Polymarket Hit By ‘Internal Top-Up’ Wallet Exploit, $700K Drained

On-chain investigator ZachXBT flagged a suspected drain tied to Polymarket on Friday, saying over $520,000 had been taken from addresses linked to the prediction market’s Polygon infrastructure.

Polymarket developers later acknowledged the incident and said it involved an internal rewards wallet and did not affect user funds or market outcomes.

“Findings point to a private key compromise of a wallet used for internal top-up operations, not contracts or core infrastructure,” the Polymarket Developers account tweeted.

Over an hour after the initial disclosure, on-chain analytics platform Bubblemaps estimated the loss at about $700,000, saying the funds were split across 16 addresses and routed through centralized exchanges and other services.

Prediction markets on Polymarket use contracts that record bets and pay winners after an outside service confirms the result. The wallet involved in Friday’s incident appears to have been used for rewards payments, separate from the contracts that handle user funds and market outcomes.

Operational risks

Andy Yajin Zhou, associate professor at the Chinese University of Hong Kong and co-founder of on-chain security firm BlockSec, told Decrypt their initial review was consistent with the Polymarket developers’ account that the incident involved a private key compromise rather than a flaw in the platform’s core systems.

“Based on our initial analysis, this does not appear to be a flaw in the adapter contract logic or prediction market infrastructure itself,” Zhou said. “At this stage, we have not identified evidence suggesting a protocol-level exploit, oracle manipulation, or a generalized vulnerability in adapter-based market infrastructure.”

Incidents like this point to operational security risk, including key management, access control, signing policies, monitoring, and other safeguards around wallets used for routine operations, Zhou explained.

Blockchain security firm Cyvers reached a similar conclusion, saying the incident appeared to affect operational or admin wallets, instead of Polymarket’s core contracts or its system used for settling markets, pointing to a broader industry risk around privileged wallets.

“Even when prediction market protocols are secure at the smart contract level, privileged adapter or admin wallets remain a critical attack surface if key management or operational security is compromised,” Hakan Unal, senior security operation lead at Cyvers, told Decrypt.

The incident fits a broader shift in how attackers are targeting crypto projects, Dan Dadybayo, strategy lead at crypto infrastructure developer Horizontal Systems, told Decrypt.

“This increasingly looks like a key management failure rather than a smart contract exploit,” Dadybayo said. “The interesting shift across crypto is that attackers are no longer primarily breaking protocols. They’re targeting the operational layers around them: admin wallets, permissions, and infrastructure.”

Decrypt has reached out to Polymarket for comment and will update this article should they respond. This is a developing story.