| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| < 0.2 | ❌ |
If you discover a security vulnerability in PolyMarket_Mimic_Trader, do not open a public issue. Instead, please report it privately:
- Email: contact@cgfixit.com
- Subject line:
[SECURITY] PolyMarket_Mimic_Trader — <brief description> - Include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept
- The affected file(s) and line number(s) if known
- Your suggested fix, if any
You should receive an acknowledgment within 48 hours. We aim to release a patch within 7 days of confirmation for critical issues.
The following are in scope for security reports:
| Area | Examples |
|---|---|
| Private key handling | Key leakage via logs, env mishandling, or error messages |
| Order placement logic | Conditions where the bot could place unintended live orders |
| SQLite injection | Unsanitized input reaching portfolio DB queries |
| Dependency vulnerabilities | Known CVEs in py-clob-client, aiohttp, pydantic, aiosqlite, websockets |
| Configuration bypass | Ways to force live trading when mode: paper is set |
| Exposure cap bypass | Code paths that skip RiskManager.build_position() or _assert_exposure_cap() |
The following are out of scope:
- Polymarket API or smart contract vulnerabilities (report those to Polymarket)
- Financial losses from using the bot as intended (see Disclaimer in README)
- Social engineering attacks
This project follows these security practices:
- No hardcoded secrets — All credentials are loaded from environment variables via
.env(never committed) - Paper mode by default —
config.yamlships withmode: paper; live trading requires explicit--mode liveCLI flag and a configuredPOLY_PRIVATE_KEY - Asymmetric order retry matrix — Entry FOK/FAK orders are never retried; resting GTC/GTD entries may retry once only after cancel-confirm of the confirmed-unfilled remainder; exit orders may retry up to 3 times. See
CLAUDE.mdfor the full matrix. - Parameterized SQL — All SQLite queries in
portfolio.pyuse parameterized statements (?placeholders), not string interpolation - Input validation — All prices are validated against
[0.0, 1.0]range via_assert_valid_price(); theOrdermodel enforcesprice=Field(ge=0, le=1)andsize_usdc=Field(gt=0)at the Pydantic layer - Exposure caps —
RiskManager._assert_exposure_cap()is called on every position entry;release_exposure()rolls back on failure paths
We recommend periodically auditing dependencies:
pip install pip-audit
pip-audit -r requirements.txt