Loading prices…
🩸BEARISH

Polymarket's UMA CTF Adapter Exploited for $520K on Polygon

A targeted exploit on the prediction market's optimistic-oracle bridge — not its main AMM — underscores how interconnected DeFi composability keeps turning a single adapter into a system-level risk…

Polymarket's UMA CTF Adapter contract on Polygon was the target of a suspected attack flagged by on-chain investigator ZachXBT, with losses exceeding $520K. The incident once again shows how DeFi composability turns a single adapter contract into a system-level risk surface for the protocols that depend on it.

Why it matters

The UMA CTF Adapter is the bridge between Polymarket's Conditional Token Framework positions and UMA's optimistic oracle — the price-discovery layer that resolves prediction market outcomes. An exploit there doesn't just hit a smart contract; it compromises the integrity of price feeds that downstream markets, including leveraged or synthetic exposure to prediction market shares, rely on. For a venue that has branded itself as the largest prediction market in the world, the reputational and counterparty cost extends well beyond the dollar figure.

Market impact

The two affected contracts and the attacker's address have been publicly identified, allowing white-hat responders and Polymarket's own team to trace the flow. At a $520K loss, the hit is contained — not a nine-figure bridge drain — but it lands on top of a year of repeated prediction-market and oracle-adapter exploits that have steadily eroded trust in the wrapper layer between DeFi primitives and their consumer apps. Expect a post-mortem on the adapter's access controls and a closer look at how UMA's optimistic oracle handles disputed resolutions.

Related tokens
$POL

Frequently asked questions

  1. What exactly was exploited on Polymarket?

    The UMA CTF Adapter contract on Polygon, which bridges Polymarket's Conditional Token Framework positions to UMA's optimistic oracle — the layer that resolves prediction-market outcomes. It is not Polymarket's main AMM.

  2. How much was lost in the Polymarket exploit?

    Losses exceeded $520,000 according to the on-chain investigator ZachXBT, who first flagged the incident.

  3. Which contracts and addresses are involved?

    The affected contracts are 0x871D7c0f9E19001fC01E04e6cdFa7fA20f929082 and 0x91430CaD2d3975766499717fA0D66A78D814E5c5. The attacker's address is 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91.

  4. Who reported the Polymarket attack?

    On-chain investigator ZachXBT issued a community alert after spotting suspicious activity on the adapter contract.

  5. Why does a $520K loss matter for a venue this size?

    The dollar figure is contained, but the exploited layer is the oracle bridge used by downstream markets and synthetic exposure. A compromise there affects outcome resolution and price feeds, not just one user's wallet.

Source attribution
Aggregated from WuBlockchain · Verified · Last refreshed 46d ago
Open original →