ZachXBT Semnalează Exploatarea Suspectă a Polymarket-ului, cu 658K Drenați din Adaptorul UMA CTF

CoinsProbe · 2026-05-22T10:04:56.000Z
Puncte Cheie Investigatorul on-chain ZachXBT a semnalat un atac suspect asupra contractului adaptor UMA CTF de la Polymarket pe Polygon — cu pierderi estimate în prezent la 520.000 USD+, unele rapoarte din comunitate ridicând cifra la aproximativ 658K. Adresa atacatorului 0x8F98...9B91 a fost observată că drena repetat aproximativ 5.000 POL la fiecare 30 de secunde din sistemul adaptor — cu fonduri furate împărțite în peste 15 portofele și dirijate prin mixere și servicii de swap, inclusiv ChangeNOW. Surse din comunitate sugerează că atacul ar fi putut implica o cheie privată veche compromisă, mai degrabă decât o vulnerabilitate proaspătă a contractului inteligent.
Key Highlights
On-chain investigator ZachXBT has flagged a suspected attack on Polymarket's UMA CTF Adapter contract on Polygon — with losses currently estimated at $520,000+, with some community reports pushing the figure to approximately $658K.
The attacker address 0x8F98...9B91 was observed repeatedly draining approximately 5,000 POL every 30 seconds from the adapter system — with stolen funds split across 15+ wallets and routed through mixers and swap services including ChangeNOW.
Community sources suggest the attack may have involved a compromised old private key rather than a fresh smart contract vulnerability.
Polymarket has not yet issued an official statement — but community sources indicate main user deposits and active market liquidity remain unaffected. The exploited contracts are part of the backend resolution infrastructure, not primary user-facing vaults.
Polymarket — the world’s largest decentralised prediction market — is dealing with a significant security incident. On May 22, 2026, on-chain investigator ZachXBT raised the alarm about a suspected attack targeting Polymarket’s UMA CTF Adapter contract deployed on the Polygon chain — an exploit that has drained an estimated $520,000 to $658,000 from the platform’s backend resolution infrastructure.
The incident is developing rapidly. ZachXBT and on-chain analysts are actively tracking the attacker’s movements, Polymarket’s team is reportedly investigating, and the community is monitoring whether the draining activity — which appeared to have slowed or stopped in the 20–30 minutes prior to publication — has fully ceased or may resume.
ZachXBT on Polymarket Hack
What Happened — The Attack BreakdownAccording to ZachXBT’s community alert and on-chain data, the attacker systematically drained funds from contracts associated with Polymarket’s resolution infrastructure:
Attacker address: 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91
Affected and drained contracts:
0x871D7c0f9E19001fC01E04e6cdFa7fA20f929082
0x91430CaD2d3975766499717fA0D66A78D814E5c5
0xf61e39C7EB1E2Ff5af3A24bCA88D40fD11594805
Stolen funds breakdown (community estimates):
~$458,000 in USDC
~$199,700 in POL
Total: approximately $658K
The attack pattern — On-chain observers reported the attacker pulling approximately 5,000 POL every 30 seconds from the adapter system in a systematic and automated fashion — suggesting a scripted exploitation rather than a manual operation.
Polymarket Hack/arkm
Fund dispersal — Stolen funds were subsequently split across 15+ wallet addresses — a classic dispersion technique designed to complicate tracking. Portions were routed through mixers and swap services including ChangeNOW in an apparent attempt to obscure the trail and complicate asset recovery.
Suspected vector — Community updates suggest the attack may have involved a compromised old private key associated with the adapter contracts — rather than a newly discovered smart contract vulnerability in the current codebase. If confirmed, this would point to a key management failure rather than a protocol bug — a distinction that matters for how the incident is assessed and remediated.
What Is the UMA CTF Adapter — Why It Was TargetedTo understand the significance of this exploit, it helps to understand what the UMA CTF Adapter actually does within Polymarket’s infrastructure.
