Polymarket stated that approximately $573,200 was moved on Polygon on May 22 after an old private key used for the platform’s internal operational wallet was compromised. ZachXBT was the first to flag unusual fund flows related to a Polymarket admin address, before the company confirmed that the incident did not stem from a contract exploit. Polymarket asserted that user funds remain safe, that Polymarket and UMA contracts were not attacked, and that the market resolution process was not affected.
Polymarket Developers stated that the platform noted security reports related to rewards payouts, but asserted that user funds and the market resolution process were not affected. The project stated that current findings point to a compromised private key of a wallet used for internal operations, not a flaw in contracts or core infrastructure.
https://twitter.com/devjoshstevens/status/2057768173915484505?ref_src=twsrc%5Etfw
Josh Stevens, Vice President of Engineering at Polymarket, later emphasized that no Polymarket or UMA contracts were attacked. He said the compromised private key had existed for about 6 years and was part of an internal configuration used to replenish the system, so funds continued to be sent to the related address while the incident was ongoing.
The initial warning came from ZachXBT in his Telegram channel, when he stated that a Polymarket admin address on Polygon appeared to have been compromised. At that time, ZachXBT estimated that over $520,000 had been withdrawn and disclosed that the attacker’s wallet started with 0x8F98.
Warning post in the channel. Source: ZachXBT
Lookonchain later cited this warning along with Arkham data and provided an initial estimate of over $660,000 withdrawn. The initial on-chain alerts caused the incident to be viewed as a contract exploit, before Polymarket confirmed the issue came from the private key of the internal operational wallet.
In a subsequent update, Stevens stated that Polymarket collaborated with ZachXBT, BitcoinVN, and ChangeNOW to freeze $164,000 of the funds moved from the compromised private key. This figure is equivalent to approximately 28.6% of the amount Polymarket confirmed was moved.
https://twitter.com/devjoshstevens/status/2057810397990724009?ref_src=twsrc%5Etfw
The figure published by Stevens is lower than the initial estimate of over $660,000 from Lookonchain, but higher than the figure of over $520,000 stated by ZachXBT in the first warning. These figures were provided at different times while the on-chain community was tracking the fund flows.
Following the incident, Stevens stated that Polymarket rotated the affected private key, revoked all associated production access, and will move private key management to KMS. These moves were made after the platform determined the incident stemmed from an old key within internal operational processes, rather than a contract flaw.
The move to KMS marks a change in how Polymarket manages keys after the incident. For crypto platforms, private keys tied to operational wallets or admin rights can become major risk points if they remain in automated flows after many years. In this case, Polymarket said associated production rights have been revoked, but has not yet stated the prior scope of authority of the affected wallet.
On the same day, Polymarket Developers also announced a scheduled maintenance, during which trading was paused for about 5-10 minutes and shifted to post-only mode for 2 minutes after restarting. The project later stated that the maintenance was completed and trading returned to normal, but did not clarify whether this maintenance was directly related to the private key incident.
It currently remains unclear how the private key was compromised, what scope of access this internal operational wallet held, and whether Polymarket can recover any further portion of the assets beyond the frozen amount. Polymarket has also not clarified whether the move to KMS will apply to all operational keys or only the group of keys related to this specific incident.
A full postmortem, if published, could clarify which operational flow the affected wallet was in, why a key existing for many years was still being used, and how new control measures will change internal processes.