
An attacker has drained over $600,000 from Polymarket by exploiting its UMA CTF Converter smart contract on Polygon, in an attack verified on-chain. ZachXBT flagged the exploit and identified the attacker's wallet as 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91.
ZachXBT first issued an emergency alert on his Telegram channel, followed by Bubblemaps warning users to pause all Polymarket activity as the platform's losses rose to $600,000.

The targeted contract, the UMA CTF Converter, is the custom integration layer that allows Polymarket's prediction markets to be resolved through UMA's Optimistic Oracle. It is not part of UMA's core, audited protocol.
How the Polymarket exploit worked: a smart contract vulnerability
The UMA CTF Converter is a custom integration contract written and published by Polymarket, not an underlying UMA contract. As UMA's own documentation notes, protocol integrators build their adapter contracts on top of the Optimistic Oracle, and these adapters carry project-specific logic and trust assumptions that fall completely outside UMA's security model.
This structural gap is where the Polymarket exploit found its attack surface. The CTF Converter encodes custom economic logic and access control that determine how prediction-market positions are settled and how funds flow.
Polymarket's underlying exchange contracts underwent a formal security audit by ChainSecurity in 2021-2022, which reported that all critical issues identified prior to mainnet deployment had been addressed. That audit did not cover the UMA CTF Converter, the contract that was exploited.
This is a recurring pattern in DeFi platform failures: audits cover only the components submitted for review, not integration layers deployed afterward.
Oracle-related risk is not new for Polymarket. A previous incident involving erroneous off-chain data fed into Polymarket's oracle stack, the so-called Paris case, showed that the converter and oracle design is a systemic weakness for prediction markets, regardless of whether the underlying contracts are working properly.
The on-chain footprint and what the data reveals
On-chain data shows the attacker removing 5,000 POL tokens every 30 seconds during the active draining phase, a withdrawal cadence that points to an automated script executing repeated contract calls. By the time the alert was issued, the attacker had extracted nearly $600,000 USD according to Bubblemaps, while ZachXBT's estimate put confirmed losses at more than $520,000 USD.
Post-exploitation behavior is consistent with early-stage cross-chain money laundering. The attacker distributed the stolen proceeds across 15 separate wallet addresses in a fragmented pattern designed to complicate chain-of-custody tracking and slow down any freeze or recovery attempt.
As of press time, the dispersed funds remain spread across those 15 addresses with no confirmed movement to a mixer or cross-chain bridge. ZachXBT's public identification of the attacker's wallet gives investigators a clear on-chain starting point, although the 15-address distribution complicates any recovery without exchange cooperation.
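The two behavioral signatures described above, a fixed-cadence drain of identical amounts from one contract and a subsequent fan-out to many fresh wallets, are the kind of pattern a monitoring job can flag from transfer records alone. The following is an added example written for this page, not code from Polymarket, UMA, ZachXBT or Bubblemaps; the transfer rows are constructed, the addresses are placeholders (0xCONVERTER_PLACEHOLDER, 0xATTACKER_PLACEHOLDER), and the thresholds (minimum 5 calls, 5 s jitter, 1% amount spread, 10 recipients in an hour) are assumptions chosen for illustration, not tuned production values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Placeholder addresses for the example; not the real contract or attacker wallet.
CONTRACT = "0xCONVERTER_PLACEHOLDER"
ATTACKER = "0xATTACKER_PLACEHOLDER"


def build_sample():
    """Constructed transfer log: (unix_ts, from, to, amount_pol). Not real chain data."""
    t0 = 1_700_000_000
    rows = []
    # Drain phase: 8 identical 5,000 POL withdrawals exactly 30 s apart (mirrors the reported cadence).
    for i in range(8):
        rows.append((t0 + 30 * i, CONTRACT, ATTACKER, 5000.0))
    # Ordinary user redemptions: irregular timing, varied amounts, few calls per recipient.
    for i, (dt, amt) in enumerate([(7, 120.0), (95, 40.5), (300, 2500.0), (410, 75.0)]):
        rows.append((t0 + dt, CONTRACT, f"0xuser{i:02d}", amt))
    # Fan-out phase: the drained balance split across 15 fresh wallets in short succession.
    for i in range(15):
        rows.append((t0 + 900 + 12 * i, ATTACKER, f"0xsplit{i:02d}", 40000.0 / 15))
    return sorted(rows)


def find_periodic_drains(transfers, source, min_calls=5, max_jitter_s=5.0, max_amount_spread=0.01):
    """Flag recipients that pull near-identical amounts from `source` at a near-constant interval.

    Low timing jitter plus a tight amount spread over many calls is the fingerprint of a
    scripted loop, as opposed to humans redeeming positions at random times and sizes.
    """
    by_recipient = defaultdict(list)
    for ts, frm, to, amount in transfers:
        if frm == source:
            by_recipient[to].append((ts, amount))

    alerts = []
    for to, rows in by_recipient.items():
        if len(rows) < min_calls:
            continue
        rows.sort()
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        amounts = [amount for _, amount in rows]
        if pstdev(gaps) > max_jitter_s:
            continue  # timing too irregular to be a fixed-interval script
        if max(amounts) - min(amounts) > max_amount_spread * mean(amounts):
            continue  # amounts vary too much to be a repeated call with fixed parameters
        alerts.append({
            "recipient": to,
            "calls": len(rows),
            "period_s": mean(gaps),
            "total": sum(amounts),
        })
    return alerts


def find_fanout(transfers, source, window_s=3600, min_recipients=10):
    """Flag `source` if it sends to at least `min_recipients` distinct addresses within `window_s`
    of its first outbound transfer, the dispersal pattern used to complicate tracing."""
    out = sorted((ts, to, amount) for ts, frm, to, amount in transfers if frm == source)
    if not out:
        return None
    first_ts = out[0][0]
    in_window = [(to, amount) for ts, to, amount in out if ts - first_ts <= window_s]
    recipients = {to for to, _ in in_window}
    if len(recipients) < min_recipients:
        return None
    return {"source": source, "recipients": len(recipients),
            "total_out": sum(amount for _, amount in in_window)}


if __name__ == "__main__":
    tx = build_sample()
    for alert in find_periodic_drains(tx, CONTRACT):
        print("periodic drain:", alert)
    print("fan-out:", find_fanout(tx, ATTACKER))
```

Run against the constructed log, the drain detector reports a single recipient with 8 calls at a 30 s period totaling 40,000 POL, while the four ordinary users never reach the call threshold; the fan-out detector then flags that same recipient address for spraying to 15 wallets. In a real deployment the thresholds would be tuned per contract, and the alert would feed an on-call pipeline rather than stdout.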