Polymarket, a decentralized prediction market platform, lost $700,000 after an exploit targeted an internal wallet the company uses to top up user accounts. The company said user funds are safe and that its core contracts and infrastructure were not touched.
The 'Internal Top-Up' wallet
The drained wallet wasn't part of Polymarket's main smart contracts — it was an internal account used to quickly add funds to users' balances. That distinction matters. While $700,000 disappeared from that wallet, the platform's underlying code and user-held assets were never at risk, according to Polymarket.
The exploit didn't break any of the core prediction-market logic. Instead, it took advantage of a specific operational wallet. That means no user lost money from their own accounts, and the platform's market resolution system stayed intact.
User funds confirmed safe
Polymarket publicly confirmed that customer funds were not affected. The company's statement didn't detail how the attacker got access or whether any stolen funds have been recovered. But the message was clear: the core product kept running and users' money stayed put.
The timing matters. Polymarket has grown rapidly over the past year, handling large volumes of bets on events like U.S. elections. A breach that hit user funds would have damaged trust. This one didn't — but it still exposed a vulnerability in the platform's operational setup.
Polymarket hasn't announced specific changes to its wallet security or whether it plans to pursue recovery of the stolen funds. The exploit raises a question the company hasn't answered: how did an attacker access an internal wallet in the first place? For now, the platform is operating as usual, and users can keep trading on prediction markets without worrying about their own balances. But the underlying security gap remains unresolved.
