Polymarket Hit By $700K Exploit: What We Know And Why Experts Say It Could Have Been Worse

Polymarket came under attack earlier on Friday after a contract exploit drained more than $600,000 in crypto. Despite the size of the theft, multiple security analysts emphasized that user funds and market outcomes were not impacted. 

One expert even argued that the incident could have been significantly worse if additional controls in the compromised contract had been used.

The Polymarket Attack

According to on-chain sleuth ZacXBT’s findings on the matter, he flagged a suspected exploit involving Polymarket’s UMA CTF Adapter contract on Polygon (POL). At the time of reporting, the total figure associated with the exploit had climbed to nearly $700,000. 

The breakdown of how the exploit functioned was later detailed by security expert Ox Abdul. In his explanation, the first key point was that the USDC amount—over $600,000—appeared to be a one-time drain taken from a specific wallet on Polygon, identified as 0x8F98, the UMA CTF Adapter Admin.

Ox Abdul also described how Polymarket’s automation appears to have contributed to the exploit mechanics. He said Polymarket’s top-up system was repeatedly sending 5,000 POL about every 30 seconds to keep an oracle gas wallet funded. 

Rather than stealing once, the attacker waited for each refill and then swept it for roughly 120 cycles over the course of about 70 minutes, which he estimated as around 600,000 POL. 

Importantly, the continued POL losses, in this account, were attributed to how quickly Polymarket’s detection and response happened. The exploit was ultimately stopped after the keys were rotated.

How The Exploit Could Have Been Worse

After draining the refills, Ox Abdul said the exploiter then exited via 16 sub-addresses using ChangeNOW. Even with the damage limited, he warned that the situation had potential red flags beyond the theft itself. 

In his view, the compromised admin wallet was not only holding USDC and POL; it also carried “resolveManually rights” on the UMA Adapter. Those manual resolution permissions, he explained, could bypass the oracle and allow an attacker to force any market outcome on Polymarket.

Ox Abdul laid out what “worse” could have looked like in practical terms. He said the attacker could have taken large positions in specific markets, then flagged those markets for manual resolution, waited out the roughly one-hour safety window, and finally used resolveManually to resolve markets in favor of their positions. 

Following the incident, Josh Stevens, a leading developer at Polymarket, later provided additional context via social media. Stevens attributed the issue to a compromised 6-year-old private key, explaining that it was included in an internal top-up configuration—so funds were being sent to the key while it remained active. 

He added that the key has been rotated, all production permissions have been revoked, and the company is moving all private keys to KMS-managed keys going forward.

While the technical incident was unfolding, Polymarket was also dealing with regulatory scrutiny on Friday. As Bitcoinist reported, Rep. James Comer, chairman of the House Oversight and Government Reform Committee, announced a formal investigation into prediction market platforms Polymarket and Kalshi. 

Comer said the committee is seeking information from the CEOs of both companies regarding their efforts to prevent insider trading on their platforms. 

In his letter, he requested documents and details on how both platforms implement identity verification for domestic and international account holders, enforces geographic restrictions, and detect anomalous trading activity to help prevent insider trading across their global platforms. 

In a separate development, Bloomberg reported that Polymarket has appointed a representative in Japan while preparing to lobby for authorization of prediction markets in the country. According to sources cited in the report, Polymarket’s goal is to obtain government approval in Japan by 2030.

Featured image created with OpenArt, chart from TradingView.com