Daily Crypto News & Musings

Polymarket Exploit Drains $700K, Raising Fears of Market Manipulation


Polymarket got hit by a contract exploit that drained more than $600,000 in crypto, with losses climbing close to $700,000, but the real scare was what could have happened if the attacker had twisted market resolution permissions.

  • Losses: more than $600K drained, nearly $700K total
  • Target: Polymarket’s UMA CTF Adapter on Polygon
  • Main risk: compromised resolution rights could have manipulated outcomes
  • Response: keys rotated, permissions revoked, KMS migration planned
  • Pressure: fresh U.S. scrutiny over prediction market controls

The incident hit on Friday and was flagged on-chain by investigator ZacXBT. Security analyst Ox Abdul later broke down the mechanics, saying the attacker did not pull off a flashy one-and-done theft. Instead, the exploit focused on Polymarket’s automation setup, repeatedly sweeping the wallet refills as they arrived.

According to Abdul, Polymarket’s system was sending 5,000 POL roughly every 30 seconds to fund an oracle gas wallet. The attacker then swept those refills for about 120 cycles over roughly 70 minutes, draining around 600,000 POL. That is less “elite hacker movie” and more “someone found an open tap and let it run while the kitchen flooded.” Ugly, repetitive, and preventable.
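As an added illustration (not code from the article or from Polymarket), here is a defender-side check over constructed transfer records that pairs each gas-wallet top-up with the outbound transfer that follows it and trips a circuit breaker when the same destination repeatedly drains the refills. Addresses, amounts, lag and thresholds are assumed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int          # block timestamp, unix seconds
    sender: str
    receiver: str
    amount: float    # POL


# Constructed sample (placeholder addresses, not real on-chain values):
# a funder wallet refills a gas wallet every 30s and an unknown address
# sweeps each refill within seconds, plus one legitimate small gas spend.
FUNDER, GAS_WALLET, SWEEPER = "0xFUNDER", "0xGASWALLET", "0xSWEEPER"
SAMPLE_TRANSFERS = []
for i in range(5):
    t0 = 1_700_000_000 + 30 * i
    SAMPLE_TRANSFERS.append(Transfer(t0, FUNDER, GAS_WALLET, 5000.0))
    SAMPLE_TRANSFERS.append(Transfer(t0 + 4, GAS_WALLET, SWEEPER, 4999.5))
SAMPLE_TRANSFERS.append(Transfer(1_700_000_020, GAS_WALLET, "0xORACLE", 0.3))


def refill_sweep_cycles(transfers, funder, gas_wallet, max_lag=30, tolerance=0.02):
    """Pair each refill into gas_wallet with the first outbound transfer that
    follows it within max_lag seconds and moves (almost) the whole refill."""
    outs = sorted((t for t in transfers if t.sender == gas_wallet), key=lambda t: t.ts)
    cycles = []
    for r in (t for t in transfers if t.sender == funder and t.receiver == gas_wallet):
        for o in outs:
            if r.ts <= o.ts <= r.ts + max_lag and abs(o.amount - r.amount) <= tolerance * r.amount:
                cycles.append((r, o))
                break
    return cycles


def should_pause_topups(cycles, min_cycles=3, window=600):
    """Circuit breaker: True when min_cycles refills inside `window` seconds
    were swept to the same destination. Normal gas spending is many small
    outflows; repeated near-total sweeps to one address are an open tap."""
    by_dest = {}
    for r, o in cycles:
        by_dest.setdefault(o.receiver, []).append(r.ts)
    for dest, stamps in by_dest.items():
        stamps.sort()
        for i in range(len(stamps) - min_cycles + 1):
            if stamps[i + min_cycles - 1] - stamps[i] <= window:
                return True, dest
    return False, None
```

In a live deployment the same check would sit in the top-up automation itself, so the funder stops refilling after the third matched sweep instead of running for 120 cycles.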

The attack centered on Polymarket’s UMA CTF Adapter contract on Polygon (POL). For readers who don’t live and breathe smart contracts: an adapter like this is part of the plumbing that helps prediction markets settle outcomes using oracle data. An oracle is the system that brings outside information on-chain so the contract can decide who wins and who loses. If that plumbing gets compromised, the whole setup starts looking a lot less like decentralized finance and a lot more like expensive trust theater.

The damage was serious, but it was contained after keys were rotated and the attack was stopped. That containment matters. User funds and market outcomes were reportedly not directly affected. In crypto, “it could have been worse” gets thrown around like confetti, but here it actually applies.

The reason this incident set off alarms was not just the drain itself. The real danger was that the compromised wallet reportedly had “resolveManually rights”, meaning it may have had permission to manually resolve markets. In plain English: someone with that access could potentially bypass the oracle and force a market outcome.

That is the line prediction markets cannot afford to cross. Theft hurts. But manipulated settlement destroys confidence at the core. If traders think outcomes can be forced by a compromised admin path, the market stops being a credible market and starts becoming a rigged casino with prettier graphs.

“could have been significantly worse”

Ox Abdul said exactly that, and he wasn’t exaggerating. A few hundred thousand dollars stolen is bad enough. A compromise of market resolution logic would be a trust-killer. For a prediction market, trust is the product. Lose that, and the rest is just UI decoration.

Polymarket developer Josh Stevens later explained that the issue involved a compromised 6-year-old private key used in an internal top-up configuration. That detail is depressingly familiar across crypto security failures. It is often not some genius zero-day that sinks a project. It is old credentials, sloppy access control, and automation that was given too much rope. The most dangerous hack is sometimes just bad housekeeping with a blockchain logo.

“a compromised 6-year-old private key”

Stevens said the key was rotated, production permissions were revoked, and Polymarket plans to move all private keys to KMS-managed keys going forward. KMS stands for Key Management Service, a more secure way to store and manage private keys than leaving them scattered through fragile internal systems. It is not a cure-all, but it is a lot better than the crypto version of hiding the spare key under the doormat.

“all production permissions have been revoked”

“moving all private keys to KMS-managed keys going forward”

Reports also say the attacker routed funds through ChangeNOW using 16 sub-addresses, which looks like a standard attempt to split and blur the trail. That’s a common laundering tactic after crypto thefts: break the funds into smaller pieces, scatter them across addresses, and hope chain analysts get bored. They usually do not.

The timing could hardly be more awkward for Polymarket. The platform is now facing fresh regulatory heat, with Rep. James Comer announcing a formal investigation into Polymarket and Kalshi. The House Oversight and Government Reform Committee wants answers on insider trading prevention, identity verification, geographic restrictions, and anomalous trading detection.

That is regulators’ way of asking whether prediction markets are serious financial infrastructure or just gambling rails wearing a compliance costume. There is a real case for prediction markets as useful tools for price discovery and crowd intelligence. They can surface probabilities more honestly than cable news pundits and their sacred “gut feelings.” But that only works if the system is fair, secure, and hard to game.

Now the stakes are bigger than one exploit. If prediction markets are going to be treated like legitimate financial venues, they need cleaner controls than the average DeFi project running on duct tape and optimism. Congress noticing is a sign that these platforms are no longer fringe experiments. That also means the usual crypto sloppiness gets punished harder.

Bloomberg also reported that Polymarket has appointed a representative in Japan and is seeking approval for prediction markets there by 2030. So even while dealing with a security incident and political scrutiny, the company is still pushing for expansion. That is either confidence or stubbornness, depending on your mood and your tolerance for risk.

There is a broader lesson here for crypto infrastructure: the easiest way to get wrecked is to give old keys and internal wallets more power than they should ever have. Over-permissioned systems are the silent killers of Web3. They do not usually look dramatic until the money is gone or, worse, the market itself is bent out of shape.

And that is what makes this Polymarket exploit more important than a simple six-figure drain. The theft was bad. The possibility of forced market resolution was the real red flag. In prediction markets, credibility is everything. Once users stop believing outcomes are clean, the whole machine starts to rot from the inside.

  • What happened in the Polymarket hack?
    A contract exploit drained more than $600,000 in crypto, with total losses nearing $700,000. The attack targeted Polymarket’s UMA CTF Adapter on Polygon.
  • Were user funds affected?
    Security analysts said user funds and market outcomes were not directly affected. The problem was contained after keys were rotated.
  • How did the exploit work?
    The attacker repeatedly drained automatic wallet top-ups, sweeping about 5,000 POL every 30 seconds across roughly 120 cycles.
  • Why was this more dangerous than a normal theft?
    The compromised wallet reportedly had “resolveManually rights,” which could have allowed an attacker to force market outcomes and undermine trust in prediction market resolution.
  • What is a KMS-managed key?
    A KMS-managed key is stored and handled through a secure Key Management Service, reducing the chance of private key compromise.
  • How did Polymarket respond?
    The team rotated keys, revoked production permissions, and said it will move all private keys to KMS-managed keys going forward.
  • Why are regulators watching Polymarket and Kalshi?
    U.S. lawmakers want answers on insider trading prevention, identity verification, geographic restrictions, and systems for detecting suspicious trading.
  • Is Polymarket still expanding?
    Yes. Bloomberg reported that the company has appointed a representative in Japan and is seeking approval there by 2030.