Polymarket Exploit: 5,000 POL Drained Every 30 Seconds

An attacker drained over $600,000 from Polymarket by attacking its UMA CTF Adapter smart contract on Polygon. On-chain investigator ZachXBT flagged the exploit and identified the attacker’s wallet as 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91.

ZachXBT issued an emergency alert first on his Telegram channel, followed by Bubblemaps warning users to pause all Polymarket activity as the platform’s losses climbed toward $600,000.

The targeted contract, the UMA CTF Adapter, is the custom integration layer that enables Polymarket’s prediction markets to settle via UMA’s Optimistic Oracle. It is not part of UMA’s audited core protocol.

How the Polymarket Exploit Worked: The Smart Contract Vulnerability

The UMA CTF Adapter is custom integration code written and deployed by Polymarket, not a canonical UMA contract. As UMA’s own documentation makes clear, protocol integrators build their own adapter contracts on top of the Optimistic Oracle, and those adapters carry project-specific logic and trust assumptions that fall entirely outside UMA’s security model.

This structural gap is where the Polymarket exploit found its footing. The CTF Adapter encodes the custom economics and access control that determine how prediction market positions settle and how funds flow.

🚨 ALERT: Polymarket UMA CTF Adapter Exploited
The Adapter acts as a bridge between the platform and the UMA oracle.
It was by way of this bridge that the hacker managed to control the system.
Over $500K has been stolen.
The hacker is at present laundering the stolen funds on… pic.twitter.com/K8EcR1SqmW

— ProMint (@ProMint_X) May 22, 2026

Polymarket’s core exchange contracts underwent a formal security audit by ChainSecurity in 2021–2022, which reported that all critical issues identified had been addressed before mainnet deployment. That audit did not cover the UMA CTF Adapter. The exploit did.

This is a recurring pattern in DeFi platform failures: audits cover only the components submitted for review, not the integration layers bolted on afterward.

Polymarket’s history with oracle-adjacent risk is not new. A prior incident involving erroneous off-chain data fed into Polymarket’s oracle stack, the so-called Paris case, demonstrated that adapter and oracle design represent a systemic weak point for prediction markets, independent of whether the base contracts function correctly.

On-Chain Footprint and What the Data Shows

On-chain data tracked the attacker removing 5,000 $POL tokens every 30 seconds during the active drain phase, a withdrawal cadence that points to an automated script executing repeated contract calls. By the time the alert was issued, the attacker had extracted roughly $600,000 according to Bubblemaps, with ZachXBT’s figure placing confirmed losses at over $520,000.
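
A fixed amount leaving one contract at a fixed interval is a pattern a monitoring job can alert on. The following is an added example, not code from Polymarket, UMA or the investigators: a detector run over constructed transfer records, where the function name, thresholds and placeholder addresses are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (unix_time, recipient, amount_in_POL) for transfers leaving
# one monitored contract. Addresses are placeholders, not values from the incident.
SAMPLE_TRANSFERS = (
    [(1_000 + 30 * i + (i % 2), "0xDRAIN_PLACEHOLDER", 5000.0) for i in range(12)]
    + [(1_010, "0xUSER_A", 120.5), (1_400, "0xUSER_A", 87.0),
       (1_950, "0xUSER_A", 4000.0), (1_200, "0xUSER_B", 5000.0)]
)

def find_metronomic_drains(transfers, min_run=5, jitter=3, amount_tol=0.01):
    """Return {recipient: (run_length, interval_s, amount)} for recipients that
    receive >= min_run consecutive transfers of near-identical size at a
    near-constant interval, the signature of a scripted drain."""
    by_recipient = defaultdict(list)
    for ts, to, amount in transfers:
        by_recipient[to].append((ts, amount))

    findings = {}
    for to, events in by_recipient.items():
        events.sort()
        if len(events) < min_run:
            continue  # too few transfers to establish a cadence
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        period = median(gaps)                    # robust to a few stragglers
        ref_amount = median(a for _, a in events)
        if period <= 0 or ref_amount <= 0:
            continue
        best = run = 1
        for (prev, cur), gap in zip(zip(events, events[1:]), gaps):
            same_size = all(abs(e[1] - ref_amount) <= amount_tol * ref_amount
                            for e in (prev, cur))
            on_beat = abs(gap - period) <= jitter  # block-time jitter allowance
            run = run + 1 if (same_size and on_beat) else 1
            best = max(best, run)
        if best >= min_run:
            findings[to] = (best, period, ref_amount)
    return findings

if __name__ == "__main__":
    for addr, (n, period, amt) in find_metronomic_drains(SAMPLE_TRANSFERS).items():
        print(f"ALERT {addr}: {n} transfers of {amt:g} POL every ~{period}s")
```

In production the tuples would come from the contract's transfer events, and an alert like this is most useful when wired to a pause or rate-limit control on the adapter.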

The post-exploit behavior is consistent with early-stage on-chain laundering. The attacker dispersed the stolen proceeds across 15 separate wallet addresses in a fragmentation pattern designed to complicate chain-of-custody tracing and slow any freeze or recovery attempt.

As of the time of reporting, the dispersed funds remain distributed across those 15 addresses with no confirmed movement to a mixer or cross-chain bridge. ZachXBT’s public identification of the originating wallet gives investigators a clear on-chain starting point, though the 15-address dispersal complicates any downstream recovery without exchange cooperation.

The post Polymarket Exploit: 5,000 POL Drained Every 30 Seconds appeared first on Cryptonews.
