# Security Audit Report: Polymarket Smart Money Analyzer

**Extension ID:** `cocnhjgkdpjfkaphifacpoalnpbcbdag`
**Version:** 1.0.0
**Audit Date:** January 17, 2026
**Auditor:** Claude Opus 4.5

---

## Executive Summary

| Category | Finding |
|----------|---------|
| **Overall Risk** | LOW - Extension appears safe |
| **Private Key Access** | NONE detected |
| **External Server Communication** | NONE - Only official Polymarket API |
| **Known Malicious Patterns** | NONE detected |
| **Obfuscation** | NONE - Code is readable |

---

## 1. Files Analyzed

| File | Lines | Purpose |
|------|-------|---------|
| manifest.json | 22 | Extension configuration |
| content.js | 431 | Main extension logic |
| popup.js | 62 | Popup status display |
| popup.html | 191 | Popup UI |
| content.css | 67 | Injected styles |

---

## 2. Permissions Analysis

### Requested Permissions (manifest.json)

```json
"permissions": ["activeTab", "scripting"],
"host_permissions": ["https://polymarket.com/*"]
```

| Permission | Risk | Justification |
|------------|------|---------------|
| `activeTab` | LOW | Standard permission for popup interaction |
| `scripting` | LOW | Required to inject content script, limited to polymarket.com |
| `host_permissions: polymarket.com/*` | LOW | Domain-restricted, cannot access other sites |

### Permissions NOT Requested (Good Signs)

- `storage` - No persistent data storage
- `cookies` - No cookie access
- `webRequest` / `webRequestBlocking` - No request interception
- `<all_urls>` or `*://*/*` - No broad access
- `tabs` - No access to other tabs
- `history` - No browsing history access
- `clipboardRead/Write` - No clipboard access

---

## 3. Network Communications

### API Endpoints Used

**Single endpoint found in content.js:24:**
```javascript
const url = `https://data-api.polymarket.com/v1/leaderboard?timePeriod=all&orderBy=VOL&limit=1&offset=0&category=overall&user=${walletAddress}`;
```

| Aspect | Finding |
|--------|---------|
| **Domain** | `data-api.polymarket.com` (Official Polymarket API) |
| **Protocol** | HTTPS only |
| **Data Sent** | Public wallet addresses (extracted from visible page links) |
| **Data Received** | Public PnL leaderboard statistics |

### External Servers Contacted

| Server | Found |
|--------|-------|
| Third-party analytics | NO |
| External APIs | NO |
| Cryptocurrency nodes | NO |
| Telemetry services | NO |
| Advertisement networks | NO |

---

## 4. Sensitive Data Access Analysis

### Private Keys / Wallet Secrets

**RESULT: NOT ACCESSED**

Searched for patterns:
- `privateKey`, `private_key`, `privKey` - NOT FOUND
- `seed`, `mnemonic`, `recovery` - NOT FOUND
- `keystore`, `wallet.dat` - NOT FOUND
- MetaMask/wallet extension access - NOT FOUND
- `window.ethereum` - NOT FOUND
- `eth_sign`, `personal_sign` - NOT FOUND

### Storage Access

| Storage Type | Accessed |
|--------------|----------|
| localStorage | NO |
| sessionStorage | NO |
| chrome.storage | NO |
| IndexedDB | NO |
| Cookies | NO |

### Form Data / Credentials

**RESULT: NOT ACCESSED**

- No input field reading
- No form interception
- No credential harvesting code

---

## 5. Known Malicious Extension Patterns Check

### Code Injection Techniques

| Pattern | Found | Notes |
|---------|-------|-------|
| `eval()` | NO | |
| `new Function()` | NO | |
| `document.write()` | NO | |
| `innerHTML` with user data | NO | Uses safe `textContent` |
| Dynamic script injection | NO | |
| `setTimeout/setInterval` with string arg | NO | |

### Obfuscation Techniques

| Pattern | Found | Notes |
|---------|-------|-------|
| Base64 encoded code (`atob`/`btoa`) | NO | |
| Hex-encoded strings | NO | |
| String splitting/joining | NO | |
| Variable name obfuscation | NO | Code uses clear names |
| Webpack/minification | NO | Clean, readable source |
| Packed/encrypted code | NO | |

### Data Exfiltration Patterns

| Pattern | Found | Notes |
|---------|-------|-------|
| XMLHttpRequest to unknown domains | NO | |
| fetch() to non-Polymarket servers | NO | |
| WebSocket connections | NO | |
| Image pixel tracking | NO | |
| Form POST to external servers | NO | |
| navigator.sendBeacon | NO | |

### Clipboard Hijacking

| Pattern | Found | Notes |
|---------|-------|-------|
| `navigator.clipboard` | NO | |
| `document.execCommand('copy')` | NO | |
| Crypto address replacement | NO | |

### Keylogging / Input Capture

| Pattern | Found | Notes |
|---------|-------|-------|
| `keydown`/`keyup`/`keypress` listeners | NO | |
| Input field monitoring | NO | |
| Form submission interception | NO | |

### Cryptojacking

| Pattern | Found | Notes |
|---------|-------|-------|
| WebAssembly mining | NO | |
| CoinHive/similar scripts | NO | |
| High CPU usage patterns | NO | |

### Background Persistence

| Pattern | Found | Notes |
|---------|-------|-------|
| Background service worker | NO | Not in manifest |
| Persistent connections | NO | |
| chrome.runtime.onStartup | NO | |
| chrome.alarms | NO | |

---

## 6. Code Behavior Analysis

### What the Extension Actually Does

1. **Injects a button** on Polymarket event pages (content.js:277-369)
2. **Finds holder sections** ("Yes holders" / "No holders") in the DOM (content.js:72-151)
3. **Extracts wallet addresses** from visible profile links using regex `/profile/(0x[a-fA-F0-9]+)` (content.js:51)
4. **Fetches public PnL data** from official Polymarket API for top 15 holders per side (content.js:22-44)
5. **Displays aggregated results** as styled spans next to section titles (content.js:154-222)

### Rate Limiting

The extension includes a 100ms delay between API requests (content.js:66), indicating responsible API usage.

### DOM Manipulation Safety

- Uses `createElement()` and `textContent` (safe)
- Does NOT use `innerHTML` with dynamic content
- No XSS vulnerabilities detected
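The five-step flow, the 100ms pacing and the `textContent` rendering above, written out as an added example (this is not the extension's code): the profile regex and endpoint are taken from the report, while the leaderboard response shape (`rows[0].pnl`), the injected `fetchFn`/`sleepFn`, and the stricter 40-hex-digit address check are this example's own assumptions.

```javascript
// Added example, not the extension's own code: the extract -> look up -> render
// flow the report describes, as plain functions that run without a browser.
// The API response shape (rows[0].pnl) and all inputs are assumed/constructed.
const PROFILE_RE = /\/profile\/(0x[a-fA-F0-9]+)/;  // the regex quoted in the report
const ADDRESS_RE = /^0x[a-fA-F0-9]{40}$/;          // stricter: a full 20-byte address
const MAX_HOLDERS = 15;
const REQUEST_DELAY_MS = 100;

// Unique wallet addresses from profile hrefs, in page order, capped at 15.
// Only full-length addresses pass, so a truncated link never reaches the API.
function extractAddresses(hrefs) {
  const seen = new Set();
  for (const href of hrefs) {
    const m = PROFILE_RE.exec(href);
    if (!m || !ADDRESS_RE.test(m[1])) continue;
    seen.add(m[1].toLowerCase());
    if (seen.size === MAX_HOLDERS) break;
  }
  return [...seen];
}

// Same endpoint as the report's content.js:24; the address is validated hex,
// but encoding it keeps the query intact if validation is ever loosened.
function leaderboardUrl(address) {
  return "https://data-api.polymarket.com/v1/leaderboard?timePeriod=all&orderBy=VOL" +
    `&limit=1&offset=0&category=overall&user=${encodeURIComponent(address)}`;
}

// Sequential lookups with a fixed pause between requests. fetchFn and sleepFn
// are injected so the flow can be exercised offline.
async function fetchPnl(addresses, fetchFn, sleepFn) {
  const results = [];
  for (let i = 0; i < addresses.length; i++) {
    if (i > 0) await sleepFn(REQUEST_DELAY_MS);
    const res = await fetchFn(leaderboardUrl(addresses[i]));
    const rows = await res.json();
    results.push({ address: addresses[i], pnl: Number(rows[0]?.pnl ?? 0) });
  }
  return results;
}

// The aggregate text a content script would assign to span.textContent (never
// innerHTML), so nothing returned by the API is ever parsed as markup.
function summaryText(results) {
  const profitable = results.filter((r) => r.pnl > 0).length;
  const net = results.reduce((sum, r) => sum + r.pnl, 0);
  return `${profitable}/${results.length} profitable, net PnL ${net.toFixed(2)}`;
}
```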

---

## 7. External Links in Extension

Found in popup.html:

| URL | Purpose | Risk |
|-----|---------|------|
| `https://polymarket.com/profile/0x0d6eC6B50D943aa477D4cd88E0B28B91a03054Cf` | Developer tip jar | LOW - optional |
| `https://muskmeter.live` | Developer's other project | LOW - external link only |

---

## 8. Manifest V3 Compliance

The extension uses Manifest V3 (the latest and most secure manifest version):

- No remote code execution capability
- Content scripts explicitly declared
- No `webRequestBlocking` (deprecated in V3)
- Update URL is official Chrome Web Store: `https://clients2.google.com/service/update2/crx`

---

## 9. Comparison with Known Malicious Extensions

### Common Malicious Extension Behaviors NOT Present

| Malicious Behavior | Present |
|--------------------|---------|
| Stealing cryptocurrency private keys | NO |
| Replacing crypto addresses in clipboard | NO |
| Injecting ads into pages | NO |
| Redirecting searches | NO |
| Tracking browsing history | NO |
| Stealing login credentials | NO |
| Installing additional malware | NO |
| Mining cryptocurrency | NO |
| Sending data to C2 servers | NO |
| Session hijacking | NO |
| Cookie theft | NO |

---

## 10. Potential Concerns (Minor)

### Information Disclosure

The extension reveals which wallet addresses you view on Polymarket to the Polymarket API. However:
- This is public information already visible on the page
- Requests go only to official Polymarket servers
- No third-party tracking

### Developer Identity

- Developer: "YourLostMojo"
- Tip wallet: `0x0d6eC6B50D943aa477D4cd88E0B28B91a03054Cf`
- Associated site: muskmeter.live

---

## 11. Recommendations

### For Users

1. **Safe to use** - No malicious code detected
2. Extension only works on polymarket.com
3. Does not access wallets, private keys, or credentials
4. All API calls go to official Polymarket servers

### For Future Updates

Monitor for:
- New permissions added
- New external domains
- Background service workers
- Storage API usage
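The four things to monitor, turned into an added re-audit helper (this is not the extension's or the auditor's code): the baseline manifest values come from section 2 of this report and the indicator list from the appendix; the host allowlist, the `reaudit` function name and all sample inputs are this example's own assumptions.

```javascript
// Added example, not the extension's code: a re-audit helper for the checks the
// report asks future reviewers to repeat. The audited manifest values come from
// the report; the allowlist, patterns and sample inputs are this example's own.
const AUDITED_MANIFEST = {
  manifest_version: 3,
  permissions: ["activeTab", "scripting"],
  host_permissions: ["https://polymarket.com/*"],
};

const ALLOWED_HOSTS = new Set(["polymarket.com", "data-api.polymarket.com"]); // audited hosts

// Indicators from the report's appendix that should stay absent from the source.
const RISKY_PATTERNS = [
  /\beval\s*\(/, /\bnew\s+Function\s*\(/, /\batob\s*\(/,
  /\blocalStorage\b/, /\bsessionStorage\b/, /\bchrome\.storage\b/,
  /\bWebSocket\b/, /\bsendBeacon\b/, /\bnavigator\.clipboard\b/,
  /\bwindow\.ethereum\b/, /\bchrome\.cookies\b/,
];

// Flag what changed between the audited manifest and a newer one.
function diffManifest(oldM, newM) {
  const added = (key) =>
    (newM[key] || []).filter((p) => !(oldM[key] || []).includes(p));
  return {
    newPermissions: added("permissions"),
    newHostPermissions: added("host_permissions"),
    backgroundAdded: !oldM.background && Boolean(newM.background),
    manifestVersionChanged: oldM.manifest_version !== newM.manifest_version,
  };
}

// Every http(s) host referenced in the source that is not on the allowlist.
function externalHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  return [...hosts].filter((h) => !ALLOWED_HOSTS.has(h));
}

// Which of the risky indicators now appear in the source.
function riskyHits(source) {
  return RISKY_PATTERNS.filter((re) => re.test(source)).map((re) => re.source);
}

// One call per release: anything non-empty or true here warrants a manual look.
function reaudit(newManifest, source) {
  return { ...diffManifest(AUDITED_MANIFEST, newManifest),
           externalHosts: externalHosts(source), riskyHits: riskyHits(source) };
}
```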

---

## 12. Conclusion

**VERDICT: SAFE**

This Chrome extension is a legitimate tool that:
- Analyzes publicly available PnL data from Polymarket's official API
- Has minimal, appropriate permissions
- Contains no obfuscated or malicious code
- Does not access private keys, credentials, or sensitive data
- Does not communicate with servers outside of Polymarket

The code is clean, readable, and does exactly what it claims to do.

---

## Appendix: Full Code Search Results

### Searched Patterns (All Negative)

```
privateKey, private_key, seed, mnemonic - NOT FOUND
eval, Function, atob, btoa - NOT FOUND
localStorage, sessionStorage, chrome.storage - NOT FOUND
XMLHttpRequest (only fetch to data-api.polymarket.com) - SAFE
innerHTML (not used with dynamic content) - SAFE
keydown, keypress, keyup - NOT FOUND
clipboard, execCommand - NOT FOUND
WebSocket, wss:// - NOT FOUND
background, service_worker - NOT FOUND
chrome.cookies - NOT FOUND
```

---

*Report generated by Claude Opus 4.5*
