INTERNAL — Operator UX mock · Design preview of V2 development path · demo-wired ≠ production-live

ContractAddressGuard

sec.contractaddressguard
Security planned Ready to build frozen reference impl flagship

What it does

ContractAddressGuard refuses to allow a signature or on-chain submission against any contract address that is not present on the committed CLOB V2 allow-list. It enforces the EIP-712 domain separator match against the expected V2 domain and rejects any order that targets a V1 Exchange address. This is a hard security control for the V1-to-V2 migration and must not be loosened without an explicit signed-off admin change. It cannot modify orders — it only approves or rejects.

Pipeline placement

Runs after: Strategy OrderIntent and all Risk guardrails
Runs before: Any order signing or submission

Applies to: Every pending order before signature or on-chain submission

Why it matters

| If this fails | Consequence |
| --- | --- |
| Order signed against V1 contract after migration | Funds are sent to a deprecated contract that may not be monitored, potentially locking or losing assets that cannot be recovered through normal settlement. |
| Unknown contract address accepted | Signing an order against an unrecognised contract is the primary vector for phishing and malicious contract substitution attacks in decentralised trading environments. |
| Domain separator mismatch not detected | A forged or misconfigured EIP-712 domain separator could cause a valid-looking signature to be replayed on a different contract or chain, leading to unintended asset transfers. |
| No alert on block | Without an alert every time a suspicious address is blocked, security incidents may not be noticed until significant damage has occurred. |

Inputs

Polymarket inputs

| Input | Source | Required | Use |
| --- | --- | --- | --- |
| CLOB V2 Exchange contract addresses by chain | on-chain | required | Build and maintain the allow-list of valid contract addresses that orders may target. |
| EIP-712 domain separator for the V2 CLOB exchange | on-chain | required | Verify that the domain separator in the pending order matches the expected V2 domain before allowing signature. |
| Order-type schema of the pending intent | CLOB | required | Confirm the order conforms to the V2 order schema specification; V1 schema orders are rejected regardless of address. |

Internal inputs

| Input | Source | Required | Use |
| --- | --- | --- | --- |
| Committed V2 address allow-list | Admin UI | required | Authoritative list of permitted contract addresses and chain IDs; must be signed off before any address is added or removed. |
| KillSwitch active flag | KillSwitch | required | Reject all orders immediately if KillSwitch is active, before address checks run. |

Authority

What this bot is permitted to do

Reject · Pause

State

Readiness: Ready to build
Status: planned
Class: Guardrail
Default mode: shadow_only
Developer owner: Polytraders core — Security pod
Capital impact: Direct

Reason codes emitted

| Code | Severity | Meaning | Action |
| --- | --- | --- | --- |
| KILL_SWITCH_ACTIVE | HARD_REJECT | Global kill switch is active. | Immediately return DENY with security alert. |
| CONTRACT_ADDRESS_NOT_ALLOWED | HARD_REJECT | Order targets a contract address not in the V2 allow-list, a V1 address, an empty allow-list, or has a domain separator mismatch. | Return DENY and emit security alert with full metadata. |
| WALLET_PERMISSION_DENIED | HARD_REJECT | The signing wallet does not have permission to submit to the target contract (chain_id or permissions mismatch). | Return DENY without proceeding to signing. |
| CONTRACT_GUARD_V1_DETECTED | HARD_REJECT | Order carries a known V1 CTFExchange address; block_v1_signing is locked true. | Return DENY; emit security alert with submitted_address. |
| CONTRACT_GUARD_DOMAIN_MISMATCH | HARD_REJECT | EIP-712 domain separator version is not '2' (e.g., still '1' from V1 SDK). | Return DENY; emit security alert with domain details. |
| CONTRACT_GUARD_V1_SCHEMA | HARD_REJECT | Order contains V1-only fields (nonce, feeRateBps, taker) that must be absent in V2. | Return DENY; emit security alert. |
| CONTRACT_GUARD_ALLOW_LIST_EMPTY | HARD_REJECT | The V2 allow-list has not been configured; fail-closed default. | Return DENY; emit configuration alert. |
| PARAMETER_CHANGE_REQUIRES_APPROVAL | HARD_REJECT | An attempt was made to modify a locked parameter (block_v1_signing, require_domain_match, alert_on_block, or v2_addresses) without a signed admin action. | Reject the configuration change and emit an alert. |
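
A sketch of the decision path implied by the inputs and reason codes above, added here as an example and not the project's own code. GuardConfig, check_order, the check order after the kill switch, and the placeholder addresses are assumptions; it compares the EIP-712 domain fields (version, chainId, verifyingContract) rather than the hashed separator.

```python
from dataclasses import dataclass

# V1-only order fields named in the reason-code table above.
V1_ONLY_FIELDS = frozenset({"nonce", "feeRateBps", "taker"})

@dataclass(frozen=True)
class GuardConfig:           # hypothetical container, not the project's schema
    v2_addresses: dict       # chain_id -> frozenset of lowercase V2 addresses
    v1_addresses: frozenset  # known V1 exchange addresses, lowercase

def norm(addr):
    # Hex addresses compare case-insensitively (EIP-55 only changes letter case).
    return str(addr).strip().lower()

def check_order(order, domain, cfg, kill_switch_active):
    """Return (decision, reason_code). Read-only: the order is never modified."""
    if kill_switch_active:                          # runs before address checks
        return ("DENY", "KILL_SWITCH_ACTIVE")
    if not any(cfg.v2_addresses.values()):          # fail closed when unconfigured
        return ("DENY", "CONTRACT_GUARD_ALLOW_LIST_EMPTY")
    target = norm(domain.get("verifyingContract", ""))
    if target in cfg.v1_addresses:
        return ("DENY", "CONTRACT_GUARD_V1_DETECTED")
    # The address must be allowed on the chain the domain names, not on any chain.
    if target not in cfg.v2_addresses.get(domain.get("chainId"), frozenset()):
        return ("DENY", "CONTRACT_ADDRESS_NOT_ALLOWED")
    if str(domain.get("version")) != "2":
        return ("DENY", "CONTRACT_GUARD_DOMAIN_MISMATCH")
    if V1_ONLY_FIELDS.intersection(order):          # V1 schema, even at a V2 address
        return ("DENY", "CONTRACT_GUARD_V1_SCHEMA")
    return ("ALLOW", None)

# Constructed sample data: placeholder addresses, not real contracts.
# 137 is the Polygon mainnet chain ID.
V2_ADDR = "0x" + "ab" * 20
V1_ADDR = "0x" + "11" * 20
CFG = GuardConfig({137: frozenset({V2_ADDR})}, frozenset({V1_ADDR}))
GOOD_DOMAIN = {"version": "2", "chainId": 137, "verifyingContract": "0x" + "AB" * 20}

if __name__ == "__main__":
    print(check_order({"side": "BUY"}, GOOD_DOMAIN, CFG, False))
    print(check_order({"side": "BUY", "nonce": 0}, GOOD_DOMAIN, CFG, False))
    print(check_order({}, dict(GOOD_DOMAIN, verifyingContract=V1_ADDR), CFG, False))
```

Keying the allow-list by chain ID means an address that is valid on one chain is still rejected when the domain names another.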

Used by

Reverse index — strategies that currently reference sec.contractaddressguard. If you change this bot's authority or reason codes, these strategies must re-pass shadow.

| Strategy | State | Activity |
| --- | --- | --- |
| US Elect — book-builder | demo-wired | last triggered 21m ago |
| NBA H2H — moneyline market-make | demo-wired | last triggered 28m ago |
| US Elections — sentiment fade | demo-wired | last triggered 35m ago |


Why this matters

Security bots do NOT propose or execute trades; they only guard signing and wallet operations. Understanding the authority boundary prevents misuse and makes promotion-gate reviews faster and more reliable.