Polymarket came under attack earlier Friday after a contract exploit drained more than $600,000 of cryptocurrency. Despite the scale of the theft, many security analysts confirmed that user funds and market results were not affected.
One expert even said that the incident could have been much worse if additional controls had been used in the compromised contract.
Polymarket attack
On-chain investigator ZachXBT reported a suspected exploit involving Polymarket’s UMA CTF contract on Polygon (POL). At the time of writing, the total amount associated with the exploit has risen to nearly $700,000.
Details of how the exploit worked were later laid out by security researcher Oakes Abdul. His first key point was that the USDC portion – more than $600,000 – appeared to be a one-time drain taken from a particular wallet on Polygon, identified as 0x8F98, the UMA CTF Admin.
Oakes Abdul also described how Polymarket’s automation appears to have contributed to the exploit. He said the Polymarket top-up system was sending roughly 5,000 POL approximately every 30 seconds to keep the oracle gas wallet funded.
Instead of stealing everything at once, the attacker waited for each top-up and then drained it, repeating this for approximately 120 cycles over the course of about 70 minutes, for a total of roughly 600,000 POL.
More importantly, by this calculation the size of the steady POL loss came down to how quickly Polymarket detected and responded. The exploit was eventually stopped once the keys were rotated.
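The drain-after-top-up pattern above is exactly what a funding keeper can watch for on its own side: if the wallet it has just credited is emptied before the next cycle several times in a row, it should stop topping up instead of waiting for a human to rotate the key. The following is an added example written for this article, not code from Polymarket or the researchers quoted; the event stream, amounts per cycle and the 90% drain threshold are constructed to mirror the 5,000 POL / 30-second figures in the text.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data modelled on the pattern described above: a keeper
# credits a gas wallet with 5,000 POL every 30 s and the wallet is emptied
# shortly afterwards. Amounts are whole POL, timestamps are seconds.
TOPUP_AMOUNT = 5_000
TOPUP_INTERVAL_S = 30

@dataclass(frozen=True)
class Transfer:
    ts: int          # seconds since start of the observation window
    direction: str   # "in" = top-up credited, "out" = sent from the wallet
    amount: int      # POL

def constructed_log(cycles: int, out_amount: int, delay_s: int = 5) -> list:
    """Constructed event stream: one top-up per cycle, followed by an outflow."""
    log = []
    for i in range(cycles):
        t = i * TOPUP_INTERVAL_S
        log.append(Transfer(t, "in", TOPUP_AMOUNT))
        log.append(Transfer(t + delay_s, "out", out_amount))
    return log

def run_keeper(log: list, trip_after: Optional[int] = None,
               ratio: float = 0.9) -> tuple:
    """Replay the top-up keeper over `log`.

    A cycle counts as drained when outflows between this top-up and the next
    reach `ratio` of the credited amount (normal gas spend stays far below that).
    With `trip_after` set, funding stops once that many consecutive cycles were
    drained. Returns (POL sent, drained cycles, breaker tripped)."""
    topups = [t for t in log if t.direction == "in"]
    outs = [t for t in log if t.direction == "out"]
    sent = drained = run = 0
    for i, tu in enumerate(topups):
        sent += tu.amount
        end = topups[i + 1].ts if i + 1 < len(topups) else float("inf")
        out = sum(o.amount for o in outs if tu.ts <= o.ts < end)
        if out >= ratio * tu.amount:
            drained += 1
            run += 1
        else:
            run = 0
        if trip_after is not None and run >= trip_after:
            return sent, drained, True   # stop funding a wallet that is being emptied
    return sent, drained, False

if __name__ == "__main__":
    attack = constructed_log(cycles=120, out_amount=TOPUP_AMOUNT)
    print("no breaker  :", run_keeper(attack))                 # (600000, 120, False)
    print("trip after 3:", run_keeper(attack, trip_after=3))   # (15000, 3, True)
    normal = constructed_log(cycles=120, out_amount=150)       # ordinary gas spend
    print("normal ops  :", run_keeper(normal, trip_after=3))   # (600000, 0, False)
```

With a three-cycle breaker the same 120-cycle drain would have cost 15,000 POL instead of 600,000, while a wallet that only spends gas never trips it.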
How could the exploitation have been worse?
After draining the top-ups, Oakes Abdul said, the exploiter exited via 16 sub-addresses using ChangeNOW. Even with the damage limited, he warned, the situation carried red flags beyond the theft itself.
In his view, the compromised admin wallet held not only USDC and POL; it also held “manually resolve” rights on the UMA adapter. Those manual-resolution permissions, he explained, could bypass the oracle and would have allowed the attacker to force any market outcome on Polymarket.
Oakes Abdul explained what “the worst case” could have looked like in practice. He said the attacker could have taken large positions in specific markets, then flagged those markets for manual resolution, waited for the safety window of about an hour to expire, and finally called ResolveManually to settle the markets in favor of his own positions.
Following the incident, Josh Stevens, one of Polymarket’s lead developers, provided additional context via social media. Stevens attributed the issue to a six-year-old private key that had been compromised, explaining that it was referenced in an internal top-up configuration – so funds kept being sent to the key while it remained active.
He added that the key has been rotated, all production permissions have been revoked, and the company is moving all private keys to KMS-managed keys from now on.
A federal investigation began
While the technical incident was unfolding, Polymarket was also dealing with regulatory scrutiny on Friday. As Bitcoinist reported, Rep. James Comer, chairman of the House Oversight and Government Reform Committee, announced a formal investigation into the prediction market platforms Polymarket and Kalshi.
Comer said the committee is seeking information from executives of both companies regarding their efforts to prevent insider trading on their platforms.
In his letter, he requested documentation and details on how both platforms implement identity verification for domestic and international account holders, enforce geo-restrictions, and detect anomalous trading activity to help prevent insider trading across their global platforms.
In a separate development, Bloomberg reported that Polymarket has appointed a representative in Japan as it prepares to push for a prediction markets license in the country. According to the sources cited in the report, Polymarket’s goal is to gain government approval in Japan by 2030.
Featured image created with OpenArt, chart from TradingView.com