Polymarket said that roughly $573,200 was moved on Polygon on May 22 after an old private key used for the platform’s internal operational wallet was compromised. ZachXBT was the first to alert about unusual fund flows related to a Polymarket admin address, before the company confirmed the incident did not stem from a contract exploit. Polymarket asserted that user funds remain safe, Polymarket and UMA contracts were not attacked, and the market resolution process was not affected.
Polymarket Confirms Internal Wallet Key Compromise
Polymarket Builders said that the platform had noted security reports related to rewards payouts, but asserted that user funds and the market resolution process were not affected. The project said that current findings point to a compromised private key of a wallet used for internal operations, not a flaw in contracts or core infrastructure.
No polymarket or UMA contracts have been exploited. All user funds are safe, and using https://t.co/7bOD8pgjQC is safe, so business as usual.
We had a 6-year-old private key that was compromised. This was in the internal top-up config, which is why funds were being sent to it.…
— Josh (@devjoshstevens) May 22, 2026
Josh Stevens, Vice President of Engineering at Polymarket, later emphasized that no Polymarket or UMA contracts were attacked. He said the compromised private key had existed for about 6 years and was inside an internal configuration used to replenish the system, causing funds to continue being sent to the related address while the incident was ongoing.
ZachXBT Flagged the Admin Address
The initial warning came from ZachXBT in his Telegram channel, when he stated that a Polymarket admin address on Polygon appeared to have been compromised. At that time, ZachXBT estimated that over $520,000 had been withdrawn and disclosed that the attacker’s wallet started with 0x8F98.
Warning post in the channel. Source: ZachXBT
Lookonchain later cited this warning along with Arkham data and provided an initial estimate of over $660,000 withdrawn. The initial on-chain signals caused the incident to be viewed as a contract exploit, before Polymarket confirmed the issue came from the private key of the internal operational wallet.
$164K Frozen After $573.2K Was Moved
In a subsequent update, Stevens said that Polymarket collaborated with ZachXBT, BitcoinVN, and ChangeNOW to freeze $164,000 of the funds moved from the compromised private key. This figure is equivalent to roughly 28.6% of the amount Polymarket confirmed was moved.
With @zachxbt leading the effort alongside @Bitcoin_Vietnam and @ChangeNOW_io, we managed to freeze $164,000 of the $573,200 in funds transferred from the compromised private key.
Actually was a team effort, and it was superb how quickly everyone reacted. Thanks to everyone who… https://t.co/LW2pHZuFG7
— Josh (@devjoshstevens) May 22, 2026
The figure published by Stevens is lower than the initial estimate of over $660,000 from Lookonchain, but higher than the level of over $520,000 stated by ZachXBT in the first warning. These figures were provided at different times during the on-chain community’s monitoring of the fund flows.
Polymarket Rotates Key After Compromise
Following the incident, Stevens said that Polymarket rotated the affected private key, revoked all related production access, and will move private key management to KMS. These steps were taken after the platform determined the incident stemmed from an old key inside internal operational processes, rather than a contract flaw.
The move to KMS marks a change in how Polymarket manages keys after the incident. For crypto platforms, private keys tied to operational wallets or admin rights can become major risk points if they remain in automated flows after many years. In this case, Polymarket said related production rights were revoked, but has not yet stated the prior scope of authority of the affected wallet.
On the same day, Polymarket Builders also announced a scheduled maintenance, during which trading was paused for about 5-10 minutes and shifted to post-only mode for 2 minutes after restarting. The project later said that the maintenance was completed and trading returned to normal, but did not clarify whether this maintenance was directly related to the private key incident.
What Polymarket Has Yet to Disclose
It currently remains unclear how the private key was compromised, what scope of access this internal operational wallet held, and whether Polymarket can recover any further portion of the assets beyond the frozen amount. Polymarket has also not clarified whether the move to KMS will apply to all operational keys or only the group of keys related to this specific incident.
A full postmortem, if published, could clarify which operational flow the affected wallet was in, why a key existing for many years was still being used, and how new control measures will change internal processes.

