Risk Level
HIGH
File
core/src/exchanges/polymarket/auth.ts
Findings
- Line 143:
const address = this.signerAddress!; — used to call the Polymarket profiles API; crashes if wallet not initialized before discoverProxy() is called
- Line 263:
const signerAddress = this.signerAddress!; — used as fallback address when building the CLOB client; crashes if signer was never set
- Line 298:
return this.credentials.funderAddress || this.signerAddress!; — getFunderAddress() silently crashes at runtime if both funder and signer are absent
- Line 305:
return this.signerAddress!; — getAddress() crashes instead of returning a meaningful error
Unsafe as casts (same file):
- Line 163:
proxyAddress: this.discoveredProxyAddress as string — discoveredProxyAddress is typed as string | undefined; if discovery fails and the fallback branch is not reached, this produces undefined disguised as string
- Line 164:
signatureType: this.discoveredSignatureType as number — same issue for the signature type
What Happens When It's Wrong
An un-initialized PolymarketAuth instance (e.g., credentials object missing privateKey) crashes with:
TypeError: Cannot read properties of undefined
at the first authenticated API call, with no actionable error message.
Suggested Fix
Add an initialization guard or throw a descriptive error early:
if (!this.signerAddress) throw new Error('[polymarket] Wallet not initialized — privateKey or provider required');
Replace as string / as number casts with explicit checks after the assignment block:
if (!this.discoveredProxyAddress || this.discoveredSignatureType === undefined) {
  throw new Error('[polymarket] Proxy discovery incomplete');
}
Found by automated non-null assertion audit
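The two suggested fixes, combined in one runnable sketch. This is an added example, not the project's auth.ts: the class name AuthSketch, the setDiscovery helper and the sample addresses are hypothetical, and only the field names and error prefixes follow the report.

```typescript
// Added sketch, not the project's auth.ts: AuthSketch and setDiscovery are hypothetical.
interface Credentials { privateKey?: string; funderAddress?: string }

class AuthSketch {
  private credentials: Credentials;
  private signerAddress: string | undefined;
  private discoveredProxyAddress: string | undefined;
  private discoveredSignatureType: number | undefined;

  constructor(credentials: Credentials, signerAddress?: string) {
    this.credentials = credentials;
    this.signerAddress = signerAddress;
  }

  // Demo helper: records whatever proxy discovery produced (possibly nothing).
  setDiscovery(proxy?: string, sigType?: number): void {
    this.discoveredProxyAddress = proxy;
    this.discoveredSignatureType = sigType;
  }

  // Audited pattern: `!` is erased by the compiler, so undefined leaves typed as string.
  unsafeGetAddress(): string {
    return this.signerAddress!;
  }

  // Single choke point that fails fast with an actionable message.
  private requireSigner(): string {
    if (!this.signerAddress) {
      throw new Error('[polymarket] Wallet not initialized: privateKey or provider required');
    }
    return this.signerAddress;
  }

  getAddress(): string { return this.requireSigner(); }

  getFunderAddress(): string {
    return this.credentials.funderAddress || this.requireSigner();
  }

  // The check narrows both fields, so no `as string` / `as number` cast is needed.
  // `=== undefined` (not `!x`) keeps a signature type of 0 valid.
  getProxyInfo(): { proxyAddress: string; signatureType: number } {
    const proxyAddress = this.discoveredProxyAddress;
    const signatureType = this.discoveredSignatureType;
    if (!proxyAddress || signatureType === undefined) {
      throw new Error('[polymarket] Proxy discovery incomplete');
    }
    return { proxyAddress, signatureType };
  }
}
```

The unsafe accessor hands back undefined without throwing, so the failure surfaces later at whichever call first dereferences it; the guarded accessors fail at the point of misuse instead.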