Polymarket's UMA CTF Adapter Contract Exploited for Up to $658,000 in POL Tokens

Key Takeaways
- An attacker exploited Polymarket's UMA CTF Adapter contract on Polygon, draining between $520,000 and $658,000 in POL tokens as of May 19, 2025
- The exploit involved automated withdrawals of 5,000 POL every 30 seconds, with funds dispersed across 15 wallet addresses
- The UMA CTF Adapter is custom code deployed by Polymarket that was not covered by the 2021-2022 ChainSecurity audit of core contracts
- No official statement from Polymarket or UMA Protocol confirming loss amounts or user fund safety was available as of May 19, 2025
- Critical details including exploit timeline, current contract status, and whether the attack is ongoing remain unclear
An attacker exploited a smart contract associated with Polymarket on the Polygon network, draining between $520,000 and $658,000 in POL tokens through an automated withdrawal scheme, according to multiple secondary reports published May 19, 2025.
The Exploit
The attack targeted Polymarket's UMA CTF Adapter smart contract on Polygon. During the active drain phase, the attacker withdrew 5,000 POL tokens every 30 seconds, according to CryptoNews. The stolen funds were subsequently dispersed across 15 separate wallet addresses.
On-chain investigator ZachXBT identified the attacker's wallet as 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91 and issued the first emergency alert through his Telegram channel, per CryptoNews. Blockchain analytics firm Bubblemaps warned users to pause all Polymarket activity in response to the ongoing situation.
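The withdrawal pattern reported above (a fixed amount leaving one contract on a fixed timer) is the kind of signal a monitoring rule can catch early. The sketch below is an added example, not code from Polymarket, UMA or any of the cited sources. The record format, the thresholds and the names ADAPTER, WALLET_X and USER_n are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

def sample_transfers():
    """Constructed outflow records: (unix_ts, source_contract, recipient, amount_pol).
    All names are placeholders, not addresses from the incident."""
    drain = [(1000 + 30 * i, "ADAPTER", "WALLET_X", 5000) for i in range(8)]
    normal = [(1010, "ADAPTER", "USER_1", 120), (1500, "ADAPTER", "USER_2", 5000),
              (2900, "ADAPTER", "USER_1", 75), (4000, "ADAPTER", "USER_3", 5000)]
    return sorted(drain + normal)

def longest_steady_run(stamps, jitter_s):
    """Return (transfer_count, period_s) for the longest stretch of sorted
    timestamps whose gaps stay within jitter_s of the stretch's first gap."""
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    best_len, best_gap, i = 0, 0, 0
    while i < len(gaps):
        j = i
        while j < len(gaps) and abs(gaps[j] - gaps[i]) <= jitter_s:
            j += 1
        if j - i > best_len:
            best_len, best_gap = j - i, gaps[i]
        i = j  # the gap that broke the run starts the next candidate run
    return best_len + 1, best_gap

def find_periodic_drains(transfers, min_run=5, jitter_s=5):
    """Flag equal-amount outflows from one contract that repeat on a fixed timer.
    The recipient is ignored, so the rule keys on the contract's outflow only."""
    by_key = defaultdict(list)
    for ts, source, _recipient, amount in transfers:
        by_key[(source, amount)].append(ts)
    alerts = []
    for (source, amount), stamps in by_key.items():
        count, period = longest_steady_run(sorted(stamps), jitter_s)
        if count >= min_run:
            alerts.append({"source": source, "amount": amount, "count": count,
                           "period_s": period, "total": amount * count})
    return alerts

if __name__ == "__main__":
    for alert in find_periodic_drains(sample_transfers()):
        print(alert)
```

Amounts are whole POL for readability; records decoded from chain data would need converting from the token's base units first.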
Loss Amount Uncertainty
The exact loss amount remains unclear, with different sources reporting varying figures. ZachXBT reported over $520,000, Bubblemaps reported the total approaching $600,000, and CoinProbe reported $658,000. No official statement from Polymarket or UMA Protocol confirming the precise total has been published in available sources.
Technical Context
The UMA CTF Adapter is custom integration code written and deployed by Polymarket, not a canonical UMA contract, according to CryptoNews. While Polymarket's core exchange contracts underwent a formal security audit by ChainSecurity in 2021-2022, this audit reportedly did not cover the UMA CTF Adapter that was exploited. No direct link to the ChainSecurity audit report was provided in available sources.
User Fund Status Unclear
CoinProbe reported that user funds are "reportedly safe" despite the exploit, but provided no source or official statement confirming this claim. As of May 19, 2025, no official statement from Polymarket or UMA Protocol addressing the incident was available in the research materials.
Outstanding Questions
Several critical details remain unknown: the precise timeline of when the exploit began and was detected, whether the exploit is ongoing or has been patched, the current status of affected contracts, and official confirmation of the total loss amount and user fund safety.
Coinasity's Take
This incident highlights the persistent risks in DeFi infrastructure, particularly with custom integration code that may fall outside the scope of formal security audits. The variance in reported loss figures, from $520,000 to $658,000, and the absence of official statements from Polymarket or UMA Protocol as of May 19 underscore the need for transparent, timely incident response. Until Polymarket issues an official post-mortem with on-chain evidence and clarity on user fund safety, users should exercise caution. The fact that a custom adapter, not core audited contracts, was the attack vector suggests potential gaps in comprehensive security coverage for all platform components.
About Arthur J. Beckett
Core Developer at Coinasity.com | Blockchain Researcher
Leading the tech behind Coinasity, this account shares insights from a core dev focused on secure, scalable blockchain systems. Passionate about infrastructure, privacy, and emerging altcoin ecosystems.











