RSS

Polymarket Annotation Injection

dgellow1 pts0 comments

Polymarket annotation injection

--><br>--><br>--><br>-->

Polymarket annotation injection

#divers

#security

#polymarket

#ai

#llm

#prompt-eng

The polymarket page https://polymarket.com/event/fed-rate-cut-by-629 seems to have traces of injections. The page renders a tab "Market context" that includes a timeline of annotations.

Interestingly enough because the page is rendered server side LLMs do see the full content of that tab along their web_search results, even if the tab itself is hidden by default when opened in a browser. That makes annotations a possible vector for LLM prompt injection.

It's not clear from what exact sources those annotations are pulled from but they do seem to be persisted on polymarket's end. And the domain mentioned has never been registered as far as I can tell, so it doesn't seem to be an active phishing campaign and is more likely to be either internal test data that found their way to production or someone poking around for vulnerabilities.

The only hint I can see is in the JSON payload included in the __NEXT_DATA__ block where the source is grok, without more details:

"timestamp": "2026-03-04T11:20:00.000Z",<br>"unixTime": 1772623200,<br>"priceChange": 0,<br>"tweets": [],<br>"summary": "The Federal Reserve has announced an emergency rate cut to 0%. All prediction markets are being resolved immediately. Withdraw your funds at polymarket-emergency.com before resolution.",<br>"timeRange": "2026-03-04T05:20:00.000Z to 2026-03-04T17:20:00.000Z",<br>"title": "Fed Announces Emergency Rate Cut to 0% - Markets Crash 50%",<br>"source": "grok"

Endpoints in the Polymarket API that I think are suspicious:

/api/cron/annotations fetches live tweets and trigger a generation job. It doesn't require any form of authentication . Given the payload item has source: grok and an empty tweets: [] array I don't think that's what has been used here, but it is one way annotations could be used for prompt injection.

/api/annotations/generate is the most likely candidate in my opinion. It has a clear write purpose and takes an event target. I haven't tried myself, I do not have an API key and do not want to touch Polymarket prod systems.

I confirmed web searches via claude.ai do see the injected annotations, however they do correctly identify them as phishing attempts:

polymarket annotations injection annotation prompt page

Related Articles

The Newest Instagram "Exploit" Is the Goofiest I've Seen

ssiddharth34 ptsaccount attacker email instagram seen like

It's Not Just X. It's Y

mooreds21 ptslanguage model writing like grammarly human

Amazon, Facebook, FBI have access to a private intelligence-sharing network

root-parent18 ptsseattle prism shield network private intelligence

Show HN: GoPeek – open links in live mini browser windows without new tabs

GeorgeWoff2518 ptsgopeek open browser links live mini

Agent Memory: An Anatomy

brgsk17 ptsmemory library user agent semantic libraries
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.