A dormant operational wallet tied to Polymarket's resolution infrastructure on Polygon was drained on May 22 after an attacker obtained its six-year-old private key. The incident, initially flagged by on-chain investigator ZachXBT, cost the prediction market platform an estimated $600,000 to $700,000 — mostly in POL, Polygon's native token. But the company stressed that user funds were never at risk and no smart contracts were exploited.
What happened — and what didn't
The compromised wallet was an externally owned account used by a backend “refiller” service that had been dormant. The attacker gained control of the private key and began siphoning funds. Automated transfers of roughly 5,000 POL every 30 seconds flowed from the compromised internal addresses to the attacker's wallet (0x8F98075db5d6C620e8D420A8c516E2F2059d9B91), which then routed the stolen tokens to exchanges and mixing services, including ChangeNOW.
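A defender-side detection sketch for the pattern described above (a long-dormant operational key that suddenly emits fixed-size transfers at a fixed cadence to one fresh recipient), added here as an illustration and not Polymarket's own monitoring; the ledger rows, addresses, timestamps and thresholds are all constructed.

```python
from statistics import median

# Constructed sample ledger for a hypothetical ops wallet. Timestamps are unix
# seconds, amounts are whole POL, and every address is a placeholder.
OPS_WALLET = "0xOPS_WALLET_PLACEHOLDER"
ATTACKER = "0xATTACKER_PLACEHOLDER"
T0 = 1_747_900_000  # constructed epoch at which the burst starts

SAMPLE_TRANSFERS = [
    # one legitimate send four years ago, then silence
    {"ts": T0 - 4 * 365 * 86400, "from": OPS_WALLET, "to": "0xMARKET_INIT", "amount": 120},
    # the drain: same amount, same recipient, every 30 seconds
    *[{"ts": T0 + 30 * i, "from": OPS_WALLET, "to": ATTACKER, "amount": 5000} for i in range(6)],
]

def _runs(outs, max_interval_s):
    """Split time-ordered outbound transfers into runs of rapid, same-recipient sends."""
    run = []
    for t in outs:
        if run and (t["to"] != run[-1]["to"] or t["ts"] - run[-1]["ts"] > max_interval_s):
            yield run
            run = []
        run.append(t)
    if run:
        yield run

def detect_dormant_drain(transfers, account, dormancy_days=365, min_streak=3, max_interval_s=60):
    """Return an alert dict when `account` was quiet for at least `dormancy_days`
    and then sent `min_streak`+ near-identical amounts to one recipient at a
    steady cadence; otherwise return None."""
    outs = sorted((t for t in transfers if t["from"] == account), key=lambda t: t["ts"])
    for run in _runs(outs, max_interval_s):
        if len(run) < min_streak:
            continue
        prev = [t for t in outs if t["ts"] < run[0]["ts"]]
        quiet_s = run[0]["ts"] - prev[-1]["ts"] if prev else None  # None: no history held
        if quiet_s is not None and quiet_s < dormancy_days * 86400:
            continue  # recently active account; not the dormant-key pattern
        gaps = [b["ts"] - a["ts"] for a, b in zip(run, run[1:])]
        amounts = [t["amount"] for t in run]
        if max(amounts) - min(amounts) > 0.05 * median(amounts):
            continue  # varying amounts look like manual use, not scripted draining
        return {"recipient": run[0]["to"], "count": len(run), "total": sum(amounts),
                "median_interval_s": median(gaps),
                "dormant_days": None if quiet_s is None else quiet_s // 86400}
    return None

if __name__ == "__main__":
    print(detect_dormant_drain(SAMPLE_TRANSFERS, OPS_WALLET))
```

Feeding such an alert into the same pipeline that gates key use would have surfaced this drain within the first two or three transfers rather than after an external investigator flagged it.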
Early reports called the incident an “exploit,” but Polymarket product lead Mustafa Aljadery and others corrected the record: the code was never broken. The UMA CTF Adapter — an audited piece of the resolution stack — was not touched. Polygon CTO Mudit Gupta confirmed that the compromised component was Polymarket's market initializer, and that there was no impact to users or contracts.
Why the old key mattered
The private key was roughly six years old and had been sitting dormant. Polymarket uses Gnosis Conditional Tokens and UMA’s optimistic oracle; the UMA CTF Adapter has undergone OpenZeppelin audits and was not compromised. The drained wallets were operationally adjacent to the resolution stack, but the adapter itself remained untouched.
“The CTF contract was not exploited,” Aljadery stated. “The drained address was an internal ops wallet.”
What Polymarket did next
Once the breach was detected, the platform rotated the leaked key, revoked permissions, and migrated the affected service to key management through AWS KMS. Active markets, share-redemption logic, and core Polymarket contracts continued working normally throughout the incident. The loss was entirely on Polymarket’s own operational treasury — no user funds were ever in danger.
Gupta explained that the compromised component was the market initializer, and that the fix was straightforward: replace the old key with proper key management.
Unresolved questions
Polymarket has not disclosed how the attacker obtained the six-year-old private key. The platform said it has rotated the key and migrated to KMS, but the investigation into the initial compromise is ongoing. The attacker's wallet remains active, and funds have been moving through mixing services, making recovery unlikely.