Summary
The public predictions-markets endpoint executes 12 Polymarket search queries on every request, aggregates them, and returns up to 60 markets without authentication, request shaping, or provider-failure controls.
Evidence
- https://github.com/Juliusolsson05/pharos-ai/blob/main/src/app/api/v1/predictions/markets/route.ts#L6-L10 hardcodes 12 search terms.
- https://github.com/Juliusolsson05/pharos-ai/blob/main/src/app/api/v1/predictions/markets/route.ts#L50-L57 runs all 12 requests in parallel via Promise.allSettled.
- https://github.com/Juliusolsson05/pharos-ai/blob/main/src/app/api/v1/predictions/markets/route.ts#L74-L98 sorts and returns up to 60 aggregated markets in the public response.
- The route has no auth check, no caller quota, and no explicit timeout or circuit breaker around the upstream fetches.
Why this matters
- Every anonymous request fans out into a fixed upstream workload.
- Burst traffic turns the endpoint into a provider-amplification surface and increases app latency under load.
- Because the route feeds a live, intelligence-style view, a stale snapshot or a partially failed upstream fetch can silently distort what users see as the "market view."
Attack or failure scenario
A client polls the endpoint aggressively or a link is embedded in a high-traffic page. Each hit launches 12 external searches and full aggregation work. Upstream responses slow, application latency spikes, and the route becomes a recurring cost and reliability hotspot.
Root cause
A convenience aggregation route was exposed publicly as if it were a cheap cache read, even though it is implemented as a fixed high-fan-out fetch pipeline.
Recommended fix
- Add server-side caching or scheduled snapshots so the route does not refetch on every anonymous request.
- Add request quotas and concurrency control.
- Bound upstream latency with explicit timeouts and degrade visibly when partial data is returned.
- Consider moving the heavy aggregation step to background refresh rather than request time.
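The following is an added example of the fix pattern described above, not code from the pharos-ai repository. It is framework-agnostic so it can run outside Next.js: the route handler would call `get()` on the fetcher and serialize the returned snapshot. The names `SearchFn`, `MarketSnapshot`, `FetcherOptions` and `buildSnapshotFetcher`, and the idea that a market is identified by `id` and ranked by `volume`, are assumptions for illustration. It combines the recommended controls in one place: a TTL cache with in-flight coalescing (so a burst of cache misses triggers one upstream refresh, not one per request), a bounded concurrency limit and a per-search timeout, and a response contract that marks partial results explicitly via `partial` and `failedTerms`.

```typescript
// Added example (not pharos-ai project code): a cached, bounded aggregation
// pipeline for a public fan-out endpoint. All names here are illustrative.

export type Market = { id: string; title: string; volume: number };
// One upstream search; the AbortSignal lets a real fetch() be cancelled on timeout.
export type SearchFn = (term: string, signal: AbortSignal) => Promise<Market[]>;

export type MarketSnapshot = {
  markets: Market[];
  partial: boolean;      // true when at least one search failed or timed out
  failedTerms: string[]; // which searches did not contribute, so clients can show it
  fetchedAt: number;     // epoch ms of the upstream refresh that produced this snapshot
  fromCache: boolean;
};

export type FetcherOptions = {
  terms: string[];
  perRequestTimeoutMs: number;
  maxConcurrency: number;
  cacheTtlMs: number;
  maxMarkets: number;
  now?: () => number; // injectable clock (assumed here for testability)
};

// Run fn over items with at most `limit` calls in flight at once.
async function mapWithConcurrency<T, R>(items: T[], limit: number, fn: (item: T) => Promise<R>): Promise<R[]> {
  const results: R[] = new Array(items.length);
  let next = 0;
  async function worker(): Promise<void> {
    while (next < items.length) {
      const i = next++;
      results[i] = await fn(items[i]);
    }
  }
  await Promise.all(Array.from({ length: Math.min(limit, items.length) }, worker));
  return results;
}

// Wrap one search with a hard deadline; a timeout is recorded as a failure of that term.
async function searchWithTimeout(search: SearchFn, term: string, timeoutMs: number):
    Promise<{ term: string; markets?: Market[]; error?: string }> {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const markets = await Promise.race<Market[]>([
      search(term, controller.signal),
      new Promise<Market[]>((_, reject) =>
        controller.signal.addEventListener("abort", () => reject(new Error("timeout")))),
    ]);
    return { term, markets };
  } catch (e) {
    return { term, error: e instanceof Error ? e.message : String(e) };
  } finally {
    clearTimeout(timer);
  }
}

export function buildSnapshotFetcher(search: SearchFn, opts: FetcherOptions) {
  const now = opts.now ?? (() => Date.now());
  let cached: MarketSnapshot | null = null;
  let inFlight: Promise<MarketSnapshot> | null = null;
  let upstreamCalls = 0; // counter a load test can assert on

  async function refresh(): Promise<MarketSnapshot> {
    const results = await mapWithConcurrency(opts.terms, opts.maxConcurrency, (term) => {
      upstreamCalls++;
      return searchWithTimeout(search, term, opts.perRequestTimeoutMs);
    });
    const byId = new Map<string, Market>();
    const failedTerms: string[] = [];
    for (const r of results) {
      if (!r.markets) { failedTerms.push(r.term); continue; }
      for (const m of r.markets) byId.set(m.id, m); // dedupe across overlapping searches
    }
    const markets = [...byId.values()].sort((a, b) => b.volume - a.volume).slice(0, opts.maxMarkets);
    return { markets, partial: failedTerms.length > 0, failedTerms, fetchedAt: now(), fromCache: false };
  }

  return {
    // Serve from the snapshot while it is fresh; coalesce concurrent misses into one refresh.
    async get(): Promise<MarketSnapshot> {
      if (cached && now() - cached.fetchedAt < opts.cacheTtlMs) return { ...cached, fromCache: true };
      if (!inFlight) inFlight = refresh().finally(() => { inFlight = null; });
      cached = await inFlight;
      return cached;
    },
    upstreamCalls: () => upstreamCalls,
  };
}
```

In a route handler the snapshot's `partial` and `failedTerms` fields should be returned to the client rather than dropped, and the `upstreamCalls` counter gives a load test a direct way to check the "bounded upstream call counts" acceptance criterion; a scheduled job can call `get()` on a timer so that request-time calls almost always hit the cache.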
Acceptance criteria
- Anonymous requests do not trigger 12 live upstream searches per call.
- Route behavior remains stable under burst traffic.
- Partial upstream failure is visible in the response contract.
- Load tests demonstrate bounded latency and upstream call counts.
Suggested labels
- reliability
- performance
- bug
- production-readiness
Priority
P1 (High)
Severity
High — the route exposes a public, fixed-cost fan-out pipeline that scales poorly and can silently degrade user-facing market intelligence.
Confidence
Confirmed — the route’s 12-query parallel fetch pattern is explicit in source.