Polymarket Exploit Results in $600K Loss on Polygon
Severity: High (Score: 66.0)
Sources: Cryptorank, Cryptopolitan, Coinspeaker
Keywords: polymarket, incident, polygon, security, contract, zachxbt, adapter
Severity indicators: apt, breach
Summary
On May 22, 2026, an exploit of Polymarket’s UMA CTF Adapter contract on the Polygon network resulted in over $600,000 being drained. The attack was flagged by on-chain investigator ZachXBT, who indicated that the exploit occurred due to a compromised deployer address. The attacker drained approximately 5,000 POL tokens every 30 seconds, with confirmed losses reaching at least $520,000 initially. The exploit targeted the admin contract, allowing the attacker to withdraw collateral without needing custom exploits. This incident has raised concerns about the security of Polygon as a DeFi settlement layer, especially following a series of other DeFi hacks in May 2026. The attacker has dispersed the stolen funds across multiple wallets, indicating potential laundering efforts. Polymarket has not yet issued an official statement regarding the incident.

Key Points:
- Over $600,000 was drained from Polymarket's UMA CTF Adapter contract on Polygon.
- The exploit was facilitated by a compromised deployer address, allowing admin-level access.
- This incident is part of a broader trend of DeFi hacks, with 19 incidents reported in May 2026 alone.
Detailed Analysis
**Impact**
The exploit resulted in the theft of over $600,000 in Polygon (POL) tokens from Polymarket’s UMA CTF Adapter contract, affecting the prediction market platform’s collateral on the Polygon network. The attacker drained approximately 5,000 POL every 30 seconds, with confirmed losses exceeding $520,000 at the time of reporting. This incident impacts DeFi users relying on Polymarket’s Polygon-based services and contributes to the broader May 2026 DeFi sector losses, which total around $38.2 million from 19 hacks. The breach also risks reputational damage to Polygon as a settlement layer for high-profile DeFi applications.

**Technical Details**
The attack exploited an uninitialized or compromised upgradeable proxy admin contract for the UMA CTF Adapter on Polygon, allowing the attacker to perform admin-only calls and withdraw the entire collateral balance without exploiting the UMA optimistic oracle logic. The attacker’s address (0x8F98075db5d6C620e8D420A8c516E2F2059d9B91) received the stolen POL tokens and dispersed them across multiple wallets, indicating early-stage laundering. The breach likely involved key compromise or proxy initialization flaws rather than software vulnerabilities, consistent with prior 2026 DeFi hacks involving admin key theft and social engineering. Key IOCs include the attacker address and the intermediary address 0x65070BE9.

**Recommended Response**
Immediate actions include auditing and securing upgradeable proxy contracts to ensure proper initialization and access control, and reviewing admin key management practices to prevent compromise. Deploy monitoring for transactions involving the attacker and intermediary addresses, and watch for cross-chain bridging or mixing activities linked to the stolen funds. Polymarket and similar DeFi platforms should expedite bug bounty investigations and patch any identified vulnerabilities in the UMA CTF Adapter. No specific CVE patches are noted; focus should be on access control hardening and anomaly detection.
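As an added illustration of the monitoring step above (example code written for this page, not code from Polymarket, UMA or any of the source articles), the detector below runs over constructed sample transfers and flags the two patterns the report describes: a steady cadence of near-identical withdrawals from the contract to one address, and fan-out from that address across secondary wallets. The attacker address is the one quoted in the report; the adapter contract and wallet addresses are placeholders.

```python
from collections import defaultdict

ATTACKER = "0x8F98075db5d6C620e8D420A8c516E2F2059d9B91".lower()  # address named in the report
ADAPTER = "0xadapter_placeholder"  # placeholder: the adapter contract address is not in the report

# Constructed sample transfers: (unix_time, from_addr, to_addr, amount_pol). Not real chain data.
SAMPLE = [
    (1000, ADAPTER, ATTACKER, 5000.0),
    (1030, ADAPTER, ATTACKER, 5000.0),
    (1060, ADAPTER, ATTACKER, 5000.0),
    (1090, ADAPTER, ATTACKER, 5000.0),
    (1100, "0xuser1", ADAPTER, 250.0),           # unrelated deposit, must not be flagged
    (1120, ADAPTER, ATTACKER, 5000.0),
    (1200, ATTACKER, "0xwallet_a", 9000.0),      # dispersal, first hop
    (1210, ATTACKER, "0xwallet_b", 8000.0),
    (1220, ATTACKER, "0xwallet_c", 8000.0),
    (1300, "0xwallet_a", "0xwallet_d", 9000.0),  # second hop
]

def periodic_drains(transfers, source, sink, max_gap=45, tolerance=0.05, min_count=3):
    """Detect a steady cadence of near-identical withdrawals from source to sink.
    Returns (count, total) when at least min_count transfers arrive no more than
    max_gap seconds apart with amounts within tolerance of the first one, else None."""
    hits = sorted((t, a) for t, f, to, a in transfers if f == source and to == sink)
    if len(hits) < min_count:
        return None
    base = hits[0][1]
    for (t0, _), (t1, a) in zip(hits, hits[1:]):
        if t1 - t0 > max_gap or abs(a - base) > tolerance * base:
            return None
    return len(hits), sum(a for _, a in hits)

def fan_out(transfers, origin, hops=2):
    """Follow outgoing transfers from origin for up to `hops` hops.
    Returns {hop_number: set_of_newly_reached_addresses}."""
    out = defaultdict(set)
    for _, f, to, _ in transfers:
        out[f].add(to)
    frontier, seen, layers = {origin}, {origin}, {}
    for h in range(1, hops + 1):
        frontier = {to for f in frontier for to in out[f]} - seen
        if not frontier:
            break
        layers[h] = frontier
        seen |= frontier
    return layers

def watchlist_hits(transfers, watch):
    """Return every transfer whose sender or receiver is on the watchlist (case-insensitive)."""
    w = {a.lower() for a in watch}
    return [x for x in transfers if x[1].lower() in w or x[2].lower() in w]
```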
Source articles (3)
- Polymarket Smart Contract Breached: Will POL USD Crash? — Coinspeaker · 2026-05-22
  ZachXBT flags a $600K exploit of Polymarket’s UMA CTF Adapter on Polygon. Analysis of POL price implications, ecosystem risk, and what the incident means for DeFi security in May 2025. Polygon’s reput…
- Polymarket security incident drains $520K in Polygon tokens — Cryptopolitan · 2026-05-22
  A Polymarket security incident drained more than $520,000 in collateral from the platform’s UMA CTF Adapter contract on Polygon on May 22, 2026. On-chain investigator ZachXBT flagged the incident in a…
- Polymarket Confirms User Funds Safe After Exploit, Core Infrastructure Unaffected — Cryptorank · 2026-05-22
  Polymarket confirmed a breach limited to an internal operations wallet after a private key exposure, with an attacker draining 5,000 POL every 30 seconds for a total of roughly $520,000 in stolen POL…
Timeline
- 2026-05-22 — Polymarket exploit flagged: ZachXBT reported an exploit of Polymarket’s UMA CTF Adapter, draining over $600K.
- 2026-05-22 — Initial losses confirmed: Confirmed losses reached at least $520,000, with the attacker draining funds rapidly.
- 2026-05-22 — Funds dispersed across wallets: The attacker began dispersing stolen funds across 15 wallets, indicating laundering efforts.
Related entities
- Data Breach (Attack Type)
- Magic Labs (Tool)
- Polymarket (Company)
- UMA (Company)
- Ethereum (Company)
- Polygon (Company)
- CWE-862 - Missing Authorization (Cwe)
- cryptopolitan.com (Domain)
- 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91 (Eth)
- Bitcoin Hyper (Platform)
- Bitcoin Layer 2 (Platform)
- Solana Virtual Machine (Platform)