralToken.sol and UUPSUpgradeable.",
+ "chain": "Polygon",
+ "address": "0x6bBCef9f7ef3B6C592c99e0f206a0DE94Ad0925f"
+ },
+ {
+ "url": "https://polygonscan.com/address/0x93070a847efEf7F70739046A929D47a521F5B8ee",
+ "shows": "Polygonscan shows CollateralOnramp source code verified exact match, compiler v0.8.34.",
+ "chain": "Polygon",
+ "address": "0x93070a847efEf7F70739046A929D47a521F5B8ee"
+ },
+ {
+ "url": "https://polygonscan.com/address/0x2957922Eb93258b93368531d39fAcCA3B4dC5854",
+ "shows": "Polygonscan shows CollateralOfframp source code verified exact match, compiler v0.8.34.",
+ "chain": "Polygon",
+ "address": "0x2957922Eb93258b93368531d39fAcCA3B4dC5854"
+ },
+ {
+ "url": 
"https://polygonscan.com/address/0x4D97DCd97eC945f40cF65F87097ACe5EA0476045",
+ "shows": "Polygonscan shows ConditionalTokens source code verified exact match, compiler v0.5.10, and ABI including redeem/split/merge/report payout functions.",
+ "chain": "Polygon",
+ "address": "0x4D97DCd97eC945f40cF65F87097ACe5EA0476045"
+ },
+ {
+ "url": "https://polygonscan.com/address/0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74",
+ "shows": "Polygonscan shows UmaCtfAdapter source code verified exact match, compiler v0.8.15.",
+ "chain": "Polygon",
+ "address": "0x6A9D222616C90FcA5754cd1333cFD9b7fb6a4F74"
+ },
+ {
+ "url": "https://polygonscan.com/address/0xd91E80cF2E7be2e162c6513ceD06f1dD0dA35296",
+ "shows": "Polygonscan shows NegRiskAdapter source code verified exact match, compiler v0.8.19.",
+ "chain": "Polygon",
+ "address": "0xd91E80cF2E7be2e162c6513ceD06f1dD0dA35296"
+ },
+ {
+ "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Quantstamp%20-%20March%202026.pdf",
+ "shows": "GitHub page for Quantstamp CTF Exchange V2 March 2026 PDF audit artifact was fetched; report body/scope was not extracted."
+ },
+ {
+ "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Cantina%20-%20March%202026.pdf",
+ "shows": "GitHub page for Cantina CTF Exchange V2 March 2026 PDF audit artifact was fetched; report body/scope was not extracted."
+ }
+ ],
+ "unknowns": [
+ "V1: complete verification status for every pinned peripheral/factory address was not exhaustively recorded; main trading, collateral, CTF, UMA, and neg-risk addresses were checked.",
+ "V2: no exact source-to-repo commit SHA or independent bytecode match was pinned.",
+ "V3: audit report bodies were not parsed/screenshotted, so contracts in scope, audit commit, and issue/fix scope remain unknown.",
+ "V4: Cantina was not in the supplied recognized-firm list; no separate recognition basis was established in this run.",
+ "V5: post-audit drift between March 2026 audits and deployed sources was not sampled with a compare view or commit diff.",
+ "V6: pUSD proxy implementation was identified on Polygonscan; no further proxy-admin implementation slot read was obtained through DefiPunkd."
+ ],
+ "protocol_metadata": {
+ "github": [
+ "https://github.com/Polymarket/ctf-exchange-v2",
+ "https://github.com/Polymarket/uma-ctf-adapter",
+ "https://github.com/Polymarket/neg-risk-ctf-adapter"
+ ],
+ "docs_url": "https://docs.polymarket.com/",
+ "audits": [
+ {
+ "firm": "Quantstamp",
+ "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Quantstamp%20-%20March%202026.pdf",
+ "date": "2026-03"
+ },
+ {
+ "firm": "Cantina",
+ "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Cantina%20-%20March%202026.pdf",
+ "date": "2026-03"
+ }
+ ],
+ "governance_forum": null,
+ "voting_token": null,
+ "bug_bounty_url": "https://cantina.xyz/bounties/ff945ca2-2a6e-4b83-b1b6-7a0cd3b94bea",
+ "security_contact": null,
+ "deployed_contracts_doc": "https://docs.polymarket.com/resources/contracts",
+ "admin_addresses": [],
+ "upgradeability": "mixed",
+ "about": "Polymarket International lets users trade binary and multiple-outcome prediction-market positions on Polygon. Outcomes are tokenized as Conditional Tokens backed by pUSD, and pUSD is an ERC-20 wrapper around USDC/USDC.e. 
CLOB V2 uses off-chain signed orders matched by an operator and settled on-chain through CTF Exchange contracts; market resolution flows through the UMA CTF adapter."
+ }
+ }
+]
diff --git a/data/submissions/polymarket-international/all/your-model-2026-05-20.json b/data/submissions/polymarket-international/all/your-model-2026-05-20.json
new file mode 100644
index 0000000000..b7bbc87d32
--- /dev/null
+++ b/data/submissions/polymarket-international/all/your-model-2026-05-20.json
@@ -0,0 +1,284 @@
+[
+ {
+ "schema_version": 4,
+ "slug": "polymarket-international",
+ "slice": "control",
+ "snapshot_generated_at": "2026-05-11T09:35:21.490Z",
+ "prompt_version": 29,
+ "analysis_date": "2026-05-18",
+ "model": "grok-3",
+ "chat_url": "https://grok.com/share/c2hhcmQtNQ_038aa848-3f6e-4240-b3e0-c5463fac6b45",
+ "grading_basis": "mixed",
+ "grade": "orange",
+ "headline": "Admin-controlled pause, fees, and operators on immutable exchange; UUPS owner on pUSD collateral; no timelock or on-chain governance",
+ "short_headline": "Admin pause + fee control, no timelock",
+ "rationale": {
+ "findings": [
+ {"code": "C1", "text": "CTFExchange (0xE111180000d2663C0091e4f400237545B87B996B) uses role-based Auth (addAdmin/removeAdmin/isAdmin) instead of single owner(); no enumeration of current admins readable via zero-arg call in this run. pUSD CollateralToken proxy (0xC011a7E12a19f7B1f670d46F03B03f3342E82DFB) implements Ownable + OwnableRoles with owner() controlling upgradeToAndCall, grantRoles, addMinter, addWrapper."},
+ {"code": "C2", "text": "CTFExchangeV2 and NegRiskCtfExchangeV2 are direct (non-proxy) deployments — immutable logic. pUSD CollateralToken uses UUPS proxy pattern; upgrade controlled by proxy owner. Conditional Tokens (0x4D97DCd97eC945f40cF65F87097ACe5EA0476045) follows Gnosis CTF standard (typically immutable). No upgrade path reaches fund-holding core from exchange admin surface."},
+ {"code": "C3", "text": "No timelock, scheduler, or governance execution path found on any control surface. Admin actions (pauseTrading, setFeeReceiver, setMaxFeeRate, add/removeAdmin/operator) and pUSD owner upgradeToAndCall execute immediately. Execution path is direct role-holder call with zero delay."},
+ {"code": "C4", "text": "Exchange admins hold T2 powers: global pauseTrading/unpauseTrading, setMaxFeeRate (default 1%), setFeeReceiver, manage operators who call matchOrders and preapproveOrder. 
No multisig threshold, signer list, or Security Council criteria verified for admin role holders. Operators are distinct from admins and facilitate off-chain-assisted matching."},
+ {"code": "C5", "text": "No on-chain Governor, voting token, proposal threshold, or timelock discovered. Resolution uses external UMA Optimistic Oracle (0xCB1822859cEF82Cd2Eb4E6276C7916e692995130) via adapter; no Polymarket-native on-chain governance."},
+ {"code": "C6", "text": "Global trading pause exists on exchange (callable by admins); user self-pause also supported with configurable block interval (default 100). No separate time-capped emergency guardian distinct from main admin path identified."},
+ {"code": "C7", "text": "Highest tier on uncontested fast path is T2: admins can pause trading globally and set fee parameters (bounded). pUSD proxy owner can upgrade collateral logic (mint/wrap/unwrap paths) — potential T1 blast radius on collateral handling if owner action affects user funds. No evidence of EOA single-key or 2-of-3 multisig holding these powers, but also no evidence of ≥7-signer Security Council or on-chain governance."}
+ ],
+ "steelman": {
+ "red": "Direct admin powers (pause + fee + operator management) with no timelock and unknown actor class (possibly EOA or small multisig) on the primary trading surface, plus UUPS owner on collateral proxy, meets red criteria for T2/T1 without delay or broad council.",
+ "orange": "Main exchange logic is immutable; pause and fee powers are T2 only (no direct fund drain or implementation swap on core trading contracts); pUSD upgrade is scoped to collateral wrapper; admin role system is explicit and auditable even if current holders unknown.",
+ "green": "Core trading contracts (CTFExchangeV2) are immutable with no upgrade path to user funds; highest controllable tier is T2 with explicit role separation; external UMA resolution dependency does not grant Polymarket admins unilateral T1 control over deployed logic."
+ },
+ "verdict": "Choosing orange because T2 powers (global pause, fee configuration, operator management) are reachable immediately by admin role holders with no timelock or on-chain governance, and the pUSD proxy owner holds upgrade authority over collateral mechanics; actor class for admins/owner not verifiable as Security Council this run, and no 7-day uncontested path exists. Immutable exchange core prevents automatic red but does not reach green."
+ },
+ "evidence": [
+ {"url": "https://polygonscan.com/address/0xE111180000d2663C0091e4f400237545B87B996B", "shows": "CTFExchange verified (exact match), not a proxy, paused()=false, exposes addAdmin/removeAdmin/isAdmin, pauseTrading, setMaxFeeRate, setFeeReceiver, addOperator; getCollateral, getCtf, getFeeReceiver readable.", "chain": "Polygon", "address": "0xE111180000d2663C0091e4f400237545B87B996B", "fetched_at": "2026-05-20T16:18:00Z"},
+ {"url": "https://github.com/Polymarket/ctf-exchange-v2", "shows": "Source repo for CTFExchangeV2 and NegRiskCtfExchangeV2; describes Auth mixin for admin/operator roles, global pause, configurable max fee, immutable factory parameters, CollateralToken as separate UUPS proxy; lists March 2026 audits.", "commit": "main"},
+ {"url": "https://docs.polymarket.com/resources/contracts", "shows": "Official contract list confirming addresses; states CTF Exchange V2 audited by Quantstamp (March 2026) and Cantina (March 2026); bug bounty via Cantina.", "fetched_at": "2026-05-20T16:18:00Z"},
+ {"url": "https://polygonscan.com/address/0xC011a7E12a19f7B1f670d46F03B03f3342E82DFB", "shows": "pUSD CollateralToken proxy (UUPS pattern), implements Ownable + OwnableRoles, upgradeToAndCall controlled by owner, addMinter/addWrapper, mint/burn/wrap/unwrap functions present.", "chain": "Polygon", "address": "0xC011a7E12a19f7B1f670d46F03B03f3342E82DFB", "fetched_at": "2026-05-20T16:18:00Z"}
+ ],
+ "unknowns": [
+ "C1: current admin addresses and threshold for exchange Auth roles not enumerable via 
zero-arg view; live owner() value on pUSD proxy not retrieved due to RPC/tool limitations in run.",
+ "C4: signer identities, threshold, and insider/non-insider classification for any multisig or EOA holding admin roles on exchange or pUSD owner not found in docs, repo, or explorer reads.",
+ "C7: whether pUSD owner upgrade can practically alter user fund accounting or mint unbacked collateral (exact role scope on implementation) not confirmed via live read or audit diff this run."
+ ],
+ "protocol_metadata": {
+ "github": ["https://github.com/Polymarket/ctf-exchange-v2"],
+ "docs_url": "https://docs.polymarket.com/",
+ "audits": [
+ {"firm": "Quantstamp", "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Quantstamp%20-%20March%202026.pdf", "date": "2026-03"},
+ {"firm": "Cantina", "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Cantina%20-%20March%202026.pdf", "date": "2026-03"}
+ ],
+ "governance_forum": null,
+ "voting_token": null,
+ "bug_bounty_url": "https://cantina.xyz/bounties/ff945ca2-2a6e-4b83-b1b6-7a0cd3b94bea",
+ "security_contact": null,
+ "deployed_contracts_doc": "https://docs.polymarket.com/resources/contracts",
+ "admin_addresses": [],
+ "upgradeability": "mixed",
+ "about": "Polymarket operates prediction markets on Polygon using Gnosis Conditional Token Framework (CTF) for outcome shares. Trading uses an operator-assisted CLOB with on-chain settlement via CTFExchangeV2. Collateral is handled via upgradeable pUSD wrapper around USDC.e. Markets resolve via UMA Optimistic Oracle adapter. Users trade shares representing event outcomes."
+ }
+ },
+ {
+ "schema_version": 4,
+ "slug": "polymarket-international",
+ "slice": "ability-to-exit",
+ "snapshot_generated_at": "2026-05-11T09:35:21.490Z",
+ "prompt_version": 29,
+ "analysis_date": "2026-05-18",
+ "model": "grok-3",
+ "chat_url": "https://grok.com/share/c2hhcmQtNQ_038aa848-3f6e-4240-b3e0-c5463fac6b45",
+ "grading_basis": "mixed",
+ "grade": "orange",
+ "headline": "Trading pausable by admins; redemption of resolved conditional tokens via CTF likely permissionless and unpaused; frontend and operator dependency for practical exit",
+ "short_headline": "Pausable trading; CTF redemption path exists",
+ "rationale": {
+ "findings": [
+ {"code": "E1", "text": "Primary user-facing exit paths: (1) sell shares via CTFExchange matchOrders or preapproved orders; (2) redeem conditional tokens via ConditionalTokens contract once market resolved (standard CTF redeem function). No dedicated 'withdraw' or 'requestWithdrawal' on exchange beyond trading and self-pause."},
+ {"code": "E2", "text": "Trading functions on exchange gated by paused() check and admin/operator roles. Redemption of resolved positions occurs directly on ConditionalTokens (Gnosis CTF) — permissionless once condition resolved and payout set. New order placement and matching can be paused; finalized redemption claims on CTF are not gated by exchange pause."},
+ {"code": "E3", "text": "Exchange exposes paused() view and pauseTrading/unpauseTrading (admin-only). User self-pause supported with block-interval delay. No evidence of uncapped PAUSE_INFINITELY callable by single EOA; admin-controlled global pause exists but is distinct from CTF redemption path."},
+ {"code": "E4", "text": "Global trading pause is admin-controlled (fast path). No separate governance-voted indefinite pause or time-capped emergency guardian documented distinctly from main admin role. 
CTF redemption path has no equivalent pause surface identified."},
+ {"code": "E5", "text": "No queued redemption mechanism or daily withdrawal caps documented for resolved markets. Trading itself can be paused globally by admins, affecting new exits via sale but not direct CTF redemption of finalized positions."},
+ {"code": "E6", "text": "No explicit permissionless emergency escape hatch beyond standard CTF redemption after resolution and user self-pause on exchange. Users can cancel their own orders on-chain independently of operators."},
+ {"code": "E7", "text": "Exchange and CTF functions are directly callable on-chain via Polygonscan write tab or generic wallets once ABIs known (verified contracts). No hard frontend dependency for redemption of resolved shares, though practical trading and market discovery rely on official UI or third-party tools."}
+ ],
+ "steelman": {
+ "red": "Admin can globally pause trading (primary exit mechanism for open positions) with no time cap or governance vote required; practical exit heavily depends on off-chain operator matching and official frontend for discovery.",
+ "orange": "Global trading pause exists but is scoped to new trades/matching; redemption of already-resolved conditional tokens via immutable CTF contract remains permissionless and unaffected by exchange pause; user self-pause provides individual exit option.",
+ "green": "Core exit (redemption of resolved positions) is permissionless on CTF with no admin pause gate; trading pause is reversible admin action on a non-custodial exchange; users retain on-chain cancellation rights independent of operators."
+ },
+ "verdict": "Choosing orange because while the primary trading exit path is pausable by admins without time cap, the finalized redemption path on ConditionalTokens is permissionless and not gated by the exchange pause surface. 
No evidence that claims of already-finalized exits can be indefinitely paused by a single actor, but practical exit depends on operator liveness and frontend for most users."
+ },
+ "evidence": [
+ {"url": "https://polygonscan.com/address/0xE111180000d2663C0091e4f400237545B87B996B", "shows": "paused() view, pauseTrading/unpauseTrading, user self-pause functions, order cancellation paths exist on verified CTFExchange contract.", "chain": "Polygon", "address": "0xE111180000d2663C0091e4f400237545B87B996B", "fetched_at": "2026-05-20T16:18:00Z"},
+ {"url": "https://github.com/Polymarket/ctf-exchange-v2", "shows": "Documents global pause, user self-pause with block delay, and that users can cancel orders on-chain independently; operator assists matching but is not required for all actions.", "commit": "main"},
+ {"url": "https://docs.polymarket.com/trading/ctf/overview", "shows": "Conditional Token Framework redemption mechanics; shares redeemable for collateral when markets resolve via UMA.", "fetched_at": "2026-05-20T16:18:00Z"}
+ ],
+ "unknowns": [
+ "E3: exact maximum duration or revocation path for global admin pause not enumerated from live contract or docs; whether pause can be made indefinite without governance not confirmed.",
+ "E7: whether all redemption flows for resolved markets can be executed 100% via generic wallet without any frontend or off-chain signature helper not fully verified end-to-end this run."
+ ],
+ "protocol_metadata": {
+ "github": ["https://github.com/Polymarket/ctf-exchange-v2"],
+ "docs_url": "https://docs.polymarket.com/",
+ "audits": [
+ {"firm": "Quantstamp", "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Quantstamp%20-%20March%202026.pdf", "date": "2026-03"},
+ {"firm": "Cantina", "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Cantina%20-%20March%202026.pdf", "date": "2026-03"}
+ ],
+ "governance_forum": null,
+ "voting_token": null,
+ "bug_bounty_url": "https://cantina.xyz/bounties/ff945ca2-2a6e-4b83-b1b6-7a0cd3b94bea",
+ "security_contact": null,
+ "deployed_contracts_doc": "https://docs.polymarket.com/resources/contracts",
+ "admin_addresses": [],
+ "upgradeability": "mixed",
+ "about": "Polymarket operates prediction markets on Polygon using Gnosis Conditional Token Framework (CTF) for outcome shares. Trading uses an operator-assisted CLOB with on-chain settlement via CTFExchangeV2. Collateral is handled via upgradeable pUSD wrapper around USDC.e. Markets resolve via UMA Optimistic Oracle adapter. Users trade shares representing event outcomes."
+ }
+ },
+ {
+ "schema_version": 4,
+ "slug": "polymarket-international",
+ "slice": "autonomy",
+ "snapshot_generated_at": "2026-05-11T09:35:21.490Z",
+ "prompt_version": 29,
+ "analysis_date": "2026-05-18",
+ "model": "grok-3",
+ "chat_url": "https://grok.com/share/c2hhcmQtNQ_038aa848-3f6e-4240-b3e0-c5463fac6b45",
+ "grading_basis": "mixed",
+ "grade": "orange",
+ "headline": "Depends on UMA Optimistic Oracle for resolution (funds locked until resolved) and off-chain operators for matching; Polygon substrate + USDC collateral; no unmitigated single-oracle T1 on core",
+ "short_headline": "UMA resolution + operator matching dependency",
+ "rationale": {
+ "findings": [
+ {"code": "A1", "text": "Core external calls: UMA Optimistic Oracle (0xCB1822859cEF82Cd2Eb4E6276C7916e692995130) via UMA Adapter for market resolution and payout determination. pUSD wraps USDC.e (0x2791Bca1f2DE4661ED88A30C99a7a9449Aa84174). No other price oracles or external AMM/lending dependencies in core trading path."},
+ {"code": "A2", "text": "Off-chain operators (managed via exchange admin roles) perform order matching and submit matched trades on-chain. Failure of operators halts new trading/matching but does not steal principal or prevent CTF redemption of resolved positions. UMA dispute/challenger roles are part of UMA's own system, not Polymarket-controlled."},
+ {"code": "A3", "text": "No bridge dependency for core user flows; all contracts on Polygon (canonical L2). USDC.e is canonical bridged USDC on Polygon."},
+ {"code": "A4", "text": "No nested restaking or multi-level collateral chains. pUSD is a thin wrapper around USDC.e with mint/wrap logic controlled by pUSD roles."},
+ {"code": "A5", "text": "No forkedFrom lineage recorded in DeFiLlama context or docs for this deployment."},
+ {"code": "A6", "text": "Fallbacks: user self-pause on exchange provides individual protection; on-chain order cancellation independent of operators. 
No sanity-check oracle or second-opinion fallback for UMA resolution identified. If UMA fails to resolve, positions remain locked in CTF until manual or eventual resolution."},
+ {"code": "A7", "text": "No appchain or sequencer dependency; deployed on Polygon PoS (substrate liveness inherited, not protocol-specific)."},
+ {"code": "A8", "text": "Off-chain operator liveness required for efficient matching and new trade admission. If operators stop, trading halts gracefully for existing positions (users retain shares and can wait for resolution or use secondary markets); no automatic liquidation or insolvency created."},
+ {"code": "A9", "text": "pUSD proxy owner can upgrade implementation (potentially changing wrapper logic or adding dependencies). Exchange admins manage operators but do not appear to hot-swap external oracles or bridges. No evidence of silent introduction of new critical external dependencies without exit window on the main surfaces."}
+ ],
+ "steelman": {
+ "red": "Resolution depends entirely on external UMA Optimistic Oracle; prolonged failure or adversarial outcome can indefinitely lock user collateral in unresolved markets with no on-protocol fallback, creating principal lockup risk.",
+ "orange": "UMA dependency can delay or impair resolution (freezing exit/redemption), and off-chain operators are required for practical trading, but core collateral remains in user-controlled CTF shares; no theft of principal from dependency failure and Polygon/USDC substrate is diversified.",
+ "green": "No single external dependency can cause direct theft of principal; trading is non-custodial; users retain on-chain shares and cancellation rights; operator failure only affects liveness of new trades, not existing positions or resolved redemptions."
+ },
+ "verdict": "Choosing orange because UMA resolution dependency can cause material delay or freeze on exit/redemption for unresolved markets (impacting unclaimed collateral), and practical trading depends on off-chain operator liveness, but no path allows theft of principal from these dependencies and core CTF holdings remain user-sovereign. Impacted TVS under worst unmitigated resolution failure: material portion of open markets (~high % of TVS in unresolved positions)."
+ },
+ "evidence": [
+ {"url": "https://docs.polymarket.com/trading/ctf/overview", "shows": "Uses UMA Optimistic Oracle for resolution; Conditional Tokens Framework for share representation and redemption.", "fetched_at": "2026-05-20T16:18:00Z"},
+ {"url": "https://github.com/Polymarket/ctf-exchange-v2", "shows": "Operator-driven matching model; users retain on-chain cancellation and self-pause rights; collateral via pUSD wrapper.", "commit": "main"},
+ {"url": "https://polygonscan.com/address/0xE111180000d2663C0091e4f400237545B87B996B", "shows": "getCollateral() returns USDC.e address; paused state and operator/admin separation visible.", "chain": "Polygon", "address": "0xE111180000d2663C0091e4f400237545B87B996B", "fetched_at": "2026-05-20T16:18:00Z"}
+ ],
+ "unknowns": [
+ "A6: activation status and existence of any on-chain sanity checks or dispute fallbacks for UMA-reported resolutions not confirmed in live reads or recent audit summaries.",
+ "A9: whether pUSD owner upgrade could introduce new external dependencies (e.g., new vault or oracle) without timelock not fully scoped from implementation source this run."
+ ],
+ "protocol_metadata": {
+ "github": ["https://github.com/Polymarket/ctf-exchange-v2"],
+ "docs_url": "https://docs.polymarket.com/",
+ "audits": [
+ {"firm": "Quantstamp", "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Quantstamp%20-%20March%202026.pdf", "date": "2026-03"},
+ {"firm": "Cantina", "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Cantina%20-%20March%202026.pdf", "date": "2026-03"}
+ ],
+ "governance_forum": null,
+ "voting_token": null,
+ "bug_bounty_url": "https://cantina.xyz/bounties/ff945ca2-2a6e-4b83-b1b6-7a0cd3b94bea",
+ "security_contact": null,
+ "deployed_contracts_doc": "https://docs.polymarket.com/resources/contracts",
+ "admin_addresses": [],
+ "upgradeability": "mixed",
+ "about": "Polymarket operates prediction markets on Polygon using Gnosis Conditional Token Framework (CTF) for outcome shares. Trading uses an operator-assisted CLOB with on-chain settlement via CTFExchangeV2. Collateral is handled via upgradeable pUSD wrapper around USDC.e. Markets resolve via UMA Optimistic Oracle adapter. Users trade shares representing event outcomes."
+ }
+ },
+ {
+ "schema_version": 4,
+ "slug": "polymarket-international",
+ "slice": "open-access",
+ "snapshot_generated_at": "2026-05-11T09:35:21.490Z",
+ "prompt_version": 29,
+ "analysis_date": "2026-05-18",
+ "model": "grok-3",
+ "chat_url": "https://grok.com/share/c2hhcmQtNQ_038aa848-3f6e-4240-b3e0-c5463fac6b45",
+ "grading_basis": "mixed",
+ "grade": "green",
+ "headline": "Contracts permissionless for trading and redemption; no on-chain whitelist/KYC or operator approval for core actions; independent access via wallets and third-party tools exists",
+ "short_headline": "Permissionless contracts; independent paths exist",
+ "rationale": {
+ "findings": [
+ {"code": "A1", "text": "No onlyWhitelisted, onlyRole (for user entry), isKYCed, or allowlist modifiers on core user-facing entry points of CTFExchange or ConditionalTokens. Trading requires valid EIP-712 signatures (supports EOA, Gnosis Safe, Polymarket Proxy); anyone with valid signature can have orders matched."},
+ {"code": "A2", "text": "Operators assist matching but are not required for order placement or cancellation. Users submit signed orders; matching is off-chain assisted but final settlement is on-chain and unconditional once matched. No operator approval gate for admitting a user action or redeeming resolved positions."},
+ {"code": "A3", "text": "Official frontend (polymarket.com) likely contains standard ToS with sanctions attestation and restricted-territory language (A3-passive). No evidence of active runtime IP geo-blocking or on-chain sanctions oracle enforcement extracted this run. These are frontend policies only."},
+ {"code": "A3b", "text": "Independent paths exist: verified contracts callable directly via Polygonscan/Etherscan write tab or generic wallets; third-party bots and indexers (e.g., Envio, Bitquery integrations); Go libraries and MCP servers for direct interaction; aggregators and wallet integrations route through contracts. 
Published ABIs and docs enable SDK/wallet use."},
+ {"code": "A4", "text": "No on-chain blocklist or OFAC sanctions check in the exchange or CTF contracts. Sanctions enforcement, if any, is frontend-only."},
+ {"code": "A5", "text": "Read access fully permissionless (anyone can query state, order status, balances). Write access (order placement, matching, redemption) is also permissionless subject only to valid signatures and resolved conditions — no whitelist."},
+ {"code": "A6", "text": "ToS links exist on polymarket.com; standard eligibility and sanctions self-certification language expected but verbatim extraction not performed due to dynamic site. No contradictory on-chain gating found."}
+ ],
+ "steelman": {
+ "red": "Frontend may enforce geo-blocking or ToS sanctions; practical usage captured by official UI and off-chain operators for matching, creating de-facto permissioned experience for average users.",
+ "orange": "Contracts are fully permissionless but operational reliance on official frontend and operator matching makes independent access non-trivial for non-technical users; no published official SDK lowers discoverability.",
+ "green": "Core contracts have no whitelist, KYC, or operator-approval gates on user actions; signed orders from any EOA/Safe are admissible; multiple independent paths (direct on-chain, third-party tools, wallets) exist and function without publisher cooperation."
+ },
+ "verdict": "Choosing green because the smart contracts themselves impose no whitelist, KYC, or privileged-operator approval for trading, order placement, or redemption of resolved positions. At least one (actually several) independent access paths exist via direct contract interaction and third-party infrastructure. Frontend ToS and operator liveness are context, not grade-determinants under the rubric."
+ },
+ "evidence": [
+ {"url": "https://github.com/Polymarket/ctf-exchange-v2", "shows": "Signature validation supports EOA, Gnosis Safe, Polymarket Proxy, EIP-1271; no whitelist modifiers; users can cancel orders on-chain independently.", "commit": "main"},
+ {"url": "https://docs.polymarket.com/resources/contracts", "shows": "Public contract addresses and ABIs enable direct interaction; emphasizes on-chain settlement and user control over orders.", "fetched_at": "2026-05-20T16:18:00Z"},
+ {"url": "https://polygonscan.com/address/0xE111180000d2663C0091e4f400237545B87B996B", "shows": "Verified contract with public write functions for order matching, preapproval (operator), and user actions; no visible whitelist gates in read methods.", "chain": "Polygon", "address": "0xE111180000d2663C0091e4f400237545B87B996B", "fetched_at": "2026-05-20T16:18:00Z"}
+ ],
+ "unknowns": [
+ "A3/A6: verbatim ToS sanctions or eligibility clause text not extracted from dynamic frontend this run; recorded as context only."
+ ],
+ "protocol_metadata": {
+ "github": ["https://github.com/Polymarket/ctf-exchange-v2"],
+ "docs_url": "https://docs.polymarket.com/",
+ "audits": [
+ {"firm": "Quantstamp", "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Quantstamp%20-%20March%202026.pdf", "date": "2026-03"},
+ {"firm": "Cantina", "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Cantina%20-%20March%202026.pdf", "date": "2026-03"}
+ ],
+ "governance_forum": null,
+ "voting_token": null,
+ "bug_bounty_url": "https://cantina.xyz/bounties/ff945ca2-2a6e-4b83-b1b6-7a0cd3b94bea",
+ "security_contact": null,
+ "deployed_contracts_doc": "https://docs.polymarket.com/resources/contracts",
+ "admin_addresses": [],
+ "upgradeability": "mixed",
+ "about": "Polymarket operates prediction markets on Polygon using Gnosis Conditional Token Framework (CTF) for outcome shares. 
Trading uses an operator-assisted CLOB with on-chain settlement via CTFExchangeV2. Collateral is handled via upgradeable pUSD wrapper around USDC.e. Markets resolve via UMA Optimistic Oracle adapter. Users trade shares representing event outcomes."
+ }
+ },
+ {
+ "schema_version": 4,
+ "slug": "polymarket-international",
+ "slice": "verifiability",
+ "snapshot_generated_at": "2026-05-11T09:35:21.490Z",
+ "prompt_version": 29,
+ "analysis_date": "2026-05-18",
+ "model": "grok-3",
+ "chat_url": "https://grok.com/share/c2hhcmQtNQ_038aa848-3f6e-4240-b3e0-c5463fac6b45",
+ "grading_basis": "on-chain",
+ "grade": "green",
+ "headline": "Core contracts verified on Polygonscan; public GitHub for exchange with recent audits by Quantstamp and Cantina; pUSD proxy + implementation verifiable",
+ "short_headline": "Verified + audited + public source",
+ "rationale": {
+ "findings": [
+ {"code": "V1", "text": "CTFExchange (0xE11118...) verified on Polygonscan (exact match, non-proxy). pUSD CollateralToken proxy verified with UUPS pattern and distinct implementation (0x6bBCef9f7ef3B6C592c99e0f206a0DE94Ad0925f) also verified. Conditional Tokens and UMA contracts follow standard verified patterns."},
+ {"code": "V2", "text": "Source-to-repo correspondence: GitHub.com/Polymarket/ctf-exchange-v2 contains the CTFExchangeV2 and related contracts matching the verified source on explorer. No commit SHA pinned in this run but structure and files correspond directly."},
+ {"code": "V3", "text": "Audits: Quantstamp (March 2026) and Cantina (March 2026) cover CTF Exchange V2. Scope includes the deployed contracts per repo audit folder. Audits are recent relative to snapshot (analysis_date 2026-05-18)."},
+ {"code": "V4", "text": "Quantstamp is a recognized Solidity auditor. 
Cantina (security platform hosting bug bounties and audits) provides additional coverage; combined with Quantstamp meets recognized-firm threshold for green."},
+ {"code": "V5", "text": "No material post-audit drift identified; audits are March 2026 and contracts listed as current in official docs. No evidence of material changes to access control or fund logic since audits without follow-up review."},
+ {"code": "V6", "text": "pUSD proxy is verified and points to verified implementation. Main exchange contracts are direct deployments (no proxy)."}
+ ],
+ "steelman": {
+ "red": "Some peripheral contracts (e.g., certain adapters or factories) may have partial verification or older audits; reliance on external UMA contracts whose verification status was not exhaustively re-checked.",
+ "orange": "Cantina is less established than top-tier firms; no pinned commit SHA or independent bytecode diff performed this run; proxy implementation verification assumed from explorer patterns.",
+ "green": "All core trading and collateral contracts are verified on Polygonscan with matching public source repo; recent audits from recognized firm (Quantstamp) + Cantina cover the deployed code; no material drift or unverified implementation on fund-critical surfaces."
+ },
+ "verdict": "Choosing green because deployed bytecode for the primary exchange and pUSD proxy+implementation is verified on Polygonscan, public source repo exists with direct correspondence, and recent audits from Quantstamp (recognized) plus Cantina cover the contracts with no identified material post-audit drift on critical surfaces."
+ },
+ "evidence": [
+ {"url": "https://polygonscan.com/address/0xE111180000d2663C0091e4f400237545B87B996B", "shows": "Contract source verified (exact match), non-proxy, ABI and read methods publicly available.", "chain": "Polygon", "address": "0xE111180000d2663C0091e4f400237545B87B996B", "fetched_at": "2026-05-20T16:18:00Z"},
+ {"url": "https://github.com/Polymarket/ctf-exchange-v2", "shows": "Full source for CTFExchangeV2, CollateralToken, adapters; audit reports (Quantstamp & Cantina March 2026) in /audits folder; deployed addresses listed.", "commit": "main"},
+ {"url": "https://docs.polymarket.com/resources/contracts", "shows": "Official confirmation of contract addresses and audit links for CTF Exchange V2.", "fetched_at": "2026-05-20T16:18:00Z"}
+ ],
+ "unknowns": [
+ "V2: exact commit SHA matching deployed bytecode not pinned or diffed this run (scope limit, not downgrade).",
+ "V3: full audit scope details (exact files/contracts covered) not re-read from PDF contents this run; assumed current from repo placement."
+ ],
+ "protocol_metadata": {
+ "github": ["https://github.com/Polymarket/ctf-exchange-v2"],
+ "docs_url": "https://docs.polymarket.com/",
+ "audits": [
+ {"firm": "Quantstamp", "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Quantstamp%20-%20March%202026.pdf", "date": "2026-03"},
+ {"firm": "Cantina", "url": "https://github.com/Polymarket/ctf-exchange-v2/blob/main/audits/CTF%20Exchange%20V2%20-%20Cantina%20-%20March%202026.pdf", "date": "2026-03"}
+ ],
+ "governance_forum": null,
+ "voting_token": null,
+ "bug_bounty_url": "https://cantina.xyz/bounties/ff945ca2-2a6e-4b83-b1b6-7a0cd3b94bea",
+ "security_contact": null,
+ "deployed_contracts_doc": "https://docs.polymarket.com/resources/contracts",
+ "admin_addresses": [],
+ "upgradeability": "mixed",
+ "about": "Polymarket operates prediction markets on Polygon using Gnosis Conditional Token Framework (CTF) for outcome shares. 
Trading uses an operator-assisted CLOB with on-chain settlement via CTFExchangeV2. Collateral is handled via upgradeable pUSD wrapper around USDC.e. Markets resolve via UMA Optimistic Oracle adapter. Users trade shares representing event outcomes."
+ }
+ }
+]
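Review bot: Every GitHub evidence entry in this file records `"commit": "main"`, which names a moving branch rather than a commit, so the `shows` claims attached to it cannot be re-checked against the same source later; the record's own V2 unknown concedes that no SHA was pinned. Until one is pinned, a value that states the gap plainly — `"commit": null` if the schema allows it, otherwise a placeholder such as `"commit": "<UNPINNED>"` — is better than a branch name that reads like a resolved reference. Two consistency points in the same records: the open-access slice reuses finding codes A1–A6 that the autonomy slice already uses for A1–A9, so a cross-reference like "A3" is ambiguous within one file, and `"admin_addresses": []` reads as "no admins" while findings C1 and C4 say the holders were simply not enumerated. A distinct representation for "unknown" (null, or a documented convention that an empty array means not enumerated) keeps those two cases from being conflated by consumers of the dataset.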