Polymarket UMA CTF Adapter — Legacy Admin Private Key Compromise — May 22, 2026
>10 victims identified in this incident.
Facts and investigation
Attacker: 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91 (compromised UMA CTF Adapter Admin); drained addresses: 0x871D…9082 and 0xf61e…4805
Funds moved to: ~$458K USDC + ~$200K POL drained from 2 addresses connected to the reward payout system, split across 16 wallets then routed to CEXs and services like ChangeNOW. Last attacker transaction at 09:00 UTC.
Attacker wallet: 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91. The compromised wallet held 'resolveManually rights' on the UMA Adapter (much more severe potential impact, not exploited).
Timeline: On 22 May 2026, ZachXBT publicly flagged a suspected exploit on Polymarket's UMA CTF Adapter contract on Polygon. The attacker, 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91, used an automated script to drain 5,000 POL every 20-30 seconds from addresses 0x871D…9082 and 0xf61e…4805. Total drained: ~$700K (~$458K USDC + ~$200K POL). Bubblemaps independently confirmed the active exploit. Polymarket developer Josh Stevens: 'not a contract hack, likely a compromise of an old private key' (6-year-old private key included in an internal top-up config). Last attacker transaction at ~09:00 UTC. Polymarket (Shantikiran Chanal) confirmed: 'user funds and market resolution are safe... private key compromise of a wallet used for internal top-up operations'. Funds were split across 16 wallets, some deposited to ChangeNOW. The compromised wallet held 'resolveManually rights' on the UMA Adapter, a severe potential attack vector that was not exploited: in the worst case, those rights would have allowed the attacker to manually force market resolutions.
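The drain pattern in the timeline (a fixed 5,000 POL outflow repeated every 20-30 seconds) is something wallet monitoring can alert on. The Python below is an added example, not code from Polymarket or from the coverage listed on this page; the wallet labels, thresholds and transfer records are constructed assumptions.

```python
from collections import namedtuple

# One token transfer: unix timestamp (s), sender, recipient, amount in token units.
Transfer = namedtuple("Transfer", "ts src dst amount")

def _summarize(src, dst, run):
    return {"src": src, "dst": dst, "count": len(run),
            "total": sum(t.amount for t in run),
            "first_ts": run[0].ts, "last_ts": run[-1].ts}

def find_drip_drains(transfers, max_gap=60, min_run=5, tol=0.01):
    """Flag runs of >= min_run outflows with the same src and dst, amounts within
    tol (fraction) of the run's first amount, and gaps of <= max_gap seconds."""
    by_pair = {}
    for t in sorted(transfers, key=lambda t: t.ts):
        by_pair.setdefault((t.src, t.dst), []).append(t)
    alerts = []
    for (src, dst), seq in by_pair.items():
        run = [seq[0]]
        for t in seq[1:]:
            same_size = abs(t.amount - run[0].amount) <= tol * run[0].amount
            if same_size and t.ts - run[-1].ts <= max_gap:
                run.append(t)
                continue
            if len(run) >= min_run:      # run ended: report it if long enough
                alerts.append(_summarize(src, dst, run))
            run = [t]
        if len(run) >= min_run:          # flush the final run
            alerts.append(_summarize(src, dst, run))
    return alerts

def sample_transfers():
    """Constructed records: normal payouts plus a scripted 5,000 POL drip."""
    base = 1_000_000                              # arbitrary constructed timestamp
    offsets = [0, 22, 47, 75, 96, 121, 150, 172]  # 20-30 s between transfers
    drain = [Transfer(base + o, "ops_wallet_1", "unknown_dst", 5000.0) for o in offsets]
    benign = [
        Transfer(base - 7200, "ops_wallet_1", "reward_payee_a", 312.5),
        Transfer(base - 3600, "ops_wallet_1", "reward_payee_b", 1200.0),
        Transfer(base + 60, "ops_wallet_2", "reward_payee_c", 5000.0),
        Transfer(base + 4000, "ops_wallet_2", "reward_payee_c", 5000.0),
    ]
    return benign + drain

if __name__ == "__main__":
    for alert in find_drip_drains(sample_transfers()):
        print(alert)
```

Two same-size payouts from `ops_wallet_2` more than an hour apart do not alert; only the sustained short-interval run does.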
Sources and coverage
- Article (cryptotimes.io): https://www.cryptotimes.io/2026/05/22/polymarket-ops-wallet-drained-700k-user-funds-unaffected/
- Article (bitcoinist.com): https://bitcoinist.com/polymarket-hit-by-700k-exploit-what-we-know/
- Article (protos.com): https://protos.com/polymarket-exploited-for-700k-in-private-key-hack/
- Article (crypto.news): https://crypto.news/polymarket-hit-zachxbt-flags-520k-uma-adapter-loss/
- Article (cryptobriefing.com): https://cryptobriefing.com/polymarket-investigates-admin-wallet-compromise-triggers-theft/
- Article (ambcrypto.com): https://ambcrypto.com/polymarkets-700k-exploit-targets-usdc-pol-are-user-funds-safe/