TL;DR:
- Polymarket suffered an exploit linked to a compromised private key used in internal operations. Losses exceeded $600,000.
- Researcher ZachXBT identified the attack on the Polygon blockchain. Funds were drained from two smart contracts to an external address.
- The Polymarket team confirmed that user funds and market resolution remain safe, and that all permissions tied to the compromised key were revoked.
Polymarket confirmed it suffered a security exploit that affected part of its infrastructure on Polygon. According to statements from the development team published on X, the incident originated in the compromise of a six-year-old private key linked to internal fund top-up operations. The main contracts and core infrastructure were not affected.
Blockchain researcher ZachXBT was the first to identify the exploit, flagging suspicious activity in the UMA Conditional Tokens Framework (CTF) Adapter contract on Polygon. According to on-chain data shared by ZachXBT, more than $520,000 were drained from two smart contracts to an address attributed to the attacker.
We’re aware of the security reports linked to rewards payout. User funds and market resolution are safe.
Findings point to a private key compromise of a wallet used for internal top-up operations, not contracts or core infrastructure.
More updates to follow.
— Polymarket Developers (@PolymarketDevs) May 22, 2026
Josh Stevens, vice president of engineering at the platform, specified that the exploit was limited exclusively to that old private key used for internal top-up operations. Stevens indicated that all permissions associated with that key were revoked immediately.
Estimates on Polymarket’s Losses
Loss estimates were updated rapidly during the hours following the discovery. Blockchain data visualization platform Bubblemaps reported that the attacker was extracting approximately 5,000 POL tokens every 30 seconds. The platform Lookonchain estimated that the total amount stolen reached $660,000.
The UMA CTF Adapter contract functions as an oracle for the resolution of prediction markets on Polymarket through UMA’s Optimistic Oracle, a solution the platform integrated on February 3, 2022. Mudit Gupta, chief technology officer at Polygon Labs, confirmed that the contracts and user funds are safe, and described the incident as a market initializer issue with no impact on users.
Polymarket is the second-largest decentralized prediction market in the world, with a monthly trading volume of $3.7 billion according to DefiLlama.
