Another day, another crypto exploit.
Crypto hacks have accelerated in 2026, and someone targeted Polymarket on the 22nd of May. Here is how the exploit happened on the world’s largest prediction markets:
Explaining Polymarket’s exploit
According to ZachXBT, Polymarket’s UMA CTF Adapter was exploited on the Polygon [POL] network, and more than $700K has been laundered. The hacker drained roughly $458K USDC and more than $200K POL on the UMA CTF Adapter contract.
The attacker looks to have compromised a private key tied to the rewards payout system. The hack came after a new rebate program was introduced. Shantikiran Chanal said,
We’re aware of the security reports linked to rewards payout.
Looking into the details, the hacker then siphoned 5,000 POL every thirty seconds to a single address. The funds have since been distributed to 16 addresses and then moved to centralized exchanges (CEXs) and other services like mixers.
ZachXBT has previously called out some of these CEXs used to launder money for failing to freeze stolen funds. These exchanges include KuCoin and HTX, among others.
ZachXBT and Bubblemaps have asked traders to pause Polymarket activities for now. However, Polymarket’s staff assured users of safety for their funds.
Polymarket statement as community reacts
A software engineer at Polymarket, Shantikiran Chanal, released a statement concerning the ordeal. He said user funds were safe and the compromise involved internal operations.
Chanal wrote on X,
…User funds and market resolution are safe. Findings point to a private key compromise of a wallet used for internal operations, not contracts or core infrastructure.
Chanal added that they are rotating keys in their backend services while they investigate any other internal secrets that might have affected them. He further assured users that their wallets were safe.
This statement meant that Polymarket had not halted its market operation. The team indicated more information would be released thereafter.
Some community members pointed out the irony of the largest prediction market failing to predict its security incident.
The incident showed that private key hygiene is still a major vulnerability in crypto security.
Price reactions of UMA and POL
Meanwhile, the UMA token declined by about 3.3%, from $0.477 to $0.462. This decline was small compared to other exploits. For instance, THORChain’s hack sparked a 15% crash in the RUNE token.
Conversely, the POL price held steady at approximately $0.092. It showed the market was pricing the right risk, as it was the UMA CTF Adapter that was exploited.
All in all, the draining of tokens has stopped with Polymarket advancing investigations.
Final Summary
- Polymarket exploited about $700K in USDC and POL from its rewards payment system.
- The market has priced in the right risk, with UMA’s price crashing while POL remained flat.
