The prediction market Polymarket suffered an exploit via the UMA CTF Adapter smart contract. The alert came from on-chain investigator ZachXBT. In total, more than 520,000 USD flowed out, and the incident was still active at the time of the first reports.
Polymarket is a decentralised prediction market platform on Polygon, where users bet with USDC on the outcomes of real-world events. The UMA CTF Adapter is the on-chain bridge contract between two systems: it links the Gnosis Conditional Token Framework with the UMA Optimistic Oracle. The framework is the foundation of all Polymarket markets, while the oracle verifies market outcomes. ZachXBT published the alert this morning. Polymarket and UMA Protocol have not issued an official statement at the time of publication.
Update May 22, 2026, 11:52 a.m. CET: An X account belonging to the Polymarket team has now publicly commented on the attack. According to initial findings, a wallet’s private key was compromised. According to the post, the smart contracts and core infrastructure are secure.
Three addresses identified as Polymarket attackers
The starting point of public observation was the ZachXBT alert. PolygonScan now labels the central exploiter address 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91 as "Polymarket Adapter Exploiter 1" and shows 194 transactions for it. PolygonScan also explicitly attributes the contract 0x91430CaD2d3975766499717fA0D66A78D814E5c5 to the "Polymarket: UMA CTF Adapter Admin". This contract holds 905,419 transactions in total, and the funds were drained from it.
The Exploiter 1 address initially received larger amounts of Polygon (POL) from the Adapter Admin contract and then forwarded them to at least two further addresses: Exploiter 2 received roughly 119,954 POL, while Exploiter 3 took about 105,000 POL. Two additional drain addresses appear in the alert: 0x871D7c0f9E19001fC01E04e6cdFa7fA20f929082 and 0xf61e39C7EB1E2Ff5af3A24bCA88D40fD11594805. The drained funds primarily sit in POL rather than USDC, so the cited figure of 520,000 USD merely reflects a price conversion.
The final amount remains open, and the incident was still active during research. According to the block explorer, the last PolygonScan activity of the exploiter address occurred only minutes before the investigation. Neither Polymarket nor UMA Protocol has commented publicly so far, and independent confirmation by established forensics firms such as PeckShield or BlockSec likewise remains pending.
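The fund flow described in this section can be reconstructed from a transfer export with a time-ordered trace. The sketch below is an added example, not tooling from ZachXBT, Polymarket or PolygonScan; the transfer rows, the Exploiter 2/3 placeholder addresses, the allowlisted counterparty and the amounts sent by the admin contract are constructed, and only the two quoted addresses and the two forwarded amounts come from the article.

```python
# Addresses quoted in the article, lower-cased for comparison.
ADMIN = "0x91430CaD2d3975766499717fA0D66A78D814E5c5".lower()
EXPLOITER_1 = "0x8F98075db5d6C620e8D420A8c516E2F2059d9B91".lower()
# Placeholders: the article names Exploiter 2 and 3 without mapping addresses to them.
EXPLOITER_2 = "0xexploiter-2-placeholder"
EXPLOITER_3 = "0xexploiter-3-placeholder"
RELAYER = "0xroutine-counterparty-placeholder"  # hypothetical allowlisted payee
OLD_PEER = "0xunrelated-peer-placeholder"       # hypothetical earlier counterparty

# Constructed sample rows: (unix_ts, sender, recipient, whole POL).
SAMPLE_TRANSFERS = [
    (1000, ADMIN, RELAYER, 3),
    (1100, EXPLOITER_1, OLD_PEER, 10),          # predates the drain, must be ignored
    (2000, ADMIN, EXPLOITER_1, 150_000),        # constructed amount
    (2060, ADMIN, EXPLOITER_1, 100_000),        # constructed amount
    (2300, EXPLOITER_1, EXPLOITER_2, 119_954),  # amount from the article
    (2400, EXPLOITER_1, EXPLOITER_3, 105_000),  # amount from the article
]

def trace_outflows(transfers, source, allowlist=frozenset(), max_hops=3):
    """Follow funds leaving `source` in chronological order.

    A transfer is followed only if its sender had already received traced
    funds when it happened. Returns {address: {"hop": n, "received": total}}.
    """
    source = source.lower()
    hops = {source: 0}   # address -> distance from the drained contract
    received = {}        # address -> traced POL received
    for _ts, sender, recipient, amount in sorted(transfers, key=lambda t: t[0]):
        sender, recipient = sender.lower(), recipient.lower()
        if sender not in hops or hops[sender] >= max_hops:
            continue     # sender held no traced funds yet, or is too far out
        if recipient == source or recipient in allowlist:
            continue     # routine counterparties are not flagged
        hops.setdefault(recipient, hops[sender] + 1)
        received[recipient] = received.get(recipient, 0) + amount
    return {a: {"hop": hops[a], "received": received[a]} for a in received}

if __name__ == "__main__":
    flagged = trace_outflows(SAMPLE_TRANSFERS, ADMIN, allowlist={RELAYER})
    for addr, info in sorted(flagged.items(), key=lambda kv: kv[1]["hop"]):
        print(info["hop"], addr, info["received"])
```

The trace marks addresses and gross amounts only; it does not net out what an intermediate address still holds.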
UMA CTF Adapter as the technical interface between oracle and prediction market
The UMA CTF Adapter performs a narrow but critical function: it connects the Gnosis Conditional Token Framework, which mints ERC-1155 outcome tokens for each Polymarket market, with the UMA Optimistic Oracle. Upon market initialisation, the contract stores ancillary data, timestamps and reward tokens and then sends a request to the oracle. Proposers can then submit answers, and they must post a bond to do so. If no one challenges the answer within roughly two hours, it counts as correct. In the event of a second dispute, the request escalates to UMA's Data Verification Mechanism, which rules within 48 to 72 hours. At market resolution, the adapter finally burns the ERC-1155 tokens and returns the USDC.e collateral to the entitled parties.
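The request lifecycle described above can be written down as a small state machine, which makes the timing rules explicit. This is an added, simplified model and not the adapter's Solidity code; the class and state names and the bond value are hypothetical, and the handling of the first dispute (the answer is discarded and the request reopened) is an assumption, since the article only states what happens on the second.

```python
from dataclasses import dataclass

LIVENESS = 2 * 60 * 60  # challenge window in seconds ("roughly two hours")

@dataclass
class OracleRequest:
    state: str = "REQUESTED"  # REQUESTED -> PROPOSED -> RESOLVED or ESCALATED_TO_DVM
    disputes: int = 0
    answer: str = ""
    proposed_at: int = 0

    def propose(self, answer, bond, now):
        if self.state != "REQUESTED":
            raise ValueError("no open request to answer")
        if bond <= 0:
            raise ValueError("a proposer must post a bond")
        self.state, self.answer, self.proposed_at = "PROPOSED", answer, now
        return self.state

    def dispute(self, now):
        if self.state != "PROPOSED" or now >= self.proposed_at + LIVENESS:
            raise ValueError("no proposal inside its challenge window")
        self.disputes += 1
        self.answer = ""
        # Assumption: the first dispute reopens the request; per the article,
        # the second one escalates to the Data Verification Mechanism.
        self.state = "REQUESTED" if self.disputes == 1 else "ESCALATED_TO_DVM"
        return self.state

    def settle(self, now):
        if self.state != "PROPOSED" or now < self.proposed_at + LIVENESS:
            raise ValueError("proposal is still open to challenge")
        self.state = "RESOLVED"
        return self.answer

def replay(events):
    """Apply (method, *args) tuples in order and return (state, answer)."""
    request = OracleRequest()
    for name, *args in events:
        getattr(request, name)(*args)
    return request.state, request.answer

if __name__ == "__main__":
    # Constructed event sequences; the bond of 750 is an arbitrary sample value.
    print(replay([("propose", "YES", 750, 0), ("settle", LIVENESS)]))
    print(replay([("propose", "YES", 750, 0), ("dispute", 100),
                  ("propose", "NO", 750, 200), ("dispute", 300)]))
```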
The exact attack vector used by the exploiters has not been publicly disclosed. However, the on-chain data show direct fund outflows from the admin contract, and no typical pattern of oracle manipulation appears so far: for example, no questionable proposer answer surfaced shortly before market resolution. Suspicion therefore primarily points to a smart contract or access control weakness in the adapter itself, although no source confirms this at the time of research.
Originally, several adapter versions existed, and they remain visible on PolygonScan. With the CLOB v2 upgrade in April 2026, Polymarket introduced new smart contracts and pUSD as collateral; pUSD now gradually replaces the stablecoin USDC.e in the new markets. Whether the exploited adapter relates to an older version or one that still serves active markets remains open at present.
Polymarket exploit hits the core contract for the first time
Polymarket has a broad history of security incidents, but all of them affected the periphery. In September 2024, users lost more than 500,000 USD through a phishing campaign that ran via the login path of a third-party provider. In December 2024, attackers compromised the authentication service Magic Labs and drained accounts despite two-factor protection, while the smart contracts themselves remained untouched. In March 2025, an actor holding 25% of UMA voting power manipulated a 7 million USD market concerning the Ukraine minerals agreement; this exposed an economic incentive weakness, but no technical gap. In February 2026, attackers exploited an off-chain/on-chain synchronisation weakness to invalidate trades, which mainly hit trading bots. In April 2026, the actor "xorcat" claimed the theft of 300,000 records; the claim included an exploit kit with CVE-2025-62718 at a CVSS score of 9.9.
The common denominator of these incidents has consistently been the auth provider, off-chain infrastructure, governance layer or data protection layer. By contrast, the current incident targets the core smart contract directly. If confirmed, this would mark a qualitatively different category. It also strikes the platform at an economic peak: Q1 2026 trading volume reached 26.2 billion USD, and March crossed 10 billion USD in a single month for the first time. In April, roughly 291,000 transactions ran across the platform per day. A TVL of 514 million USD followed the CLOB v2 rollout, alongside the ICE/NYSE investment at a valuation of 8 billion USD.








