User Assets Remain Secure Despite $600K+ Security Breach at Polymarket, Team Confirms
Following a security incident believed to involve compromised private keys linked to internal top-up processes, Polymarket has assured users that their assets and market outcomes remain unaffected.
The Polymarket team has acknowledged a security breach impacting a portion of its technical infrastructure, indicating that the incident likely stems from compromised private keys associated with a wallet designated for top-up operations, while maintaining that customer assets and market outcome determinations remain completely secure.
Through a Friday statement posted on X, the development team at Polymarket clarified that their smart contracts and essential infrastructure components remained untouched by the attack. Product lead Akanshu Jain at Polymarket, along with several other team members from the platform, reinforced assurances that customer deposits and the integrity of market resolutions are intact and protected.
The security incident was initially brought to light by blockchain investigator ZachXBT, who identified the breach as a compromise affecting the UMA Conditional Tokens Framework (CTF) Adapter contract associated with Polymarket on the Polygon network, with the malicious actor successfully extracting a minimum of $520,000 in assets.
Nevertheless, according to Josh Stevens, who serves as Polymarket's vice president of engineering, the smart contracts themselves remained secure, and the vulnerability was confined to an antiquated private key that was six years old and utilized exclusively for internal top-up procedures. He confirmed that all authorization permissions connected to the compromised key have since been completely revoked.
The UMA CTF adapter functions as an oracle-based contract designed to facilitate the settlement of Polymarket's prediction markets through the utilization of UMA's Optimistic Oracle technology. As the globe's second-largest prediction market platform, Polymarket processes $3.7 billion in trading volume on a monthly basis, based on statistics from DefiLlama.
Analysis of Polyscan data conducted by Cointelegraph revealed in excess of 100 individual small-value transfers flowing into the wallet believed to belong to the attacker. The majority of these transactions contained values reaching up to 5,000 Polygon (POL) tokens per transfer.
Financial damage from exploit surpasses $600,000 threshold
Several blockchain data analytics platforms documented comparable onchain transaction patterns connected to the suspected security exploit.
In a Friday post on X, Bubblemaps, a platform specializing in blockchain data visualization, reported that the attacker was continuing to withdraw approximately 5,000 POL tokens at 30-second intervals, accumulating roughly $600,000 in illicitly obtained funds up to that point.
According to estimates from Lookonchain, a blockchain data analysis platform, approximately $660,000 had been siphoned from the contract linked to Polymarket as of 9:01 am UTC on Friday morning.
The integration of UMA's optimistic oracle technology into Polymarket's platform occurred on Feb. 3, 2022, providing automated and decentralized settlement capabilities for the platform's prediction market smart contracts.
Attempts by Cointelegraph to reach both Polymarket and UMA for additional commentary were unsuccessful, with neither organization providing a response prior to the time of publication.