Polymarket hit by $700k POL drain amid conflicting exploit claims
Polymarket suffered a smart-contract exploit on May 22, 2026, with attackers draining approximately $700,000 in USDC and POL tokens. The attacker removed 5,000 POL tokens approximately every 30 seconds before withdrawals reportedly stopped. While X.com and AMBCrypto reported the incident as an exploit, Polymarket-linked accounts later disputed this framing, stating the incident was not a smart-contract attack and did not affect user funds or market resolution. The conflicting claims leave the exact cause, full amount drained, and whether user assets were at risk unresolved. Users were urged to pause all Polymarket activity during the incident, and the platform has not released detailed technical findings.
Polymarket must now defend its security posture to regulators already probing five concurrent surveillance and integrity failures. Any confirmation that user funds were exposed could force immediate capital-reserve or insurance mandates from CFTC enforcement staff while the House weighs Senate-passed account-exclusion legislation.
Polymarket becomes the largest prediction-market platform to suffer a confirmed smart-contract security incident while already under five concurrent federal and journalistic investigations into surveillance gaps on military contracts.