Polymarket Blames Private-Key Leak for $600K POL Drain, Not a Hack of Core Contracts

Polymarket said a compromised private key in a wallet used for internal top-ups caused Wednesday's rapid drain of POL tokens, not a breach of its smart contracts or core infrastructure. The incident, initially flagged as a possible hack by on-chain sleuths, saw roughly $600,000 leave the platform in under an hour.

Alarms from on-chain investigators

At 08:22 UTC, blockchain investigator ZachXBT warned that a Polymarket admin address on Polygon appeared compromised, with over $520,000 already drained. Less than half an hour later, analytics firm Bubblemaps reported that attackers were pulling about 5,000 POL every 30 seconds and advised users to pause activity on the prediction-market site. Bubblemaps initially described the event as a contract exploit.

On-chain data shows a transaction at 09:01:19 UTC that moved 5,000 POL into a Polymarket-labeled UMA CTF Adapter Admin address, followed by a transfer of 4,999.994 POL to an address later tagged by PolygonScan as 'Polymarket Adapter Exploiter 1' — 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91.
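The top-up-then-sweep pattern described above (5,000 POL arriving, 4,999.994 POL leaving moments later, repeated about every 30 seconds) is something a wallet operator can monitor for. The following is an added example, not code from the article or from Polymarket: the transfers are constructed, and the placeholder addresses, the 60-second window, the 99% ratio and the three-repeat threshold are all assumptions.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample transfers (not real chain data): (unix_ts, sender, recipient, amount_pol).
# "0xTOPUP", "0xADMIN", "0xPAYEE" and "0xUNKNOWN" are placeholder labels, not real addresses.
SAMPLE = [
    (1000, "0xTOPUP", "0xADMIN", Decimal("5000")),
    (1004, "0xADMIN", "0xUNKNOWN", Decimal("4999.994")),
    (1030, "0xTOPUP", "0xADMIN", Decimal("5000")),
    (1033, "0xADMIN", "0xUNKNOWN", Decimal("4999.994")),
    (1060, "0xTOPUP", "0xADMIN", Decimal("5000")),
    (1062, "0xADMIN", "0xUNKNOWN", Decimal("4999.994")),
    (1090, "0xTOPUP", "0xADMIN", Decimal("5000")),
    (1200, "0xADMIN", "0xPAYEE", Decimal("12.5")),  # ordinary small payout
]

def find_sweeps(transfers, wallet, allowlist, window_s=60, ratio=Decimal("0.99")):
    """Pair each inflow to `wallet` with the first outflow that forwards >= `ratio`
    of it to a non-allowlisted address within `window_s` seconds."""
    sweeps, pending = [], None
    for ts, src, dst, amt in sorted(transfers):
        if dst == wallet:
            pending = (ts, amt)  # latest top-up still waiting for a matching outflow
        elif src == wallet and pending:
            in_ts, in_amt = pending
            if dst not in allowlist and ts - in_ts <= window_s and amt >= in_amt * ratio:
                sweeps.append((in_ts, ts, dst, amt))
                pending = None
    return sweeps

def drain_alerts(sweeps, min_repeats=3):
    """Return {recipient: (sweep_count, total_pol)} for recipients of repeated sweeps."""
    counts = Counter(dst for _, _, dst, _ in sweeps)
    return {d: (n, sum(a for _, _, x, a in sweeps if x == d))
            for d, n in counts.items() if n >= min_repeats}

if __name__ == "__main__":
    found = find_sweeps(SAMPLE, "0xADMIN", allowlist={"0xPAYEE"})
    print(drain_alerts(found))
```

A single forwarded top-up can be legitimate; the alert condition is the repetition toward one unexpected recipient, which is what separates a drain from routine payouts.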

What actually happened

Polymarket later clarified that the incident was an operational security failure, not a flaw in its contracts. The company said a private key for a wallet used to handle reward-payout reports was compromised. Software engineer Shantikiran Chanal stated that user funds and market resolution are safe, and the issue was tied to the rewards payout system, not the core platform.

The distinction matters: a contract exploit would imply a vulnerability in the code that anyone could exploit, while a private-key compromise is a narrower breach limited to one internal account. Polymarket's explanation contradicted Bubblemaps' initial 'contract exploit' framing.

What remains unsettled

As of Wednesday evening, the final loss amount, the full list of affected addresses, and any remediation steps had not been fully disclosed. Bubblemaps' estimate of $600,000 and ZachXBT's $520,000 figure both track the same event, but the exact tally depends on how much the attacker managed to convert or move before the wallet was locked down.

The attacker address remains active on Polygon, and no arrests or additional warnings from Polymarket have been issued. Users who held POL in connected wallets — or who relied on the top-up service — are waiting for a complete accounting of what was taken and whether any of it can be recovered.