A trader manipulated a Paris weather sensor, likely with a hairdryer, to win Polymarket bets on the city’s daily high temperature.
Key Takeaways
On April 15, one trader made $21,000 betting the max temperature would not hit 18C, after odds had priced that outcome at 99.6% probability.
April 6 appears to have been a test run, with less favorable odds; April 15 was the main event.
Polymarket’s Paris temperature market sourced data from a specific sensor, making the oracle a direct attack surface.
After the manipulation, Polymarket’s data source for Paris’s hottest temperature shifted to the Paris-Le Bourget airport sensor.
Winners have not been required to return their payouts.
Hacker News Comment Review
Commenters flagged that oracle manipulation is the core exploit class: any prediction market tied to a single physical sensor is as secure as that sensor’s physical perimeter.
The Paris case is seen as small-scale proof-of-concept; Colorado farmers ran a structurally identical scheme against federal crop insurance via rain gauge tampering, resulting in a $6.5 million fraud conviction.
Moving the data source to Le Bourget is not a fix – it just relocates the target, and commenters expect the pattern to repeat until sensors are hardened or multi-sourced.
Notable Comments
@ambicapter: points out the negative externality – repeated attacks will force accurate weather infrastructure into a “fortified compound” to stay reliable.
@happyopossum: notes that in a physical red-team scenario, parabolic mirrors heating the sensor from distance would be more practical and harder to detect than a hairdryer.
@ikeboy: describes making ~$40k on a CO2 prediction market by finding a near-real-time data source while competitors used a 12-hour-delayed feed – information arbitrage, not manipulation, but the same oracle-edge dynamic.
