Author
Ahmed Barakat
Author
Share it
Facts Checked by
CryptoNews Writing Group
Author
An attacker destroyed $ 600,000 from Polymarket, attacking its UMA CTF Adapter smart contract on Polygon, and a researcher on the chain. ZachXBT reporting the incident identified the attacker’s wallet as 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91.
ZachXBT first issued an emergency warning on its Telegram channel, followed by Bubblemaps users to suspend all Polymarket transactions as the platform’s losses rose to $600,000.
The proposed integration, the UMA CTF Adapter, is the integration module that allows Polymarket’s predictive markets to be configured via UMA’s Optimistic Oracle. It is not part of UMA’s audited core protocol.
Note: The best crypto to change your profile
How the Polymarket Exploit Worked: The Smart Contract Threat
The UMA CTF adapter is an integration code written and distributed by Polymarket, not an official UMA contract. Like UMA notes makes clear, protocol integrators build their own adapters on top of Optimistic Oracle, and those adapters have project-specific logic and reliability logic that falls outside the scope of UMA security.
This design opportunity is where the Polymarket project was discovered. The CTF adapter puts financial management and access to information that determines the stability of the forecast markets and the flow of money.
Polymarket exchange contracts were officially reviewed by ChainSecurity in 2021-2022, which stated that all identified issues were addressed before they were sent to the mainnet. That search did not match the UMA CTF Adapter. Taking advantage of it.
This is a recurring pattern in the Failure of the DeFi platform: Reviews only affect components submitted for review, not compilations that are saved later.
Polymarket’s history of risk-adjacent oracles is not unusual. Previous experiences related to errors entered into the Polymarket data, known as Paris, showed that the adapter and the word structure represent the weak point of the prediction markets, regardless of whether the basic contracts work properly.
On-Chain Footprint and What the Data Reveals
Onchain data tracked the attacker withdrawing 5,000 $ POL tokens every 30 seconds during the drain, an output that pointed to an automated script making repeated calls. By the time the alert was issued, the attacker had withdrawn about $600,000 according to Bubblemaps, ZachXBT’s image shows a loss of more than $520,000.
The post-exploit behavior corresponds to the initial laundering on the chain. The attacker spread the stolen funds across 15 wallet addresses in a distributed manner that led to tracking and reduced any freezing.
At the time of reporting, the amount of dispersion is still distributed among those 15 addresses without confirmation of the movement of the mixer or bridge. ZachXBT’s information on the base wallet group provides researchers with a starting point, although 15 addresses complicate any recovery without consensus.
