Polymarket’s UMA CTF Adapter Contract on Polygon Exploited Over $520K

• ZachXBT said Polymarket’s UMA CTF contract on Polygon was exploited for over $520K.
• The attacker compromised an old private key belonging to an internal Polymarket operations wallet.
• This incident raises fresh prediction market security concerns and may impact user trust in Polymarket.

On May 22, 2026, prominent on-chain investigator ZachXBT warned that Polymarket’s Universal Market Access (UMA) Conditional Token Framework (CTF) Adapter contract on Polygon was likely exploited in a major security breach, with attackers draining more than $520,000 from the linked addresses so far, primarily POL tokens and USDC.e.

ZachXBT Flags Over $520K Suspected Polymarket UMA Contract Exploit

ZachXBT flagged suspicious activity involving Polymarket’s UMA CTF Adapter contract deployed on Polygon. Community reports and on-chain data indicated that more than $520,000, primarily in POL tokens and USDC.e, has been drained from the adapter, with some trackers later reporting totals exceeding $600,000. 

The draining activity involved repeated transfers, including approximately 5,000 POL every 30 seconds from affected contract addresses, notably 0x871D7…082 and 0xf61e3…805. The stolen funds were then rapidly funneled through a chain of intermediary wallets, likely to obfuscate the transaction trail and complicate tracking efforts.

What Caused the Polymarket UMA Adapter Exploit

The incident was not the result of a vulnerability or bug in the live UMA CTF Adapter smart contract code. Instead, it stemmed from the compromise of an old private key belonging to an internal Polymarket operations wallet.

This wallet had administrative privileges tied to the UMA CTF Adapter initializer on Polygon. It was previously used for internal operations such as rewards distribution, liquidity top-ups, or related maintenance tasks. The attacker, address 0x8F980…B91, controlling the compromised key, signed in and executed legitimate transactions that drained funds directly from the adapter contract addresses, with portions already deposited into services like ChangeNOW, a non-custodian crypto exchange platform.

Polymarket’s engineering team confirmed the incident shortly after ZachXBT’s alert. The team also stated that user balances and positions on the core Polymarket platform remain unaffected, as the adapter’s role is limited to oracle-related functions.

What’s the Impact on Polymarket and Prediction Market Security?

The incident has renewed concerns over infrastructure security across decentralized prediction markets, particularly protocols that depend on oracle adapters and complex cross-contract integrations. Security experts expect the breach to accelerate demands for stricter smart contract audits, expanded bug bounty programs, stronger wallet controls, and continuous on-chain monitoring for Polymarket and similar platforms.

Despite the exploit, market resolution and settlement operations have continued without disruption because the compromise was linked to a legacy administrative private key on the Polygon deployment rather than a vulnerability in the live contract logic or core trading infrastructure. 

However, the exploit underscores a broader risk facing the prediction market sector, as even non-custodial infrastructure components such as oracle adapters can become critical attack surfaces if privileged keys are poorly managed, insufficiently rotated, or left active after operational use. 

As a result, the incident reinforces the need for stronger operational security standards, including multi-signature authorization, hardware security modules, time-lock protections, regular credential rotation, and continuous security audits across DeFi oracle systems.

Related: Polymarket Rejects Claims of 300K Data Breach