Polymarket suffers governance attack: large players manipulate the oracle, can they still win money even when they lose bets?
Author: Fairy, ChainCatcher
Editor: TB, ChainCatcher
Last night, community users reported that Polymarket had recently experienced its "wildest" governance attack. A large UMA holder used last-minute voting weight to manipulate the oracle in a market where they were about to take a loss, so that the market settled on a result that did not occur in reality, turning a losing position into a profit.
When the rules of gambling become "change the answer if you can't afford to lose," is this still a fair market?
A Brazen Case of "Casino Cheating"
The prediction market question at the center of this incident was: "Will Ukraine agree to sign a mineral agreement with Trump before April?"
As of the market settlement, there was no official statement or decision confirming that the agreement had been reached. On March 25, Trump stated that he "expected to sign" the U.S.-Ukraine mineral agreement "soon," but in fact, this deal was neither formally signed nor publicly announced.
However, Polymarket ultimately ruled the result as YES.
Image source: Polymarket
How Was the Polymarket Governance Attack Achieved?
According to community users @Web3Marmot and @hermansen_folke, the Polymarket governance attack was primarily achieved through UMA oracle voting manipulation.
Polymarket relies on UMA's decentralized oracle to verify results. UMA has its own arbitration system to resolve disputes, where arbitrators are real people—participants in the UMA ecosystem, particularly UMA token holders. This system is known as DVM (Data Verification Mechanism).
However, the decision-making power of the UMA oracle is concentrated in the hands of a few "whales" holding large amounts of UMA tokens. Community analysis indicates that just two large holders control over 50% of the voting power; they are not only voters but also players on Polymarket.
According to @hermansen_folke's analysis, UMA is theoretically a neutral oracle, but in practice, it tends to "follow the crowd." In the UMA oracle, voters need to stake tokens to vote, and if their vote differs from the majority, they will lose those tokens. This means that voters do not necessarily choose the true outcome but are inclined to follow those large holders with substantial tokens and a history of profitable outcomes.
Additionally, to propose a market resolution of "yes" or "no," a margin (usually $750 USDC) must be paid, and raising an objection also requires the same amount. If the voting result is unfavorable to the challenger, they will lose this margin, and even if they are correct, the final reward is minimal. This mechanism leads to a severe asymmetry: whales holding large stakes and UMA voting rights can easily pay the margin and sway market decisions, while ordinary users are deterred from challenging out of fear of losing their funds.
In this incident, a large holder of UMA tokens manipulated the vote to tilt the result in their favor just before the market was about to settle.
As shown in the image below, this large holder voted with 5 million tokens through three accounts, accounting for 25% of the total votes.
Image source: betmoar.fun
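One way to monitor for the vote concentration described above, as an added example that is not from the article, UMA or Polymarket. The vote records are constructed to match the article's figures (5 million tokens across three accounts, 25% of the total; two holders above 50%); the entity labels, the timing field and the alert thresholds are assumptions.

```python
from collections import defaultdict
# Constructed sample votes: (account, entity, staked_tokens, choice, minutes_before_close).
# "entity" is a hypothetical label from whatever address clustering the monitor uses.
VOTES = [
    ("0xA1", "whale_A", 2_000_000, "YES", 20),
    ("0xA2", "whale_A", 1_800_000, "YES", 15),
    ("0xA3", "whale_A", 1_200_000, "YES", 10),
    ("0xB1", "whale_B", 5_500_000, "YES", 240),
    ("0xC1", "voter_C", 3_000_000, "NO", 900),
    ("0xD1", "voter_D", 2_500_000, "NO", 700),
    ("0xE1", "voter_E", 2_200_000, "YES", 30),
    ("0xF1", "voter_F", 1_800_000, "NO", 1200),
]

def entity_shares(votes):
    """Share of total voting weight per entity (accounts merged), largest first."""
    totals = defaultdict(int)
    for _acct, entity, tokens, _choice, _mins in votes:
        totals[entity] += tokens
    grand = sum(totals.values())
    return sorted(((e, t / grand) for e, t in totals.items()), key=lambda p: -p[1])

def min_entities_for_majority(votes):
    """Smallest number of entities whose combined weight exceeds 50%."""
    running = 0.0
    for count, (_entity, share) in enumerate(entity_shares(votes), start=1):
        running += share
        if running > 0.5:
            return count
    return None  # only reachable with no votes

def late_weight_share(votes, window_minutes=60):
    """Fraction of all weight cast within the final window before close."""
    grand = sum(v[2] for v in votes)
    return sum(v[2] for v in votes if v[4] <= window_minutes) / grand

def alerts(votes, entity_cap=0.20, majority_floor=3, late_cap=0.25):
    """Return (code, detail) pairs; the three thresholds are illustrative."""
    found = [("ENTITY_CONCENTRATION", e) for e, s in entity_shares(votes) if s > entity_cap]
    n = min_entities_for_majority(votes)
    if n is not None and n < majority_floor:
        found.append(("FEW_ENTITIES_DECIDE", n))
    late = late_weight_share(votes)
    if late > late_cap:
        found.append(("LATE_WEIGHT_SURGE", round(late, 2)))
    return found

if __name__ == "__main__":
    print(*alerts(VOTES), sep="\n")
```

Merging accounts by entity before computing shares is what makes the three-account split visible: taken separately, none of whale_A's accounts exceeds 10% of the weight.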
Official Response: Acknowledging the Dispute but Refusing Refunds
After the incident, Polymarket officially announced on Discord that it acknowledged that the ruling in the Ukrainian rare earth market conflicted with user expectations and official clarifications, but that because this was not a market system failure, the platform could not provide refunds.
Polymarket stated that they have initiated urgent discussions with the UMA team and promised to enhance system monitoring and improve rules to prevent similar situations from occurring again. They will further optimize the ruling mechanism in the future to ensure clearer rules and more transparent and timely clarification processes, with more details to be announced later.
Oracles should be impartial referees, but here they have ultimately become tools of capital manipulation.
Although Polymarket acknowledged that the ruling result did not meet user expectations, it refused to issue refunds. This decision not only caused losses for affected users but also sent trust in the entire market plunging to a freezing point.
When ordinary players realize that even a correct bet cannot compete with large holders' ability to change the outcome with a click, who will keep playing the lamb to the slaughter in this manipulated game?