Polymarket is a blockchain-based prediction market where users trade on the outcomes of real-world events — elections, crypto prices, sports results, news events — using USDC as the base currency. The platform relies on the Conditional Tokens Framework (CTF) for market mechanics and integrates UMA’s Optimistic Oracle for dispute resolution and final settlement.
The UMA CTF Adapter is the critical bridge between these two systems — fetching resolution data from UMA’s Optimistic Oracle and using it to resolve the CTF conditions that determine how markets settle and how winnings are distributed. It is deployed on Polygon and has been open-sourced by the Polymarket team.
In short: the adapter is not where user trading funds sit — but it is the infrastructure layer that determines how markets resolve. Exploiting it represents an attack on the integrity of Polymarket’s resolution mechanism rather than a direct theft from user deposits — which is why community sources are indicating that main user funds remain unaffected while the backend system has been compromised.
Is This the First Polymarket Security Incident?This is not the first time Polymarket’s resolution infrastructure has come under scrutiny — though today’s incident appears operationally distinct from prior events.
In early 2025, Polymarket faced a high-profile UMA governance attack orchestrated by a large token holder known as “BornTooLate.eth” — who accumulated sufficient UMA governance power to influence the outcome resolution of a politically sensitive prediction market. That incident was a governance manipulation attack — exploiting the economics of UMA’s optimistic oracle rather than directly draining funds.
Today’s incident is categorically different — it is a direct fund drainage from adapter contracts, not a governance manipulation play. The attacker’s goal appears to have been financial extraction rather than outcome manipulation — making it a more traditional DeFi exploit than the 2025 governance attack.
Current Status — What Is KnownThe draining activity appears to have slowed, while community sources indicate that user deposits and active market liquidity remain unaffected. The attacker reportedly split the stolen funds across more than 15 wallet addresses, with movements currently being tracked by ZachXBT and other on-chain analysts. At the time of reporting, Polymarket had not yet issued an official statement regarding the incident.
The situation remains fluid. Polymarket has not issued an official statement as of publication — and the full scope of the exploit, the confirmed attack vector, and whether any additional contracts are at risk will not be known until the team completes its investigation.
Why This Matters Beyond PolymarketThis incident carries implications that extend well beyond Polymarket itself — for prediction markets as a sector and for DeFi infrastructure security broadly.
Prediction markets are at peak visibility — 2025–2026 has seen explosive growth in prediction market usage, particularly around major global events. Polymarket’s dominance makes any security incident involving its infrastructure a sector-wide news event. As we covered in our HIP-4 prediction markets launch, Hyperliquid’s binary prediction market launch specifically targeted Polymarket’s user base — and incidents like this will only accelerate the competitive pressure.
Oracle and adapter security is underappreciated — The exploit targets the resolution layer rather than the trading layer — a category of infrastructure risk that receives significantly less security attention than primary smart contracts despite being equally critical to platform integrity.
Legacy key management — If the compromised private key vector is confirmed, it highlights one of the most persistent and underaddressed risks in DeFi: old keys associated with contracts that remain active and hold or control value long after the original deployment context has changed.
The irony — Prediction markets are already seeing bets placed around this incident’s fallout — which is either a testament to the sector’s resilience or a commentary on the ecosystem’s relationship with risk.
Bottom LinePolymarket’s UMA CTF Adapter exploit on May 22, 2026 — draining an estimated $520K–$658K from backend resolution infrastructure — is a significant security incident for one of DeFi’s most prominent and valuable platforms. The attack appears contained to backend adapter contracts with user deposits and active market liquidity reported as unaffected — but the full picture will not be clear until Polymarket issues an official statement and the investigation reaches conclusions about the attack vector.
ZachXBT and on-chain analysts are tracking the attacker’s movements in real time. We will update this article as official information from Polymarket becomes available.
Disclaimer: The views and analysis presented in this article are for informational purposes only and reflect the author’s perspective, not financial advice. Technical patterns and indicators discussed are subject to market volatility and may or may not yield the anticipated results. Investors are advised to exercise caution, conduct independent research, and make decisions aligned with their individual risk tolerance.