A private key exploit drained over $573,000 from Polymarket, on-chain security firms said on Friday. Polymarket VP of Engineering Josh Stevens confirmed the attack on X. He said that a six-year-old private key was compromised — while maintaining that user funds tied to the platform are not under threat.
The breached private key belonged to a “top-up” wallet used to fund automated rewards payouts.
“This was in the internal top-up configuration, which is why funds were being sent to it,” Stevens said. “We have rotated this key, revoked all prod permissions and are moving all PKs to KMS keys from now on.”
According to Stevens, the platform has frozen $164,000 of the $573,200 transferred out using the compromised private key.
“Really was a team effort, and it was amazing how quickly everyone reacted. Thanks to everyone who helped on this,” Stevens noted.
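As an added illustration (not Polymarket's code), the following shows the kind of outflow monitor that can be put in front of a hot "top-up" wallet like the one described above: it replays transfers over a sliding window and flags payees outside the expected rewards recipient set, fan-out to many previously unseen addresses, and outflow above a per-window budget. Addresses, amounts and thresholds are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int        # unix seconds
    to: str        # recipient address
    amount: float  # stablecoin amount, e.g. USDC


def detect_outflow_anomalies(transfers, expected_recipients, window_secs=3600,
                             budget_per_window=50_000.0, max_unknown_recipients=3):
    """Replay transfers in time order over a sliding window and return
    (ts, kind, detail) alerts for: a payee outside the expected set, fan-out to
    more unknown addresses than allowed, or outflow above the window budget."""
    alerts = []
    window = deque()     # transfers seen within the last window_secs
    window_total = 0.0
    for t in sorted(transfers, key=lambda x: x.ts):
        while window and t.ts - window[0].ts >= window_secs:
            window_total -= window.popleft().amount   # evict expired transfers
        window.append(t)
        window_total += t.amount
        if t.to not in expected_recipients:
            alerts.append((t.ts, "unknown_recipient", t.to))
        unknown = {x.to for x in window if x.to not in expected_recipients}
        if len(unknown) > max_unknown_recipients:
            alerts.append((t.ts, "fan_out", len(unknown)))
        if window_total > budget_per_window:
            alerts.append((t.ts, "budget_exceeded", round(window_total, 2)))
    return alerts


def run_example():
    """Constructed data: three routine reward payouts, then a burst of large
    transfers to addresses the rewards job has never paid (hypothetical)."""
    expected = {"0xreward1", "0xreward2", "0xreward3"}   # constructed payee set
    transfers = [
        Transfer(0, "0xreward1", 1_000.0),
        Transfer(600, "0xreward2", 1_000.0),
        Transfer(1_200, "0xreward3", 1_000.0),
        Transfer(5_000, "0xunknown1", 100_000.0),
        Transfer(5_060, "0xunknown2", 100_000.0),
        Transfer(5_120, "0xunknown3", 100_000.0),
        Transfer(5_180, "0xunknown4", 100_000.0),
    ]
    return detect_outflow_anomalies(transfers, expected)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

In practice the alert would feed a pause or freeze of the hot wallet, which is the kind of response that lets part of an outflow be recovered.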
Here’s what is known so far
On-chain sleuth ZachXBT was the first to flag the breach at Polymarket. Security firms including PeckShield, LookOnChain, and Bubblemaps quickly joined the investigation.
PeckShield, as part of its findings, claimed that Polymarket’s UMA CTF adapter contract was exploited. The UMA adapter is an intermediary contract written by Polymarket that brings real-time data on-chain to resolve the outcomes of open bets.
Stevens, however, clarified that no Polymarket or UMA contracts were exploited. Estimates of the amount stolen in the attack also differ between firms.
While Stevens put the impacted funds at over $573,000, LookOnChain claimed $660,000 was stolen, PeckShield said around $520,000 was drained, and Bubblemaps suggested Polymarket’s losses from the breach had climbed to $700,000.
“Suspected withdrawals have stopped. The stolen funds were split across 16 addresses and routed through CEXs and other services,” Bubblemaps noted, sharing the exploiter addresses.
This incident adds to the growing list of attacks targeting the DeFi sector, as centralized crypto platforms have become harder targets thanks to controls such as user KYC.
According to DeFiLlama data, Polymarket’s TVL stands at $445 million at the time of writing.
Source: DeFiLlama
For Polymarket, this is the first confirmed loss of operational funds resulting from an exploit. Since its launch in 2020, the platform had maintained a clean track record with respect to smart contract vulnerabilities.