Polymarket saw a live drain of POL tokens that briefly looked like a contract-level exploit, but the team has since ruled that out and pointed the investigation at the platform's centralized login layer. The incident is the most visible security stress test the prediction-market sector has faced since crossing mainstream adoption thresholds in 2025.
Why it matters
Crypto's prediction-market category pulled in roughly $64B in traded volume in 2025 — its product–market fit moment — but almost all of that flow still moves through email, social, or custodial login paths rather than self-custodied wallets. That keeps onboarding easy and lets the venues look like consumer apps, but it also concentrates the attack surface: the keys that protect user balances live on infrastructure Polymarket itself operates, not on chain. A drain that is not a contract exploit is, by definition, a login-layer exploit, and that is the structural risk the rest of the category is now repricing.
Market impact
POL sold off into the disclosure, and competing prediction-market venues with similar login stacks traded lower in sympathy even though their contracts were not implicated. The longer tail of the story is regulatory: prediction markets have so far sat in a grey zone where their resolution mechanisms are not formally registered as derivatives or as betting, and a credential-based drain makes that ambiguity harder to defend in front of US and EU policymakers already circling the sector.
Frequently asked questions
-
Did Polymarket get hacked?
The Polymarket team has ruled out a contract-level exploit. The active drain of POL is being investigated as a credential or login-layer issue rather than a bug in the on-chain contracts.
-
How were the POL tokens drained if the contracts are safe?
Prediction-market venues like Polymarket route most retail sessions through centralized logins, meaning session keys live on infrastructure the platform operates. A drain that is not a contract exploit runs through those credentials instead.
-
Why is the login layer the structural risk for prediction markets?
Crypto prediction markets pulled in roughly $64B in 2025, but almost all of that flow moved through email, social, or custodial logins rather than self-custodied wallets. Easy onboarding concentrates the attack surface on infrastructure the venue itself controls.
-
What happened to the POL price during the incident?
POL sold off into the disclosure, and competing prediction-market venues with similar login stacks traded lower in sympathy, even though their contracts were not implicated in the drain.
-
Could this incident trigger regulation of prediction markets?
Regulators in the US and EU have already been examining prediction-market resolution rules. A credential-based drain makes the sector's 'we are not a betting venue' defence harder to sustain in any future enforcement or rulemaking conversation.
CryptoSlate