An attack uncovered by on-chain investigator ZachXBT led to the theft of more than $700,000 worth of POL tokens from an operational wallet linked to Polymarket’s UMA CTF Adapter contract on the Polygon network. The attack remained active for hours.
How the attack unfolded
ZachXBT detected that 5,000 POL tokens were being withdrawn every 30 seconds from a wallet connected to Polymarket’s UMA CTF Adapter infrastructure. The loss was initially reported at $520,000, but quickly rose above $660,000. In the following hours, the figure was confirmed to have exceeded $700,000.
According to PeckShield, which identified two drained addresses, the attacker transferred part of the stolen funds to a crypto swap service called ChangeNOW. The attacker’s wallet was labeled “Polymarket Adapter Exploiter 1” on PolygonScan.
The stolen funds were later distributed across at least 15 separate wallet addresses. The main attacker address was recorded as 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91, while the other two drained addresses were identified as 0x871D…9082 and 0xf61e…4805.
Not a smart contract exploit, but a private key compromise
In the first hours after the incident, there were claims that a smart contract vulnerability may have been involved. However, Polymarket’s engineering team clarified the situation in a Discord statement. The company said its findings pointed not to a contract issue, but to the compromise of a private key belonging to an internal operations wallet. In other words, the problem was not in the platform’s core infrastructure, but in access control.
Polymarket’s UMA CTF Adapter is used to connect prediction markets to UMA’s Optimistic Oracle. The adapter enables the resolution of markets built on the Conditional Tokens Framework. From a technical standpoint, the attack did not target this integration layer itself, but the credentials of the wallet managing it.
Market reaction
During the attack, the UMA token price fell from $0.477 to $0.462, marking a decline of around 3.3%. POL, meanwhile, saw a more limited impact. This divergence suggests that market participants were able to interpret the scope of the attack correctly: the main risk was related to UMA’s oracle infrastructure, while Polygon’s base layer continued to operate without issues.
Polymarket was reported to have closed a $400 million funding round in April 2026 at a valuation of roughly $15 billion. The company was also known to have received a $600 million strategic investment from Intercontinental Exchange, the parent company of the New York Stock Exchange, in recent months. This made the timing of the attack particularly notable.
Independent confirmations
After ZachXBT’s initial warning, Bubblemaps, Lookonchain and PeckShield independently confirmed the attack. Bubblemaps urged users to suspend all Polymarket-related transactions. Santiment also tracked on-chain data in real time and updated the estimated losses.
Are user funds safe?
Polymarket emphasized that the attack affected an operational wallet, not the platform’s main infrastructure. User funds were said to be safe. However, the company had not issued a formal written statement, and communication appeared to be limited to Discord channels.
On-chain security analysts are advising users not to deposit new funds into the platform until Polymarket releases a comprehensive explanation. They also recommend closely monitoring positions linked to the UMA CTF Adapter.
