Polymarket faced what many users interpreted as a possible hack on May 22 after public alerts described a rapid POL drain on the prediction market platform. Polymarket-linked accounts later said the incident was not a smart-contract exploit and did not affect user funds or market resolution.
The first wave of concern came from on-chain investigator ZachXBT and blockchain analytics firm Bubblemaps. ZachXBT said a Polymarket admin address appeared to have been compromised on Polygon, with more than $520,000 drained at the time of his Telegram alert.
Bubblemaps then warned that attackers were removing 5,000 POL roughly every 30 seconds and that about $600,000 had been stolen so far, while advising users to pause Polymarket activity.
Polymarket’s later explanation shifted the issue away from core-market failure and toward an internal operational security breach. Findings pointed to a private-key compromise of a wallet used for “internal top-up operations,” according to Polymarket Developers, rather than “contracts or core infrastructure.”
Polymarket software engineer Shantikiran Chanal similarly said, “User funds and market resolution are safe,” adding that the issue was linked to rewards payout reports.
That implies different risks. A contract or resolution failure would raise questions about whether markets could settle correctly or whether user positions were exposed. An internal funding-wallet compromise, while still serious, points instead to key management, refiller services, and operational controls around wallets that support the platform.
The public alert moved faster than the private key compromise explanation
The timeline moved quickly. ZachXBT’s Telegram post at 08:22 UTC described a Polymarket admin address as apparently compromised on Polygon and identified the attacker address as 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91.
The same post listed related and drained addresses, giving on-chain analysts a trail to follow.
Bubblemaps amplified the warning at 08:51 UTC, describing the situation as a Polymarket contract exploit, the kind of Polymarket exploit alert that would raise immediate concern about core infrastructure, and saying the attacker was removing 5,000 POL every 30 seconds.
On-chain data show why the warning drew attention. A PolygonScan transaction at 09:01:19 UTC shows 5,000 POL moving into a Polymarket-labeled UMA CTF Adapter Admin address.
Seven seconds later, another PolygonScan transaction shows 4,999.994 POL moving from that labeled admin address to the labeled attacker address. The attacker address page is tagged by PolygonScan as “Polymarket Adapter Exploiter 1” and shows repeated transfers around the alert window.
That transaction pair supports the visible drain pattern that triggered the public alarm and gives a concrete example of the kind of transfer flow that Polymarket team members later described as involving an internal refiller, while leaving root cause to the team’s statements.
| Question | Initial alert | Polymarket-linked explanation |
|---|---|---|
| What was happening? | Bubblemaps warned that 5,000 POL was being removed roughly every 30 seconds. | Team statements linked the reports to rewards payout or internal top-up activity. |
| Was it a contract exploit? | Bubblemaps initially described it as a Polymarket contract exploit. | Polymarket-linked accounts said findings pointed away from contracts or core infrastructure. |
| Were user funds affected? | The first alert advised users to pause activity. | Shantikiran Chanal and Polymarket Developers said user funds and market resolution were safe. |
| What remains unresolved? | The live loss estimate was about $600,000 at Bubblemaps’ alert. | The final loss amount, full affected-address set, and remediation details were still unsettled. |
Team statements pointed to a Polymarket private key compromise
The clearest official wording came from the Polymarket Developers account, which framed the incident as a Polymarket private key compromise involving a wallet used for internal top-up operations.
That phrasing moves the incident out of the category of a direct smart-contract vulnerability and into a more operational question: who controlled the key, how it was exposed, and why the affected process kept sending POL into an address that could be drained.
Chanal’s statement used similar language, saying the reports were linked to rewards payout and that findings pointed to a private-key compromise of a wallet used for internal operations. In replies to users, Chanal said wallets were “completely safe” and said the team was investigating backend systems and secrets while rotating keys.
Mustafa, another Polymarket-linked source, gave the most direct explanation of the contract distinction. He said “The CTF contract is not exploited,” adding that the issue involved an internal ops address used by a service that checks and refills balances every few seconds.
He also said all user funds were safe and that the address was being rotated.
Polymarket’s own documentation helps explain the stakes behind that distinction. The platform says markets use UMA for resolution and that winning positions are redeemed after resolution through CTF-related mechanics.
Its CTF documentation describes outcome tokens for prediction markets and notes that Yes/No pairs are fully collateralized. Against that background, a direct failure in CTF or resolution infrastructure would raise different questions from a compromised wallet used for rewards or internal top-ups.
The known team statements place the issue outside the core market-resolution infrastructure. They leave the operational-security question open.
Private keys are the authority layer for blockchain wallets, and a compromised internal key can still move funds, trigger public panic, and expose weaknesses in monitoring or automated funding flows even when users’ trading balances and market settlement are not the target.
The next update needs to settle the loss and remediation details
For users right now, Polymarket’s team says the incident was limited to internal operations, meaning Polymarket user funds, core contracts, and market-resolution processes were outside the affected path.
The remaining question is how much was ultimately lost and what changed after the team discovered the compromised key.
ZachXBT’s first available figure was more than $520,000 drained. Bubblemaps later said about $600,000 had been stolen at the time of its alert.
On-chain pages show a representative transfer trail, but the current public record leaves the final audited loss amount, full set of affected addresses, and recovery status unsettled.
The operational follow-up is just as important. Polymarket-linked statements said the affected address was being rotated and that the team was investigating backend systems and secrets.
That leaves several live questions: whether rotation has been completed, whether any connected refiller-service credentials were exposed, whether the compromised wallet had permissions beyond the observed transfers, and whether the platform will publish an incident report explaining the failure.
For traders, the practical takeaway is that the initial public wording appears to have overstated the contract-exploit angle based on the later Polymarket team statements. A live drain of internal funds remains a security incident, especially for a platform whose users rely on clear separation between operational wallets, rewards systems, and market infrastructure.
Until Polymarket issues a final update, the team has told users their funds and market resolution are safe, while the public chain record shows a rapid POL drain from Polymarket-labeled infrastructure.
The next disclosure needs to state the final loss, confirm the address rotation, and explain what changed after a Polymarket private key compromise turned an internal wallet into the center of a live-drain alarm.