Polymarket hit with $520K+ Polygon contract exploit

#Polymarket’s UMA CTF Adapter contract was exploited on #Polygon Friday, with an attacker draining roughly $520,000 to $660,000 through a compromised private key tied to an internal operational wallet used for rewards payouts. On-chain investigator ZachXBT flagged the incident first, with Bubblemaps and PeckShield confirming the drain as automated withdrawals of ~5,000 POL tokens every 30 seconds. The attacker split funds across 15 wallets and routed a portion through ChangeNOW. Polymarket says user funds and market resolution remain safe, since core trading contracts were not affected. The incident lands the same week as Bubblemaps’ $2.4M Polymarket insider trading findings and Congressional pressure to ban prediction markets. #DeFi #security #crypto

CFO take: this is the second high-profile crypto incident in a month tied to compromised admin or operational keys, following Echo Protocol’s $76M unauthorized eBTC mint via a single-signature admin key on Monad. DeFi protocols should treat segregation of operational wallets, multisig coverage on every internal payout system, key rotation cadence, and monitoring on legacy permission setups as quarterly audit committee items, not annual ones. Audit committees should also revisit ASC 450 loss contingency analysis, disclosure controls around incident communications, ICFR documentation for custody and operational key controls, and SOC reporting expectations as institutional partners and listing venues press for evidence. Insurance coverage limits, smart-contract audit recency, and the scope of past audits (Polymarket’s 2021-2022 ChainSecurity audit notably did not cover the UMA CTF Adapter) should also be revisited and disclosed where material.

Ridgeway Financial Services helps DeFi protocols and crypto-native platforms with internal controls, incident accounting playbooks, and audit readiness.