Key Takeaways
- Hackers drained $700K in POL from Polymarket after compromising a 6-year-old internal private key.
- ZachXBT alerted users, but Polymarket confirmed all user funds remain fully safe.
- To prevent further incidents, Polymarket will next move all private keys to KMS.
Polymarket Faces Security Event: No User Funds Affected
Polymarket, one of the largest prediction markets in the world, experienced a security incident that alerted the platform’s community.
On Friday, blockchain intelligence researcher ZachXBT pointed to a possible compromise of the platform’s admin address on Polygon, noting that a significant amount of funds had already been drained.
According to Bubblemaps, the attackers had been withdrawing 5,000 POL every 30 seconds, splitting the funds across 16 addresses, including centralized exchanges and other services. At the time of writing, reports indicated that the losses reached $700K.
The platform later acknowledged the security event, with Polymarket’s Shantikiran Chanal stating that they were “aware of the security reports linked to rewards payout,” but claiming that user funds and market resolution functions were safe.
“Findings point to a private key compromise of a wallet used for internal operations, not contracts or core infrastructure,” he specified. Furthermore, he explained that Polymarket was rotating its private keys for backend services and conducting an investigation for any internal secrets that could have been affected in the incident.
In April, Polymarket reached trading volumes of over 9 billion. An exploit in the platform’s contracts, depending on its nature, could put these funds in jeopardy.
Nonetheless, Josh Stevens, VP of Engineering at Polymarket, offered a short post-mortem report, shedding more light on the situation.
“We had a 6-year-old private key that was compromised. This was in the internal top-up config, which is why funds were being sent to it. We have rotated this key, revoked all prod permissions and are moving all PKs to KMS keys from now on,” he declared, coinciding with earlier reports that pointed to a private key being compromised.
“No polymarket or UMA contracts have been exploited. All user funds are safe, and using Polymarket.com is safe, so business as usual,” he concluded.