
are user funds safe after $520K loss?

Polymarket’s UMA CTF Adapter contract on Polygon has reportedly been targeted in a suspected exploit, with onchain analysts warning users to suspend operations.

Summary

  • ZachXBT flagged a suspected UMA CTF Adapter exploit on Polygon with over $520K in reported losses.
  • PeckShield said two addresses were compromised and some of the stolen money was deposited into ChangeNOW already.
  • Bubblemaps warned attackers were removing 5,000 POL every 30 seconds as losses continued to rise rapidly.

A public alert from ZachXBT stated that Polymarket’s UMA CTF Adapter contract on Polygon was allegedly compromised. The alert listed more than $520,000 in losses and named the attacker’s address as 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91.

PeckShield later said ZachXBT reported that the contract “may be exploited.” The security firm said the two addresses, 0x871D…9082 and 0xf61e…4805, fetched about $520,000. It also said that part of the stolen funds has already moved to ChangeNOW.

Polymarket protocol contributor Shantikiran Chanal said the security reports are linked to the reward payment activity. He said users’ funds and market settlements are safe, adding that early findings point to “the abandonment of the wallet’s private key used for internal operations, not contracts or underlying infrastructure.”

Bubblemaps warns users to pause activity

Bubblemaps also warned that the Polymarket contract had been exploited. The company said the attackers were removing 5,000 POL every 30 seconds and estimated a loss of about $600,000 at the time of the warning.

PolygonScan data for 0x871D…9082 shows multiple outgoing transfers of 5,000 POL to an address marked as Administrator for Polymarket’s UMA CTF Adapter. Several transfers occurred about 30 seconds apart, matching the pattern flagged by Bubblemaps.

Source: PolygonScan
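
The cadence described above, same-size transfers roughly 30 seconds apart, is a pattern a wallet-monitoring job can flag. The Python below is an added example, not code from Polymarket or the analysts cited; the record layout, placeholder addresses, thresholds and the name `find_drain_runs` are assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class Transfer(NamedTuple):
    ts: int         # block timestamp, seconds since epoch
    sender: str
    recipient: str
    amount: float   # token units (POL in this article)

def find_drain_runs(transfers, interval=30, tolerance=10, min_run=4):
    """Find runs of >= min_run equal-amount transfers between one
    sender/recipient pair whose gaps are interval +/- tolerance seconds."""
    groups = defaultdict(list)
    for t in transfers:
        groups[(t.sender, t.recipient, t.amount)].append(t.ts)

    runs = []
    for (sender, recipient, amount), stamps in groups.items():
        stamps.sort()
        start = 0
        for i in range(1, len(stamps) + 1):
            # A run ends at the end of the list or at an off-cadence gap.
            broken = (i == len(stamps)
                      or abs(stamps[i] - stamps[i - 1] - interval) > tolerance)
            if broken:
                count = i - start
                if count >= min_run:
                    runs.append({"sender": sender, "recipient": recipient,
                                 "amount": amount, "count": count,
                                 "total": amount * count,
                                 "first_ts": stamps[start],
                                 "last_ts": stamps[i - 1]})
                start = i
    return runs

# Constructed sample data: placeholder addresses and made-up timestamps.
SAMPLE = [
    Transfer(1000, "0xWALLET_A", "0xDEST_1", 5000.0),
    Transfer(1031, "0xWALLET_A", "0xDEST_1", 5000.0),
    Transfer(1060, "0xWALLET_A", "0xDEST_1", 5000.0),
    Transfer(1092, "0xWALLET_A", "0xDEST_1", 5000.0),
    Transfer(1119, "0xWALLET_A", "0xDEST_1", 5000.0),
    Transfer(1500, "0xWALLET_A", "0xDEST_1", 5000.0),  # off cadence
    Transfer(1040, "0xWALLET_A", "0xDEST_2", 120.5),   # unrelated payment
    Transfer(2000, "0xWALLET_B", "0xDEST_1", 5000.0),  # single transfer
]

if __name__ == "__main__":
    for run in find_drain_runs(SAMPLE):
        print(run)
```

An alert on such a run is a prompt to check whether the sending key is still under the operator's control, since scheduled payouts can produce the same cadence.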

Polymarket’s documentation says the UMA CTF Adapter connects markets with UMA’s Optimistic Oracle. The adapter is used to request and retrieve data for the resolution of prediction markets created with the Conditional Tokens Framework (CTF).

Polymarket’s new documentation states that all outcomes on the platform are tokenized with CTF, and the outcome tokens are backed by locked pUSD. That ties the affected contract environment to how markets are created, settled, and implemented onchain.

This is not Polymarket’s first UMA-related controversy. An earlier report noted that a UMA whale was suspected of influencing the outcome of a Polymarket market related to the Trump-Ukraine mineral agreement, raising questions about voting power in the oracle and the reliability of market settlement.

The attack comes as Polymarket expands

This incident comes as Polymarket has been moving from a crypto-native forecasting venue into a broader market-structure discussion. A recent report by crypto.news said that the prediction markets led by Polymarket and Kalshi have grown into one of the fastest-growing financial sectors.

The platform has also faced regulatory pressure and market formation. A previous report noted the Wisconsin lawsuit against Polymarket, Kalshi, Coinbase, Robinhood, and Crypto.com-linked, arguing that some prediction markets operate as unlicensed gambling products.

The alleged exploit adds a new layer of technical risk to that debate. Polymarket has already come under scrutiny over regulation, settlement rules, and market integrity. A contract-level incident now brings user security and smart contract controls back into focus.

The latest warning also follows a wider series of DeFi security incidents. Recent reports included the suspended Echo Protocol bridge after unauthorized eBTC transactions, while the Verus Ethereum bridge case took a different turn after an exploiter recovered 4,052 ETH, following an 11.5 million fraudulent transfer attack.


