An attacker drained over $600,000 from Polymarket, attacking its UMA CTF Adapter sensible contract on Polygon, with on-chain investigator ZachXBT flagging the exploit and figuring out the attacker’s pockets as 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91.
ZachXBT issued an emergency alert first on his Telegram channel, adopted by Bubblemaps warning customers to pause all Polymarket exercise because the platform’s losses climbed towards $600,000.
The focused contract, the UMA CTF Adapter, is the customized integration layer that enables Polymarket’s prediction markets to settle through UMA’s Optimistic Oracle. It’s not a part of UMA’s audited core protocol.
Uncover: The Finest Crypto to Diversify Your Portfolio
How the Polymarket Exploit Labored: The Good Contract Vulnerability
The UMA CTF Adapter is customized integration code written and deployed by Polymarket, not a canonical UMA contract. As UMA’s personal documentation makes clear, protocol integrators construct their very own adapter contracts on high of the Optimistic Oracle, and people adapters carry project-specific logic and belief assumptions that fall solely exterior UMA’s safety mannequin.
This structural hole is the place the Polymarket exploit discovered its floor. The CTF Adapter encodes the customized economics and entry management that decide how prediction market positions settle and the way funds circulate.
ALERT: Polymarket UMA CTF Adapter Exploited
The Adapter acts as a bridge between the platform and the UMA oracle.
It was through this bridge that the hacker managed to govern the system.
Over $500K has been stolen.
The hacker is presently laundering the stolen funds on… pic.twitter.com/K8EcR1SqmW— ProMint (@ProMint_X) Might 22, 2026
Polymarket’s core change contracts underwent a proper safety audit by ChainSecurity in 2021–2022, which reported that every one crucial points recognized have been addressed earlier than mainnet deployment. That audit didn’t cowl the UMA CTF Adapter. The exploit did.
It is a recurring sample in DeFi platform failures: audits cowl solely the parts submitted for assessment, not the mixing layers bolted on afterward.
Polymarket’s historical past with oracle-adjacent threat is just not new. A previous incident involving misguided off-chain information fed into Polymarket’s oracle stack, the so-called Paris case, demonstrated that adapter and oracle design signify a systemic weak level for prediction markets, impartial of whether or not the bottom contracts perform accurately.
On-Chain Footprint and What The Information Reveals
Onchain information tracked the attacker eradicating 5,000 $POL tokens each 30 seconds throughout the lively drain part, a withdrawal cadence that factors to an automatic script executing repeated contract calls. By the point the alert was issued, the attacker had extracted roughly $600,000 in line with Bubblemaps, with ZachXBT’s determine inserting confirmed losses at over $520,000.
The post-exploit habits is in keeping with early-stage on-chain laundering. The attacker dispersed the stolen proceeds throughout 15 separate pockets addresses in a fragmentation sample designed to complicate chain-of-custody tracing and gradual any freeze or restoration try.
As of the time of reporting, the dispersed funds stay distributed throughout these 15 addresses with no confirmed motion to a mixer or cross-chain bridge. ZachXBT’s public identification of the originating pockets provides investigators a transparent on-chain start line, although the 15-address dispersal complicates any downstream restoration with out change cooperation.
Uncover: The Finest Token Presales
The publish Polymarket Exploit: 5,000 POL Drained each 30 Seconds appeared first on Cryptonews.