ZachXBT flags suspected $520K exploit of Polymarket UMA adapter on Polygon
Onchain investigator ZachXBT flagged a suspected exploit of Polymarket's UMA CTF Adapter smart contract on Polygon on May 22, 2026, with approximately $520,000 drained from two operational wallets, according to tier-1 and tier-2 sources. The exploit targeted the oracle adapter that Polymarket uses to resolve market outcomes. Polymarket's team confirmed the incident and stated that no customer funds were affected, as the drained assets belonged to the platform's own wallets rather than user accounts directly. Details on the precise attack vector remain limited. The incident adds to a string of security breaches affecting prediction market and DeFi protocols this year.
Polymarket must now defend its security posture to regulators already probing five concurrent surveillance and integrity failures. Any confirmation that the oracle resolution layer was compromised could force immediate smart-contract audit mandates or operational restrictions from CFTC enforcement staff.
Polymarket now faces four concurrent enforcement pressures this week — a $700K POL drain, South Korean gambling probe, Ohio politician-trading ban, and this $520K oracle exploit — as security and regulatory threats converge on the platform from separate vectors.