An attacker drained over $600,000 from Polymarket, attacking its UMA CTF Adapter smart contract on Polygon, with on-chain investigator ZachXBT flagging the exploit and identifying the attacker’s wallet as 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91.
ZachXBT issued an emergency alert first on his Telegram channel, followed by Bubblemaps warning users to pause all Polymarket activity as the platform’s losses climbed toward $600,000.
The targeted contract, the UMA CTF Adapter, is the custom integration layer that allows Polymarket’s prediction markets to settle via UMA’s Optimistic Oracle. It is not part of UMA’s audited core protocol.
Discover: The Best Crypto to Diversify Your Portfolio
How the Polymarket Exploit Worked: The Smart Contract Vulnerability
The UMA CTF Adapter is custom integration code written and deployed by Polymarket, not a canonical UMA contract. As UMA’s own documentation makes clear, protocol integrators build their own adapter contracts on top of the Optimistic Oracle, and those adapters carry project-specific logic and trust assumptions that fall entirely outside UMA’s security model.
This structural gap is where the Polymarket exploit found its surface. The CTF Adapter encodes the custom economics and access control that determine how prediction market positions settle and how funds flow.
ALERT: Polymarket UMA CTF Adapter Exploited
The Adapter acts as a bridge between the platform and the UMA oracle.
It was via this bridge that the hacker managed to manipulate the system.
Over $500K has been stolen.
The hacker is currently laundering the stolen funds on… pic.twitter.com/K8EcR1SqmW
— ProMint (@ProMint_X) May 22, 2026
Polymarket’s core exchange contracts underwent a formal security audit by ChainSecurity in 2021–2022, which reported that all critical issues identified were addressed before mainnet deployment. That audit did not cover the UMA CTF Adapter. The exploit did.
This is a recurring pattern in DeFi platform failures: audits cover only the components submitted for review, not the integration layers bolted on afterward.
Polymarket’s history with oracle-adjacent risk is not new. A prior incident involving erroneous off-chain data fed into Polymarket’s oracle stack, the so-called Paris case, demonstrated that adapter and oracle design represent a systemic weak point for prediction markets, independent of whether the base contracts function correctly.
On-Chain Footprint and What The Data Reveals
Onchain data tracked the attacker removing 5,000 $POL tokens every 30 seconds during the active drain phase, a withdrawal cadence that points to an automated script executing repeated contract calls. By the time the alert was issued, the attacker had extracted approximately $600,000 according to Bubblemaps, with ZachXBT’s figure placing confirmed losses at over $520,000.
The post-exploit behavior is consistent with early-stage on-chain laundering. The attacker dispersed the stolen proceeds across 15 separate wallet addresses in a fragmentation pattern designed to complicate chain-of-custody tracing and slow any freeze or recovery attempt.
As of the time of reporting, the dispersed funds remain distributed across those 15 addresses with no confirmed movement to a mixer or cross-chain bridge. ZachXBT’s public identification of the originating wallet gives investigators a clear on-chain starting point, though the 15-address dispersal complicates any downstream recovery without exchange cooperation.
Discover: The Best Token Presales
The post Polymarket Exploit: 5,000 POL Drained every 30 Seconds appeared first on Cryptonews.
