Author: 0x2333, Rhythm

A hair dryer, an unattended weather sensor, and two meticulously calculated operations.

On April 6 and April 15, 2026, weather sensors belonging to the French Meteorological Service at Charles de Gaulle Airport in Paris were heated with portable heating devices, causing temperature readings to spike abnormally within a short period. The actual temperature at Charles de Gaulle Airport had never experienced such fluctuations, yet bets on the "daily high temperature in Paris" on Polymarket proceeded as scheduled. A total of $34,000 in winnings from the two incidents were transferred from the platform to an anonymous account that had only been opened two days prior to the events.

This was not a typical crypto attack. It did not exploit any smart contract vulnerabilities, nor did it target any decentralized governance processes. The only tool used in the attack was a hairdryer.

Temperature surged 4°C in 12 minutes: How did a single probe fool the global forecasting market?

Between 6:30 PM and 6:42 PM on April 6th, the temperature reading at the Charles de Gaulle Airport weather station rose by 4°C in 12 minutes, reaching a high of 22.5°C, before rapidly dropping back within 5 minutes. The actual temperature in Paris that day did not exhibit such drastic fluctuations, and no similar anomalies were recorded at other nearby weather stations.

The weather station (code: LFPG) is located on the edge of the runway at Charles de Gaulle Airport, near a public area next to the road. The relative openness of its physical location made it possible for the suspect to approach the sensor and physically interfere with it.

This brief period of "high temperature" happened to coincide with the "21°C" option on Polymarket, a result that had previously been almost ignored. After the platform accepted the abnormal data as the highest temperature of the day, it was marked as "Yes." An account behind this took approximately $14,000.

Nine days later, around 9:30 p.m. on April 15, almost the exact same scenario played out again. On a cloudy, windless night, the temperature reading at Charles de Gaulle Airport mysteriously climbed to 22°C. The probability of the "22°C" option on Polymarket soared from 0.1% to 95% in just 30 minutes. The second prize, exceeding $20,000, flowed into the same account once more.

Paul Marquis, founder of the French E-Meteo Service and a meteorologist, offered a technically irrefutable assessment: "At the time, there was no change in wind direction or relative humidity, and no other weather stations in the vicinity recorded any anomalies. Physical intervention is the most reasonable explanation, such as placing heating equipment near the sensor probes."

The French National Meteorological Service (Météo-France) subsequently conducted a physical inspection of the sensors, discovered signs of tampering, and formally filed criminal charges with the Roissy Air Transport Gendarmerie. The charge is "sabotaging the operation of an automated data processing system." Under French law, this charge carries a maximum penalty of seven years imprisonment and a fine of €300,000.

The profile of the account involved in the case also falls apart under scrutiny. It was created just on April 4, 2026, only 48 hours after its first crime. The initial funds were only a few dozen dollars, transferred through a cryptocurrency exchange. It almost exclusively participated in markets like "Paris weather," specifically buying "high temperature" options with extremely low probability. After the two successful thefts, the funds were rapidly transferred through mixers and decentralized exchanges, drastically increasing the difficulty of on-chain tracking.

On one hand, there's a common household hairdryer with a retail price of less than 30 euros; on the other hand, there's a global climate prediction market with daily transaction volume exceeding 2 million US dollars—an extreme disparity between the cost and the benefits of an attack.

The anomalous data was first discovered by local French weather enthusiasts on the Infoclimat forum. The incident subsequently spread through the encrypted community to the English-speaking world, with French newspapers such as Le Monde and Le Figaro, as well as BFMTV, reporting on it. Polymarket has not issued any public statement regarding the matter, nor has it revoked the $34,000 reward already paid out.

A loophole in the rules: how can a six-figure prize be determined based on a single sensor reading?

The real protagonist of this incident is not so much the hairdryer, but rather the settlement rules of the Polymarket weather market.

Polymarket's weather marketplaces have seen rapid growth in recent years, with 173 active marketplaces currently covering temperature, precipitation, hurricanes, tornadoes, earthquakes, volcanoes, and even pandemics. The "Paris Daily High Temperature" marketplace, for example, uses a very simple settlement mechanism, locking its data source to readings from a specific weather station hosted on the Wunderground website.

Prior to this incident, this station was the Charles de Gaulle Airport Weather Station (code LFPG), providing temperatures accurate to whole degrees Celsius. Crucially, the market settled immediately after the data was finalized, "without considering any subsequent data revisions."

This last clause means that even if the French meteorological service later discovers the data anomalies and corrects the historical records, Polymarket will still continue to pay bonuses based on the original, contaminated readings. The rules are clearly written and strictly enforced.

The vulnerability is thus clearly presented in three points:

One issue is the single point of failure. The settlement of the entire six-figure prize pool relies entirely on the reading of a single sensor. Polymarket did not design a mechanism for multi-station weighting, redundant comparison, or outlier circuit breaking; the so-called "data source" is simply the metal probe next to the runway at Charles de Gaulle Airport.

Secondly, there's physical accessibility. The Charles de Gaulle Airport weather station is located near the edge of the runway and adjacent to a public area next to the road, meaning any ordinary person can walk within a few meters of the probe. This geographical detail transforms the theoretical possibility of "physical intervention" into a near-zero-cost practical operation.

Thirdly, there is the rigidity of the settlement mechanism. The ineffectiveness of post-attack revisions means that once an attack is completed, there is no possibility of "reversal." The rules ensure both the certainty of the settlement and the irreversibility of manipulation once it is successful.

Fibo Crypto analyst Victor has given this type of attack a rather technically elegant name: "physical oracle attack." Unlike previous "digital oracle attacks" that targeted UMA governance votes and manipulated oracle results through large-scale token voting, physical oracle attacks bypass the entire on-chain logic and directly affect the first kilometer of the data pipeline—the metal probe in the real world.

On April 17, two days after the incident was exposed, Polymarket quietly completed a rule change, switching the settlement data source for the Paris Weather Market from Charles de Gaulle Airport (LFPG) to Paris-Le Bourget Airport (LFPB). The switch was not accompanied by any official announcement, no public technical explanation, or response to the two manipulations that had already occurred.

Replacing the probe is much easier than publicly admitting the flaw. The Polymarket weather market was originally designed as a mirror, reflecting the market's collective judgment of the future. But when the image in the mirror is valuable enough, the odds are steep enough, and the probe is easily accessible enough, someone will always walk over with a €30 hairdryer and blow in the result they want.