Polymarket lost $660K in a private key compromise affecting its UMA CTF Adapter, while user funds and active positions remain safe.
Author: Akshat Thakur
22nd May 2026 – Attackers drained an estimated $660,000 in $POL from a Polymarket UMA CTF Adapter contract on Polygon after compromising an old private key.
High Signal Summary For A Quick Glance
Whale Insider
@WhaleInsider
JUST IN: Polymarket contract appears to be exploited and attacker is stealing funds. More than $660,000 has already been stolen - ZachXBT. https://t.co/L0DQTwfVm3
09:04 AM·May 22, 2026
Lookonchain
@lookonchain
Warning: #Polymarket's contract appears to be exploited, and the attacker is stealing funds. So far, more than $660K has already been stolen. Source: @zachxbt https://t.co/WXvRwtWEFs https://t.co/sIa0FWEEzo
09:01 AM·May 22, 2026
Bubblemaps
@bubblemaps
ALERT: 🚨 Polymarket contract exploited Attackers are removing 5,000 $POL every 30 seconds – $600k stolen so far Pause all Polymarket activity for now https://t.co/DpqOp5ggVj
08:51 AM·May 22, 2026
High attention and emotional sentiment detected.
On-chain investigator ZachXBT first flagged the suspicious activity around 08:30 GMT on May 22. Within minutes, analytics firm Bubblemaps confirmed the drain and identified the attacker’s wallet. Polymarket VP of Engineering Josh Stevens responded publicly around 09:01 GMT, confirming the team was investigating.
The attacker used a compromised private key linked to the UMA CTF Adapter Admin contract. This is the contract that handles oracle resolution and dispute functions for Polymarket’s prediction markets.
Using the key, the attacker signed legitimate-looking withdrawal transactions. Each transaction pulled roughly 5,000 $POL at intervals of about 30 seconds. The pattern suggests the process was automated or batched.
According to Bubblemaps’ on-chain analysis, the attacker’s primary address is 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91. Polygonscan labeled it “Polymarket Adapter Exploiter 1.” The attacker split funds across roughly 15 addresses. Some were routed toward mixers and swap services like ChangeNOW.
Stevens was quick to clarify that this was not a smart-contract exploit. “We are investigating this but is not a contract hack this looks like a very old PK which has been compromise – we working on it,” he wrote on X.
That distinction matters. The Polymarket adapter drained because of a key management failure, not a code vulnerability like reentrancy or access-control bugs. The attacker simply had the authority to call the contract’s withdrawal functions with a valid key.
The adapter contract (0x91430CaD2d3975766499717fA0D66A78D814E5c5) dropped to near zero, with roughly 1 $POL remaining. A related funding source contract (0x871D7c0f9E19001fC01E04e6cdFa7fA20f929082) had repeatedly sent ~5,000 $POL batches that the attacker immediately swept.
The UMA CTF Adapter is isolated from Polymarket’s core platform. It handles oracle resolutions and disputes for prediction markets built on the Conditional Tokens Framework. User deposits, active bets, and collateral sit in separate contracts.
According to community analysis and Stevens’ statement, the incident did not affect user betting positions. The core Polymarket platform continued operating throughout.
Bubblemaps still recommended caution. “Pause all Polymarket activity for now,” the firm tweeted at 08:51 GMT, citing $600,000 stolen at that point. The precautionary advice aimed to limit secondary risk until the team fully secured its infrastructure.
The incident unfolded rapidly on the morning of May 22, 2026 (all times GMT). ZachXBT flagged suspicious repeated withdrawals between 08:30 and 08:40. Bubblemaps issued a public alert with the attacker’s address at 08:51. Stevens confirmed the old private-key compromise around 09:01.
By approximately 09:20 to 09:26, multiple reports indicated the drain had slowed or stopped entirely. The adapter’s balance sat near zero.
As of the latest data, no full articles from CoinDesk, The Block, Bloomberg, or Decrypt had been published. Coverage came primarily from on-chain analysts and real-time X posts.
Timeline of the Polymarket rewards-wallet compromise and investigation (May 22, 2026)
Repeated 5,000 POL outflows are observed from infrastructure linked to Polymarket’s UMA CTF Adapter ecosystem. Early estimates place losses above $500K.
Security researchers warn that attackers are draining POL at regular intervals, prompting calls to avoid Polymarket activity until more details emerge.
Observers report assets splitting into multiple addresses, with some movement toward swap services and laundering infrastructure. Estimated losses climb above $600K.
A senior engineering response suggests the incident stems from compromise of an old private key rather than a vulnerability in contracts or core protocol infrastructure.
Major outflows diminish as affected balances near depletion. Community members continue advising caution despite no formal platform pause.
Polymarket states user collateral, markets, and resolution systems remain unaffected. Findings point toward compromise of an internal rewards top-up wallet.
No protocol-wide pause is announced. Teams continue securing infrastructure while preparing further details, including final loss estimates and a postmortem.
Polymarket has faced prior security challenges. In February 2026, the platform dealt with an off-chain/on-chain synchronization flaw. Third-party authentication vulnerabilities also compromised some user accounts in earlier incidents.
Private key compromises remain among the most common attack vectors in crypto. A leaked key gives an attacker the same authority as the legitimate holder, unlike smart-contract exploits that teams can sometimes patch. Old keys without active monitoring pose a particular danger.
The incident also raises questions about key rotation and operational security at major DeFi platforms. A drained infrastructure component erodes trust, even when user funds sit in isolated contracts.
Several questions remain open. Analysts are still tallying the exact final amount as they track fund movements across 15+ receiving addresses. Identifying the attacker or recovering the funds remains difficult, especially with some routed through mixers.
Polymarket has not disclosed the root cause of the key compromise. It could stem from an old wallet exposure, a leak, or outright theft. The team has not confirmed whether other contracts or keys face similar risks.
The team has not announced any compensation plans, though the drained funds came from the adapter’s operational balance rather than user-deposited collateral.
The Polymarket team is actively working on remediation, according to Stevens. Key rotation, contract migration, and a full post-mortem are the likely next steps.
For now, community sentiment reflects relief that user positions appear safe, mixed with concern over the operational lapse. Users should avoid new trades or interactions until Polymarket confirms full security restoration.
The adapter is drained. The platform is standing. The next critical step is a full post-mortem explaining how the key leaked and what Polymarket will change to prevent a repeat.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
Bags Hackathon Winner GSD Cloud Rugs for $500K
Polymarket Adapter Drained of $660K via Old Key Compromise
Butter Bridge Exploit Mints 1 Quadrillion MAPO Tokens
Parents Love Funeral Firm Loses $33M on Leveraged ETF Bet
Bags Hackathon Winner GSD Cloud Rugs for $500K
Polymarket Adapter Drained of $660K via Old Key Compromise
Butter Bridge Exploit Mints 1 Quadrillion MAPO Tokens
Parents Love Funeral Firm Loses $33M on Leveraged ETF Bet
