Polymarket suffered a $700,000 exploit on Friday when attackers compromised a six-year-old private key controlling the UMA CTF Adapter contract on Polygon. The attacker repeatedly drained an admin wallet over 70 minutes by exploiting automated top-up mechanics that refilled the account every 30 seconds. Security analysts confirmed user funds and prediction market outcomes remained unaffected, but warned the compromised wallet held additional permissions that could have enabled manual market resolution and potential manipulation.

How the UMA Adapter Attack Unfolded

The exploit targeted an admin wallet responsible for funding oracle gas operations on the prediction market platform. Attackers used a compromised private key—created six years ago and embedded in an internal top-up configuration—to repeatedly sweep refills from the system. The attacker executed 120 cycles of POL transfers at roughly 30-second intervals, draining approximately 600,000 POL tokens alongside $600,000+ in USDC from wallet 0x8F98. Josh Stevens, a Polymarket developer, confirmed the key had been “compromised” and was part of legacy infrastructure. The assault lasted 70 minutes before automated controls prevented further drainage.
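The refill loop described above kept funding a wallet that was being emptied as fast as it was topped up. The following is an added example, not Polymarket's code: a rate and budget limiter for a top-up job that halts once refills repeat too quickly. The class name, thresholds and amounts are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class TopUpGuard:
    """Rate and budget limiter for an automated top-up job (hypothetical)."""
    threshold: float       # refill only when balance is below this
    refill_amount: float   # amount sent per top-up
    window_s: int          # sliding window, seconds
    max_refills: int       # refills allowed per window
    max_spend: float       # total refill budget per window
    halted: bool = False
    reason: str = ""
    recent: deque = field(default_factory=deque)  # (timestamp, amount)

    def decide(self, now: int, balance: float) -> float:
        """Return the amount to send at time `now`; 0.0 when idle or halted."""
        if self.halted or balance >= self.threshold:
            return 0.0
        while self.recent and now - self.recent[0][0] >= self.window_s:
            self.recent.popleft()  # forget refills older than the window
        spent = sum(amount for _, amount in self.recent)
        if len(self.recent) >= self.max_refills:
            self.halted, self.reason = True, "refill rate exceeded"
        elif spent + self.refill_amount > self.max_spend:
            self.halted, self.reason = True, "refill budget exceeded"
        if self.halted:
            return 0.0  # stay halted until an operator reviews and resets
        self.recent.append((now, self.refill_amount))
        return self.refill_amount


def simulate_sweeps(guard: TopUpGuard, cycles: int, interval_s: int) -> float:
    """Constructed scenario: the wallet is emptied before every poll."""
    total = 0.0
    for tick in range(cycles):
        total += guard.decide(now=tick * interval_s, balance=0.0)
    return total


def new_guard() -> TopUpGuard:
    # Constructed limits, not Polymarket's configuration.
    return TopUpGuard(threshold=1_000, refill_amount=5_000, window_s=600,
                      max_refills=3, max_spend=20_000)


if __name__ == "__main__":
    g = new_guard()
    print(simulate_sweeps(g, cycles=120, interval_s=30), g.reason)
```

With these constructed limits the simulated 120 sweep cycles cost three refills before the job halts, while refills spaced an hour apart never trip the limiter.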

Market Impact and Severity Assessment

Security experts including Ox Abdul and ZachXBT confirmed that core platform integrity survived intact. Prediction markets continued functioning normally, and no user balances were affected. However, analysts identified a critical second vector that remained unexploited: the compromised wallet held “resolveManually rights” on the UMA Adapter, which could have permitted attackers to manually override market outcomes. Such access would have exposed Polymarket to oracle manipulation and false settlement. The attacker’s decision not to exploit this secondary permission suggests either operational constraints or incomplete reconnaissance of the wallet’s full capabilities.

Regulatory Scrutiny and Infrastructure Overhaul

Hours after the Friday exploit, Rep. James Comer, chairman of the House Oversight Committee, announced a federal investigation into Polymarket’s insider trading prevention measures and identity verification protocols. Separately, Stevens disclosed that Polymarket is rotating all compromised keys, revoking production permissions from legacy systems, and migrating private key management to infrastructure backed by a key management service (KMS). The shift reflects broader industry acknowledgment that aging keys embedded in configuration files represent a critical attack surface. No timeline was provided for the infrastructure migration or key rotation completion.

Next Steps and Unresolved Questions

The attacker channeled stolen tokens through 16 sub-addresses before exiting via ChangeNOW, a cryptocurrency exchange service, making fund recovery unlikely. Polymarket has not disclosed whether any assets were recovered or confirmed the attacker’s identity. The platform faces dual pressure: regulatory investigation into compliance procedures and technical remediation of legacy infrastructure. Stolen funds totaling $700,000 remain unrecovered as of Friday evening.