On-chain investigator ZachXBT has raised concerns about an attack on the Polymarket-related UMA CTF Adapter contract on the Polygon network. The platform's team confirmed that they are aware of the incident.
According to them, the investigation suggests a possible leak of the private key for a wallet used for internal account funding operations, rather than a breach of contracts or vulnerabilities in the core infrastructure.
Experts from PeckShield confirmed that funds were withdrawn from two addresses. Some of the stolen assets were sent through the non-custodial exchange ChangeNOW.
#PeckShieldAlert #ZachXBT reports that the Polymarket UMA CTF Adapter contract on #Polygon has potentially been exploited.
Two addresses (0x871D...9082 and 0xf61e...4805) have been drained of approximately $520K.
The attacker has already deposited a portion of the stolen funds… pic.twitter.com/ogne5K58mC
— PeckShieldAlert (@PeckShieldAlert) May 22, 2026
Experts from Bubblemaps noted that hackers were withdrawing about 5000 POL every 30 seconds. According to their data, the total damage amounted to around $700,000.
UPDATE: ~$700k exploited
• Suspected withdrawals have stopped
• Polymarket stated that the incident was isolated and user funds are safeThe stolen funds were split across 16 addresses and routed through CEXs and other services
Exploiter addresses:… https://t.co/gSXWv7UywX
— Bubblemaps (@bubblemaps) May 22, 2026
A representative from Polymarket, Shantikiran Chanal, clarified that the incident is related to reward payouts.
We’re aware of the security reports linked to rewards payout. User funds and market resolution are safe.
Findings point to a private key compromise of a wallet used for internal operations, not contracts or core infrastructure.
More updates to follow.
— Shantikiran Chanal (@ShantikiranC) May 22, 2026
The UMA CTF Adapter contract is used for market resolution via UMA's Optimistic Oracle. On GitHub, the project is described as an adapter for obtaining resolution data and fulfilling market conditions.
It is worth noting that in May, several platforms including Ekubo, TrustedVolumes, THORChain, Verus, Echo, and Map Protocol were also targeted by hacking attacks.