Polymarket Suffers Security Exploit, User Funds Safe
Quick Look
- Polymarket experienced a security exploit affecting a wallet used for internal top-up operations, potentially compromising a six-year-old private key.
- While at least $600,000 was drained, the company assures user funds and core infrastructure remain safe.
AI-generated summary
Why It Matters
Polymarket, a major prediction market platform, experienced a security breach where a wallet used for internal operations was compromised. This led to the draining of funds, though the company insists core infrastructure and user assets are secure.
Polymarket confirmed a security exploit affected part of its infrastructure, pointing to a possible private key compromise involving a wallet used for top-up operations, while saying user funds and market resolution were safe.
In a Friday X post, Polymarket developers said contracts and core infrastructure were unaffected. Polymarket product lead Akanshu Jain and multiple other Polymarket employees also said user funds and market resolution are safe.
Blockchain investigator ZachXBT first flagged the exploit as a compromise to the Polymarket-linked UMA Conditional Tokens Framework (CTF) Adapter contract on Polygon, with the exploiter draining at least $520,000.
However, Josh Stevens, Polymarket’s vice president of engineering, said the contracts were safe and that the exploit was limited to a six-year-old private key used for internal top-up operations. All permissions tied to the key have been revoked, he said.
The UMA CTF adapter is an oracle contract used to help resolve Polymarket prediction markets through UMA’s Optimistic Oracle. Polymarket is the world’s second-largest prediction market with $3.7 billion in monthly trading volume, according to DefiLlama.
Polyscan data reviewed by Cointelegraph showed more than 100 small transfers into the alleged attacker wallet. Most were worth up to 5,000 Polygon (POL) tokens.
Address of the Polymarket adapter contract attacker. Source: Polygonscan
Exploit losses climb past $600,000
Multiple blockchain data platforms reported similar onchain activity tied to the suspected exploit.
Blockchain data visualization platform Bubblemaps said in a Friday X post that the attacker continues to remove about 5,000 POL tokens every 30 seconds, amassing about $600,000 in stolen funds at the time of writing.
Source: Bubblemaps
Blockchain data platform Lookonchain estimated that about $660,000 was drained from the Polymarket-linked contract as of 9:01 am UTC on Friday.
Related: Crypto VC funding plunges to $659M in April, hits near two-year low
Polymarket integrated UMA’s optimistic oracle solution on Feb. 3, 2022, enabling automated and decentralized resolution for its prediction market contracts.
Cointelegraph contacted Polymarket and UMA for comment but had not received a response by publication.
Open Questions
- What is the exact timeline of the private key compromise?
- Were there any internal security lapses that allowed the six-year-old key to be compromised?
- Will Polymarket take further steps to enhance its security protocols beyond revoking the key?
- What is the total amount of Polygon (POL) tokens that were drained?
