Polymarket, the world’s second-largest prediction market platform, suffered a security breach affecting its UMA Conditional Tokens Framework Adapter contract on Polygon, with attackers draining over $600,000 in funds. Blockchain investigators flagged the exploit on Friday, May 22, 2026, as ongoing token transfers continued to an attacker-controlled wallet at a rate of approximately 5,000 POL every 30 seconds. Polymarket’s engineering team attributed the breach to a compromised six-year-old private key used for internal top-up operations, not user-facing functions.

How a Legacy Key Exposed Oracle Infrastructure

The exploit targeted Polymarket’s integration with UMA’s optimistic oracle solution, which the platform adopted in February 2022 to resolve prediction markets. The compromised private key, dormant for six years, retained permissions on the UMA CTF Adapter contract despite no longer being in active use. Josh Stevens, VP of Engineering at Polymarket, confirmed that all permissions tied to the key have been revoked. The breach did not affect user funds or core market resolution mechanisms, according to the platform’s statement. This separation—between administrative infrastructure and user-facing systems—likely prevented larger losses.

Drainage Continues as Investigators Track Flow

ZachXBT initially flagged $520,000 in stolen funds on Friday morning. By 9:01 am UTC, Lookonchain estimated the total drained amount at $660,000, while Bubblemaps reported ongoing token transfers to the attacker wallet. The discrepancy between estimates reflects real-time drainage rather than measurement error. Polymarket processes $3.7 billion in monthly trading volume, making the $600,000+ loss material but contained relative to platform scale. No official statement has been issued by UMA, and the attacker’s identity remains unconfirmed. Recovery prospects for stolen funds have not been disclosed.
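The steady outflow described above (roughly 5,000 POL every 30 seconds to one wallet) is the kind of pattern an on-chain monitor can flag early. The following is an added example written for this article, not code from Polymarket, UMA, or any of the investigators named; the transfer records are constructed, the contract and wallet addresses are placeholders, and the record fields and thresholds are assumptions. It groups outflows from a watched contract by recipient and reports recipients that receive many transfers at a near-constant cadence adding up to a large total.

```python
"""Added example: detect repeated, evenly spaced outflows from a privileged
contract to a single recipient. Sample transfers are constructed; addresses
are placeholders and the field names are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Transfer:
    block_time: int  # unix seconds (constructed)
    src: str         # sending contract
    dst: str         # recipient
    amount: float    # token units


# Constructed sample: eight 5,000-token outflows 30 s apart to one wallet,
# plus two unrelated small transfers to other recipients.
ADAPTER = "0xADAPTER_PLACEHOLDER"
RECIPIENT_A = "0xRECIPIENT_A"
SAMPLE = (
    [Transfer(1_000_000 + 30 * i, ADAPTER, RECIPIENT_A, 5_000.0) for i in range(8)]
    + [
        Transfer(1_000_010, ADAPTER, "0xRECIPIENT_B", 12.5),
        Transfer(1_000_100, ADAPTER, "0xRECIPIENT_C", 40.0),
    ]
)


def find_drain_patterns(transfers, src, min_count=5, max_jitter=0.2, min_total=10_000.0):
    """Return {recipient: (count, total, median_gap_seconds)} for recipients of
    at least `min_count` transfers from `src` whose inter-transfer gaps all lie
    within `max_jitter` (as a fraction) of the median gap, and whose cumulative
    amount is at least `min_total`. Regular cadence plus a large total is the
    signature of an automated drain rather than ordinary operational traffic."""
    by_dst = defaultdict(list)
    for t in transfers:
        if t.src == src:
            by_dst[t.dst].append(t)

    hits = {}
    for dst, ts in by_dst.items():
        if len(ts) < min_count:
            continue
        ts.sort(key=lambda t: t.block_time)
        gaps = [b.block_time - a.block_time for a, b in zip(ts, ts[1:])]
        med = median(gaps)
        if med <= 0:  # all in one block: no cadence to measure, skip
            continue
        regular = all(abs(g - med) <= max_jitter * med for g in gaps)
        total = sum(t.amount for t in ts)
        if regular and total >= min_total:
            hits[dst] = (len(ts), total, med)
    return hits


if __name__ == "__main__":
    for dst, (count, total, gap) in find_drain_patterns(SAMPLE, ADAPTER).items():
        print(f"ALERT {dst}: {count} transfers, {total:.0f} tokens, every ~{gap}s")
```

In practice the `Transfer` records would come from an indexer or RPC log subscription; the thresholds should be tuned against the contract's normal top-up cadence so routine operations do not trigger the rule.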

Oracle Compromise Signals Broader Infrastructure Risk

The exploit highlights a critical vulnerability in prediction market infrastructure: legacy credentials embedded in oracle adapters. UMA’s optimistic oracle model relies on off-chain data and on-chain verification, creating multiple permission layers that must be actively maintained. A six-year-old dormant key suggests that Polymarket’s administrative hygiene did not include systematic key rotation or permission audits. This pattern—where old infrastructure persists alongside new systems—is common in mature protocols but creates outsized risk when oracle contracts control market resolution logic.

Next Steps and Unresolved Questions

Polymarket has revoked the compromised key’s permissions, but no timeline for full remediation has been announced. The platform must now conduct a full audit of other legacy credentials tied to its oracle infrastructure. Whether the stolen funds can be recovered through Polygon’s ecosystem or law enforcement remains unclear. UMA has not publicly commented on the breach or whether it plans changes to its adapter framework.
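The analysis above (a dormant key that kept its permissions for six years) and the audit called for in this section both come down to one question: which accounts currently hold privileged roles on a contract, and when were they last granted or used? The following is an added example written for this article, not Polymarket's or UMA's code. It assumes the contract emits grant and revoke events in the style of common access-control libraries (an assumption about the adapter, which the article does not describe), rebuilds the effective set of privileged accounts by replaying a constructed event log, and flags grants that are older than a policy limit or have never been exercised.

```python
"""Added example: rebuild the active privileged-account set from a contract's
grant/revoke event history and flag stale or dormant grants. The event log,
timestamps and addresses are constructed; the event model (granted/revoked
per role) is an assumption about how the adapter manages permissions."""
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_DAY = 86_400
NOW = 2_000_000_000  # constructed "current time" in unix seconds


def days_ago(n: int) -> int:
    return NOW - n * SECONDS_PER_DAY


@dataclass(frozen=True)
class RoleEvent:
    block_time: int  # unix seconds
    kind: str        # "granted" or "revoked"
    role: str
    account: str


@dataclass(frozen=True)
class Finding:
    account: str
    role: str
    granted_at: int
    last_used: Optional[int]
    reason: str


# Constructed history: a legacy key granted six years ago and never used,
# an operational key granted recently, and a key granted then revoked.
EVENTS = [
    RoleEvent(days_ago(6 * 365), "granted", "ADMIN", "0xKEY_LEGACY"),
    RoleEvent(days_ago(800), "granted", "ADMIN", "0xKEY_OLD_REVOKED"),
    RoleEvent(days_ago(700), "revoked", "ADMIN", "0xKEY_OLD_REVOKED"),
    RoleEvent(days_ago(30), "granted", "ADMIN", "0xKEY_OPS"),
]
# Constructed last-use data, e.g. from transactions that called privileged functions.
LAST_USE = {("ADMIN", "0xKEY_OPS"): days_ago(1)}


def effective_grants(events):
    """Replay events in time order; return {(role, account): granted_at} for
    grants not revoked since. The time kept is the grant that is still active
    (a re-grant after a revoke records the newer time)."""
    active = {}
    for e in sorted(events, key=lambda e: e.block_time):
        key = (e.role, e.account)
        if e.kind == "granted":
            active.setdefault(key, e.block_time)
        elif e.kind == "revoked":
            active.pop(key, None)
    return active


def audit_stale_grants(events, last_use, now, max_age_days=365, max_idle_days=180):
    """Flag active grants older than max_age_days, and grants whose account has
    never exercised the role or has not done so within max_idle_days."""
    findings = []
    for (role, account), granted_at in sorted(effective_grants(events).items()):
        used = last_use.get((role, account))
        reasons = []
        if now - granted_at > max_age_days * SECONDS_PER_DAY:
            reasons.append(f"granted {(now - granted_at) // SECONDS_PER_DAY} days ago")
        if used is None:
            reasons.append("never used")
        elif now - used > max_idle_days * SECONDS_PER_DAY:
            reasons.append(f"idle for {(now - used) // SECONDS_PER_DAY} days")
        if reasons:
            findings.append(Finding(account, role, granted_at, used, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_stale_grants(EVENTS, LAST_USE, NOW):
        print(f"REVIEW {f.role} on {f.account}: {f.reason}")
```

Run against a real contract, the event list would be pulled from the chain's logs for that contract and the last-use map from its transaction history; any account the audit flags is a candidate for revocation or rotation before it is needed again, which is the control that would have retired the six-year-old key in this incident.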