Polymarket's forecasting market contracts have been hacked! 5,000 POL are being withdrawn every 30 seconds, resulting in the evaporation of over 600,000 tons of magnesium.

On-chain analytics platform Bubblemaps issued an urgent alert on X today (May 22nd), indicating that the Polymarket UMA CTF Adapter smart contract used for settling prediction markets is under continuous attack. Attackers are withdrawing funds from the contract at a rate of 5,000 tokens every 30 seconds, with cumulative losses exceeding $600,000 as of this writing, and the number continues to climb.

Bubblemaps directly urged all users to "immediately suspend all Polymarket operations." Chain detective ZachXBT also issued a warning, confirming the attack was underway.

The attacker's address has been locked, and the funds have been distributed across 15 wallets.

According to on-chain data, the attacker's primary address has been identified as 0x8F98…9B91. The stolen funds were immediately dispersed and transferred to 15 different addresses, a typical preliminary step in on-chain money laundering: first splitting, then mixing the coins, and finally withdrawing the funds through cross-chain bridges or centralized exchanges.

The UMA CTF Adapter is a core settlement component of the Polymarket prediction market, responsible for verifying and settling market results through UMA's Optimistic Oracle. The breach of this contract represents a vulnerability in the entire prediction market's settlement layer, and the impact may extend beyond the currently known losses.

The DeFi hacking spree in May continues.

This is the third security incident Polymarket has faced recently. Previously, the platform had experienced a vulnerability in a third-party login service provider that led to the theft of some user accounts, and it also faced allegations of data leakage (which was later denied by the company).

The entire DeFi ecosystem suffered a wave of attacks in May, with five independent hacking incidents occurring in a single week, bringing the monthly total to 19, with total losses of approximately $38.2 million. Just yesterday, THORChain released its ADR028 recovery solution for its own $10.7 million hacking incident.

Polymarket has not issued an official response as of press time. At a rate of 5,000 POL lost every 30 seconds, the final damage from this attack could far exceed $600,000.

Related reports

Polymarket submits "collusion contracts" for CFTC self-certification! SEC Chairman Atkins seeks public comment on prediction market ETFs.

Following the hack, THORChain released a recovery proposal: the protocol would absorb the millions in losses and destroy the attacker RUNE.

Polymarket makes another arrest in Taiwan election betting ring! Rumors circulate online that "many people were woken up by search results for their votes," suggesting a strong gambling addiction?