Detect and defend against the nonce race exploit on Polymarket's CTF Exchange.
## The exploit

Exploiters on Polymarket call `incrementNonce()` on the CTF Exchange contract to invalidate their losing orders before the operator can settle them. This means:

- They place bets on both sides of a market
- When the outcome becomes clear, they cancel the losing side via `incrementNonce()`
- The winning side settles normally → risk-free profit
- You end up holding shares that were supposed to be matched but never settle ("ghost fills")
First publicly disclosed Feb 19, 2026 by @itslirrato on X.
## Components

### nonce_monitor.py

Polls Polygon blocks every 2 s, filters for `incrementNonce()` calls (method selector `0x627cdcb9`) sent to the CTF Exchange, and logs every event with its timing relative to the BTC 5-minute market windows.

```bash
python nonce_monitor.py
```

Output: `data/nonce_events.jsonl`, an append-only log of every detected call with caller address, tx hash, block, gas price, and market-window timing.
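The filtering step the monitor applies to each polled block, as an added example that is not the project's own `nonce_monitor.py`: keep transactions sent to the CTF Exchange whose calldata starts with the `incrementNonce()` selector, and stamp each hit with where it landed inside the 5-minute window. The block, addresses, hashes and gas prices are constructed sample data shaped like a web3 block with full transactions; the real monitor fetches them over RPC.

```python
"""Added example, not the project's own nonce_monitor.py.

Detection logic for one polled block: keep the transactions sent to the
CTF Exchange whose calldata begins with the incrementNonce() selector and
record caller, tx hash, block, gas price and the call's position inside the
5-minute BTC market window. SAMPLE_BLOCK is constructed data.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, asdict

CTF_EXCHANGE = "0x4bFb41d5B3570DeFd03C39a9A4D8dE6Bd8B8982E"  # from the README
INCREMENT_NONCE_SELECTOR = "0x627cdcb9"                      # incrementNonce()
WINDOW_SECONDS = 300                                         # BTC 5-min markets


@dataclass
class NonceEvent:
    caller: str
    tx_hash: str
    block: int
    block_timestamp: int
    gas_price_gwei: float
    seconds_into_window: int
    seconds_to_window_close: int


def window_timing(timestamp: int) -> tuple[int, int]:
    """(seconds since the current 5-minute window opened, seconds until it closes)."""
    into = timestamp % WINDOW_SECONDS
    return into, WINDOW_SECONDS - into


def _hexstr(data) -> str:
    """web3 returns calldata/hashes as HexBytes; normalise to a lowercase 0x string."""
    if isinstance(data, (bytes, bytearray)):
        return "0x" + bytes(data).hex()
    return str(data).lower()


def is_increment_nonce_call(tx: dict) -> bool:
    """True if tx targets the CTF Exchange and its calldata selects incrementNonce()."""
    to = tx.get("to")
    if not to or to.lower() != CTF_EXCHANGE.lower():
        return False
    return _hexstr(tx.get("input", "")).startswith(INCREMENT_NONCE_SELECTOR)


def scan_block(block: dict) -> list[NonceEvent]:
    """Filter one block's transactions down to incrementNonce() calls on the exchange."""
    ts = int(block["timestamp"])
    into, to_close = window_timing(ts)
    events = []
    for tx in block.get("transactions", []):
        if not is_increment_nonce_call(tx):
            continue
        events.append(NonceEvent(
            caller=tx["from"].lower(),
            tx_hash=_hexstr(tx["hash"]),
            block=int(block["number"]),
            block_timestamp=ts,
            gas_price_gwei=int(tx.get("gasPrice", 0)) / 1e9,
            seconds_into_window=into,
            seconds_to_window_close=to_close,
        ))
    return events


def to_jsonl(events: list[NonceEvent]) -> str:
    """One JSON object per line, the append-only shape of data/nonce_events.jsonl."""
    return "".join(json.dumps(asdict(e)) + "\n" for e in events)


# Constructed sample block: one real hit, one incrementNonce() aimed at some
# other contract, and one unrelated call to the exchange. Values are made up.
EXPLOITER = "0x" + "ee" * 20
SAMPLE_BLOCK = {
    "number": 70_000_000,
    "timestamp": 1_700_000_000,   # 200 s into a window, 100 s before it closes
    "transactions": [
        {"from": EXPLOITER, "to": CTF_EXCHANGE, "hash": "0x" + "ab" * 32,
         "input": "0x627cdcb9", "gasPrice": 150_000_000_000},
        {"from": "0x" + "22" * 20, "to": "0x" + "99" * 20, "hash": "0x" + "cd" * 32,
         "input": "0x627cdcb9", "gasPrice": 40_000_000_000},
        {"from": "0x" + "33" * 20, "to": CTF_EXCHANGE, "hash": "0x" + "ef" * 32,
         "input": "0x12345678" + "00" * 32, "gasPrice": 40_000_000_000},
    ],
}

if __name__ == "__main__":
    print(to_jsonl(scan_block(SAMPLE_BLOCK)), end="")
```

The gas price and window position are the two fields worth watching: a call that lands in the last seconds of a window, paid well above the block's going rate, is the pattern described above, while an `incrementNonce()` to a different contract or a different call to the exchange is ignored.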
### blacklist.py

Loads known exploiter addresses from `nonce_events.jsonl` plus a manual `data/blacklist_manual.txt`. Auto-refreshes every 60 s.

```python
from blacklist import Blacklist

bl = Blacklist()
bl.is_blacklisted("0x1234...")  # True/False
```

### counterparty_checker.py

Given a transaction hash, parses the CTF Exchange logs to extract the maker/taker addresses from settled orders.
```python
from counterparty_checker import get_counterparty

counterparty = get_counterparty(tx_hash="0x...")
```

### Orderbook monitor

Monitors the Polymarket orderbook for suspicious patterns (large orders appearing/disappearing, price manipulation around settlement windows) and writes its alerts to `data/manipulation_alerts.jsonl`.
## Installation

```bash
pip install web3 requests py-clob-client
```

Requires a Polygon RPC endpoint. Default: `https://polygon-bor-rpc.publicnode.com`
## Configuration

Set these environment variables or edit the constants at the top of each file:

- `CTF_EXCHANGE` — CTF Exchange contract address (default: `0x4bFb41d5B3570DeFd03C39a9A4D8dE6Bd8B8982E`)
- Polygon RPC URLs are hardcoded with fallbacks
## Output

All output goes to `data/`:

- `nonce_events.jsonl` — incrementNonce event log
- `manipulation_alerts.jsonl` — orderbook anomaly alerts
- `blacklist_manual.txt` — manually added addresses (one per line)
## Defense strategy

- Run `nonce_monitor.py` alongside your trading bot to build a blacklist
- After each fill, use `counterparty_checker.py` to identify who you traded with
- If blacklisted, immediately sell your position (take a small spread loss rather than the total ghost-fill loss)
- Report repeat offenders to Polymarket with on-chain evidence — they have CFTC regulatory pressure to act
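The first three steps wired together, as an added example that is not the project's `blacklist.py` or `counterparty_checker.py`: build the blacklist from `nonce_events.jsonl` plus `blacklist_manual.txt`, pull maker/taker out of a fill's receipt logs, and report any counterparty on the list. It assumes the exchange's fill event carries maker and taker as indexed `topics[1]` and `topics[2]` (an OrderFilled-style layout; confirm against the deployed contract's ABI) and takes that event's `topic0` as a parameter, since the page does not give it. The receipt, addresses, topic hash and data files are constructed for the walkthrough.

```python
"""Added example, not the project's own blacklist.py or counterparty_checker.py.

Post-fill check: load incrementNonce() callers from nonce_events.jsonl and the
manual list, extract maker/taker from the fill receipt's exchange logs, and
return the counterparties that are blacklisted. Assumes maker/taker are
indexed topics[1]/topics[2] of the fill event (verify against the ABI).
Everything under demo() is constructed sample data.
"""
from __future__ import annotations

import json
import tempfile
import time
from pathlib import Path

CTF_EXCHANGE = "0x4bFb41d5B3570DeFd03C39a9A4D8dE6Bd8B8982E"  # from the README

# Constructed placeholders (not real chain data).
FILL_TOPIC0 = "0x" + "f" * 64      # stand-in for the fill event's real topic0
MY_ADDRESS = "0x" + "11" * 20
EXPLOITER = "0x" + "ee" * 20
HONEST = "0x" + "22" * 20


class Blacklist:
    """Union of nonce-event callers and a manual list, re-read every refresh_seconds."""

    def __init__(self, events_path: Path, manual_path: Path, refresh_seconds: int = 60):
        self.events_path = events_path
        self.manual_path = manual_path
        self.refresh_seconds = refresh_seconds
        self._addresses: set[str] = set()
        self._loaded_at = 0.0
        self.refresh()

    def refresh(self) -> None:
        addrs: set[str] = set()
        if self.events_path.exists():
            for line in self.events_path.read_text().splitlines():
                try:
                    rec = json.loads(line)
                except json.JSONDecodeError:
                    continue  # tolerate a partially written trailing line
                if isinstance(rec, dict) and rec.get("caller"):
                    addrs.add(rec["caller"].lower())
        if self.manual_path.exists():
            for line in self.manual_path.read_text().splitlines():
                line = line.strip()
                if line and not line.startswith("#"):
                    addrs.add(line.lower())
        self._addresses = addrs
        self._loaded_at = time.monotonic()

    def is_blacklisted(self, address: str) -> bool:
        if time.monotonic() - self._loaded_at > self.refresh_seconds:
            self.refresh()
        return address.lower() in self._addresses


def topic_to_address(topic: str) -> str:
    """An indexed address topic is the address right-aligned in 32 bytes."""
    return "0x" + topic[-40:].lower()


def get_counterparties(receipt: dict, exchange: str, fill_topic0: str) -> list[dict]:
    """maker/taker pairs from every fill event the exchange emitted in this receipt."""
    pairs = []
    for log in receipt.get("logs", []):
        topics = log.get("topics", [])
        if log.get("address", "").lower() != exchange.lower() or len(topics) < 3:
            continue
        if topics[0].lower() != fill_topic0.lower():
            continue
        pairs.append({"maker": topic_to_address(topics[1]),
                      "taker": topic_to_address(topics[2])})
    return pairs


def flag_fill(receipt: dict, bl: Blacklist, me: str, exchange: str, fill_topic0: str) -> list[str]:
    """Blacklisted addresses on the other side of my fills, deduplicated, in log order."""
    flagged: list[str] = []
    for pair in get_counterparties(receipt, exchange, fill_topic0):
        for addr in (pair["maker"], pair["taker"]):
            if addr != me.lower() and bl.is_blacklisted(addr) and addr not in flagged:
                flagged.append(addr)
    return flagged


def demo() -> list[str]:
    """Write constructed data files to a temp dir and run the check on a sample receipt."""
    data = Path(tempfile.mkdtemp())
    (data / "nonce_events.jsonl").write_text(
        json.dumps({"caller": EXPLOITER, "tx_hash": "0x" + "ab" * 32, "block": 1}) + "\n"
        + '{"caller": "0x' + "cc" * 20 + '"'          # truncated last line: skipped
    )
    (data / "blacklist_manual.txt").write_text("# manual additions\n0x" + "dd" * 20 + "\n")
    bl = Blacklist(data / "nonce_events.jsonl", data / "blacklist_manual.txt")

    def topic(addr: str) -> str:
        return "0x" + addr[2:].lower().rjust(64, "0")

    receipt = {"logs": [
        {"address": CTF_EXCHANGE, "topics": [FILL_TOPIC0, topic(EXPLOITER), topic(MY_ADDRESS)]},
        {"address": CTF_EXCHANGE, "topics": [FILL_TOPIC0, topic(HONEST), topic(MY_ADDRESS)]},
        {"address": "0x" + "99" * 20, "topics": [FILL_TOPIC0, topic(EXPLOITER), topic(MY_ADDRESS)]},
    ]}
    return flag_fill(receipt, bl, MY_ADDRESS, CTF_EXCHANGE, FILL_TOPIC0)


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the JSONL reader skips a half-written last line instead of crashing, because the monitor appends to the file while the bot reads it; and logs from other contracts in the same receipt are ignored, so a fill event emitted elsewhere cannot put a stray address on the flagged list.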
## Notes

`incrementNonce()` is a nuclear option: it invalidates ALL pending orders from the caller's address, not just one. The CLOB API's cancel endpoint is surgical (it cancels specific orders). Exploiters who use `incrementNonce()` are leaving clear on-chain fingerprints.
## License

MIT