Polymarket became the focus of a fast-moving security scare after early onchain alerts described attackers removing 5,000 POL roughly every 30 seconds from infrastructure linked to the platform’s Polygon operations.
The first public warnings framed the issue as a possible contract exploit, with Bubblemaps warning that about $600,000 had been stolen and urging users to pause Polymarket activity while the drain was active. A later Bubblemaps update placed the exploited amount near $700,000, said suspected withdrawals had stopped, and noted that Polymarket had narrowed the incident to internal operations rather than user balances.
The affected token was POL, the Polygon ecosystem token formerly known as MATIC. POL is trading near $0.0915, which puts the early 5,000 POL withdrawals at roughly $460 per transfer and helps explain how repeated transfers could climb into a six-figure loss within a short window.
The first security reports centered on Polymarket’s UMA CTF Adapter area on Polygon, a part of the broader infrastructure used around prediction-market settlement. Onchain investigators tied the activity to attacker address 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91, while two drained addresses were identified in later security coverage. Some funds were reportedly split across multiple wallets and partially routed through ChangeNOW, which can make recovery and tracing harder.
The incident lands during a period of heavy attention on Polymarket’s market structure. The platform has been expanding beyond political and crypto-native event markets, including private-company prediction markets tied to Nasdaq Private Market data, while also facing closer scrutiny around market integrity, oracle design and user protection.
Polymarket Narrows Scope To Internal Wallet Key
The latest available clarification makes the incident materially different from the first alarm. The affected activity was tied to rewards payout operations, while user funds and market resolution remain safe. Early findings point to a private-key compromise of a wallet used for internal operations, not a vulnerability in Polymarket’s contracts or core infrastructure.
That distinction matters. A private-key compromise means an attacker obtained signing control over an operational wallet. A smart contract exploit would mean the contract logic itself failed. The first outcome is still serious because operational wallets can hold real funds and permissions, but it does not automatically mean user deposits, open positions or settlement contracts were drained.
UMA also amplified the same clarification, reinforcing that the issue was being treated as an internal-wallet problem rather than a protocol-wide failure. Polygon Labs CTO Mudit Gupta separately wrote that Polymarket contracts and user funds were safe, with the incident appearing to involve a compromised market initializer rather than an attack that affected users or contracts.
The remaining unknowns are still important. Polymarket has not yet provided a full incident report explaining how the private key was compromised, which permissions the wallet controlled, whether all affected services have been rotated, whether any funds can be recovered, and whether additional monitoring or reimbursement steps will follow.
Users do not need to treat the latest update as proof that every risk has disappeared. The sharper reading is that the incident has narrowed from a feared platform-wide exploit into an internal operations-wallet breach. Until the final postmortem is public, traders should watch for revoked permissions, rotated addresses, recovery updates, confirmation that the reward system is fully patched, and any follow-up disclosure on the final POL loss figure.
Polymarket’s first containment message has reduced the worst-case scenario, but the operational questions remain concrete: the final drained amount, the attacker’s wallet trail, any exchange or swap-service freezes, the source of the private-key exposure, and the control changes made before normal reward activity resumes.
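The drain pattern reported above (equal 5,000 POL transfers leaving one wallet about every 30 seconds) is the kind of signal that outbound-transfer monitoring on an operational wallet can catch. The following is an added example, not Polymarket's code: the wallet labels, thresholds and sample transfers are constructed placeholders, and the POL price is the figure quoted in this article.

```python
from collections import defaultdict
from dataclasses import dataclass

POL_USD = 0.0915  # price quoted in the article

@dataclass
class Alert:
    sender: str
    recipient: str
    count: int
    total_pol: float
    first_ts: int
    last_ts: int

def detect_drains(transfers, watched, min_repeats=5, max_gap_s=60):
    """Flag runs of equal-size outbound transfers from watched wallets.

    transfers: iterable of (unix_ts, sender, recipient, amount_pol).
    A run is min_repeats or more transfers with the same sender, recipient
    and amount, each at most max_gap_s after the previous one.
    """
    groups = defaultdict(list)
    for ts, sender, recipient, amount in transfers:
        if sender in watched:
            groups[(sender, recipient, amount)].append(ts)
    alerts = []
    for (sender, recipient, amount), stamps in groups.items():
        stamps.sort()
        run = [stamps[0]]
        for ts in stamps[1:] + [None]:  # None flushes the final run
            if ts is not None and ts - run[-1] <= max_gap_s:
                run.append(ts)
                continue
            if len(run) >= min_repeats:
                alerts.append(Alert(sender, recipient, len(run),
                                    amount * len(run), run[0], run[-1]))
            run = [ts]
    return alerts

# Constructed sample: one drain-like run plus ordinary payout traffic.
T0 = 1_700_000_000
OPS = "0xOPS_WALLET_PLACEHOLDER"  # hypothetical label, not a real address
SAMPLE = (
    [(T0 + 30 * i, OPS, "0xUNKNOWN_RECIPIENT", 5000.0) for i in range(12)]
    + [(T0 + 7, OPS, "0xUSER_1", 12.5), (T0 + 95, OPS, "0xUSER_2", 40.0)]
    + [(T0 + 3600 * i, OPS, "0xUSER_3", 5000.0) for i in range(3)]
    + [(T0 + 30 * i, "0xOTHER_WALLET", "0xUSER_4", 5000.0) for i in range(8)]
)
if __name__ == "__main__":
    for a in detect_drains(SAMPLE, {OPS}):
        print(a, f"~${a.total_pol * POL_USD:,.0f}")
```

In production the amounts would be integer base units read from Transfer events rather than floats, and an alert would feed a pause or key-rotation runbook rather than a print statement.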



