Attackers drain more than $520,000 from Polymarket contract

A Polymarket security incident drained more than $520,000 in collateral from the platform’s UMA CTF Adapter contract on Polygon on May 22, 2026.

On-chain investigator ZachXBT flagged the incident in a community alert and pointed to a compromised deployer address as the likely entry point for the attack. The drain played out across a short window around 09:00 UTC.

No official notice from Polymarket or UMA had been posted at the time of reporting.

How the Polymarket drain played out?

The hack targeted the Polymarket UMA CTF Adapter Admin Contract at address 0x91430C…E5c5, which is an upgradeable proxy that manages the main adapter that holds the market collateral. The blockchain reveals the initial events recorded on the Admin Contract at around 09:00:30 UTC. That should raise an alarm about a proxy pattern exploit.

The initial events were quickly followed by transfer events for Polygon’s native currency, POL. At 09:00:49, the adapter admin received 5,000 POL from a Polymarket address. Five seconds later, it sent close to 9,994 POL out to the attacker-controlled account. The pattern repeated at 09:01:19 with another 5,000 POL inflow, followed by a transfer of close to 5,000 POL to the same attacker address at 09:01:26.

The two-step transfer moved more than 10,000 POL out of the adapter in under a minute. The drained addresses listed by ZachXBT, 0x871D7c0f and 0xf61e39C7, had sent collateral into the adapter that the attacker then withdrew through the admin contract. The primary attacker address received the POL transfers and began consolidating the funds shortly afterward.

A compromised key, not a smart contract bug

In this way, the chain of initializing calls to the admin contract shows the risk of key theft and initialization vulnerability rather than any issue with the UMA optimistic oracle logic. The contract was based on the UMA oracle, but the breach occurred in the access control level, and the hacker received the ability to perform admin-only calls.

It can be assumed that either the deployment process happened with the help of a key compromised by attackers or an uninitialized contract proxy was available for exploitation. After receiving administrator powers, the hacker could withdraw the whole collateral balance without any need for custom exploits.

The Polymarket hack resembles similar events reported earlier in 2026. For instance, the Step Finance hack of about $27.3 million happened due to a breach of the executive key and the multi-sig mechanism at the beginning of 2026.

A similar case is the Drift Protocol hack of about $285 million; it happened in April 2026 as a result of a socially engineered admin key, which enabled whitelisting worthless collateral. There were no software vulnerabilities in those smart contracts.

Attacker wallet activity and tracing

The address 0x8F98075d should be flagged as highly suspicious because it was the destination for both POL collateral transfers and is the greatest opportunity for movement of stolen value out of or into the Polygon network.

Similarly, the intermediary address involved in initializing calls 0x65070BE9 can be assumed to be controlled by attackers and deserves similar monitoring.

Based on past experiences, there is a possibility that the next step will involve cross-chain bridges and mixing. In the case of Drift, the stolen funds were partially bridged to Ethereum via the cross-chain protocol belonging to Circle prior to laundering. There were no reports as of reporting of large outgoing bridges from the suspect addresses.

If you're reading this, you’re already ahead. Stay there with our newsletter.