A contract exploit on Polymarket's UMA CTF Adapter on Polygon cost the platform nearly $700,000 this week. On-chain investigator ZachXBT first flagged the breach, and security analyst Ox Abdul later detailed the attack. The incident did not affect user funds or market outcomes, but it exposed a lingering vulnerability tied to a six-year-old private key.
What the attacker did
The attacker drained over $600,000 in USDC from a wallet identified as 0x8F98, which served as the UMA CTF Adapter Admin. Then, over roughly 70 minutes, they repeatedly stole 5,000 POL every 30 seconds for about 120 cycles, netting approximately 600,000 POL. The exploit stopped only after Polymarket rotated its keys and revoked the compromised permissions.
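A fixed amount leaving one wallet on a steady timer, as described above, is a pattern a monitoring job can alert on long before 120 cycles complete. The following Python is an added example, not code from Polymarket or from the original article; the addresses, timestamps and thresholds (`min_cycles`, `jitter`) are constructed assumptions.

```python
from collections import defaultdict

def _runs(stamps, jitter):
    """Split sorted timestamps into maximal runs whose gaps stay near the first gap."""
    run = [stamps[0]]
    for ts in stamps[1:]:
        if len(run) == 1 or abs((ts - run[-1]) - (run[1] - run[0])) <= jitter:
            run.append(ts)
        else:
            yield run
            run = [run[-1], ts]  # the break point may start a new cadence
    yield run

def find_periodic_drains(transfers, min_cycles=10, jitter=5):
    """Flag equal-amount outflows from one wallet that repeat on a steady timer.

    transfers: iterable of (unix_ts, sender, token, amount).
    Recipients are ignored on purpose, so rotating destinations does not hide a run.
    """
    groups = defaultdict(list)
    for ts, sender, token, amount in transfers:
        groups[(sender, token, amount)].append(ts)
    alerts = []
    for (sender, token, amount), stamps in groups.items():
        for run in _runs(sorted(stamps), jitter):
            if len(run) >= max(min_cycles, 2):
                alerts.append({
                    "sender": sender, "token": token, "amount": amount,
                    "cycles": len(run),
                    "period_s": round((run[-1] - run[0]) / (len(run) - 1)),
                    "total": amount * len(run),
                })
    return alerts

# Constructed sample data: placeholder wallet name, made-up timestamps.
T0 = 1_700_000_000
SAMPLE = (
    # the reported pattern: 5,000 POL about every 30 s, 120 times (with 0-2 s jitter)
    [(T0 + 30 * i + i % 3, "0xTOPUP_WALLET", "POL", 5000) for i in range(120)]
    # routine hourly top-ups: regular, but too few cycles to alert
    + [(T0 + 3600 * i, "0xTOPUP_WALLET", "POL", 100) for i in range(4)]
    # irregular one-off payments
    + [(T0 + 17, "0xTOPUP_WALLET", "POL", 250), (T0 + 9000, "0xTOPUP_WALLET", "POL", 75)]
)

if __name__ == "__main__":
    for alert in find_periodic_drains(SAMPLE):
        print(alert)
```

With the default `min_cycles=10`, the constructed drain would trip the alert about five minutes in, after 50,000 POL rather than 600,000.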
Why the exploit happened
The compromised admin wallet carried 'resolveManually' rights on the UMA Adapter. In theory, that could have let an attacker force any market outcome, though that power wasn't used. Polymarket developer Josh Stevens blamed the incident on a six-year-old private key that remained in an internal top-up configuration. The key has been rotated and its permissions revoked, and the company is moving to KMS-managed keys to prevent a repeat.
Congressional scrutiny
Separately, Rep. James Comer, chairman of the House Oversight Committee, launched a formal investigation into Polymarket and rival prediction market Kalshi. The inquiry focuses on whether the platforms have adequate measures to prevent insider trading. No specific allegations have been made public, but the probe adds a regulatory dimension to an already tense week for the sector.
Japan expansion in the works
In a move that predates the exploit, Polymarket appointed a representative in Japan and stated its intention to secure government approval for prediction markets there by 2030. The timeline suggests a long-term bet on regulated growth, even as the platform deals with immediate security and political headaches.




