Polymarket's UMA CTF Adapter was exploited on Polygon when a 6-year-old internal top-up operations private key was compromised, allowing the attacker to drain ~5,000 POL every 30 seconds for ~$520K-$700K, with funds split across 16 wallets and routed through ChangeNOW and other CEXs.
On May 22, 2026, Polymarket's UMA CTF (Conditional Token Framework) Adapter was exploited on Polygon when an attacker compromised a 6-year-old internal operations private key used for top-up operations. The key had been in continuous operational use since approximately 2020 and held authorization rights to perform automated top-up transactions on the UMA CTF Adapter contracts that underpin Polymarket's conditional token infrastructure.\n\nWith control of the top-up operations key, the attacker was able to repeatedly trigger authorized withdrawal-style operations against the UMA CTF Adapter, draining approximately 5,000 POL every 30 seconds in an automated loop. The high frequency and small per-transaction size were designed to maximize extraction while staying below thresholds that might trigger automated circuit breakers or manual intervention. Over the duration of the attack, the cumulative drain totaled approximately $520K to $700K in POL, depending on the exact POL price used at the time of valuation.\n\nThis incident is the same event as the previously reported 'Polymarket employee wallet' compromise — both descriptions refer to the same compromised internal operations private key and the same automated draining mechanism against the UMA CTF Adapter. The two reports have been merged into this single entry to avoid double-counting. The long-lived nature of the compromised key (6 years in continuous use) highlighted the operational risk of retaining aging internal keys with privileged on-chain access without rotation or scope reduction.
The drained POL was split across 16 attacker-controlled wallets on Polygon to fragment tracking. From those wallets, the funds were routed through ChangeNOW and other centralized exchanges (CEXs) for off-chain disposal and cross-chain movement. The 16-wallet split and CEX routing pattern is consistent with a deliberate laundering chain designed to break on-chain traceability before off-ramping. No recovery has been reported at the time of writing.
N/A