News
22 May 2026, 11:45
Polymarket’s $700K exploit targets USDC, POL – Are user funds safe?

Explaining Polymarket’s exploit that saw about $700K lost from their rewards payout system.
22 May 2026, 11:31
Verus Bridge Exploiter Returns Majority Of Stolen Funds Following Structured Bounty Deal With Project Team

The hacker behind the Verus Ethereum bridge exploit has returned a large part of stolen funds after signing an official settlement with the project team. According to blockchain security specialist PeckShield, 4,052 ETH was sent back to the Verus team wallet, with a market value of about $8.5 million, representing one of the largest recoveries in some last DeFi bridge attacks. This compensation came in response to a straightforward proposal by the Verus protocol, which advocated negotiation rather than long-term confrontation. The team incentivized the exploiter with a financial payment in tandem with promises of legal certainty, and successfully convinced them to return most of the exploit. This result is also a representation of a trend in decentralized finance, with even more protocols moving to incentive-based models to reduce losses. Verus Bridge Exploiter Returns 75% of Stolen $ETH After Bounty Agreement. The attacker behind the Verus bridge exploit has returned 4,052 ETH, worth about $8.5 million, to the project’s team wallet, according to blockchain security firm PeckShield. The transfer followed a… pic.twitter.com/S1qt5FIsuu — TheCryptoBasic (@thecryptobasic) May 22, 2026 How the Bounty is Impacting the Outcome of The Incident At the heart of that resolution was a painstakingly constructed bounty agreement striking a pragmatic balance between recovery of funds and concession. The exploiter was promised a bounty of 1,350 ETH (around $2.8m) in exchange for returning 4,052.4 ETH in an agreed time frame of just 24 hours. The conditions were specific and timely, leaving little room for doubt. Setting a firm deadline, and specifying the amount to be returned and the reward offered for doing so created an incentive structure where compliance became attractive. The condition is ultimately performed by the exploiter then being paid the bounty and returning approximately 75% of all stolen assets. This approach embodies a change that is seen across the DeFi protocols with how they have been responding to exploits. Teams are relying more on economic incentives rather than simply enforcement or escalation to induce attacker behavior that minimizes total harm done. Clear Definitive Terms Outlined by Verus Community And Developers The Verus team outlined the agreement in a public statement, underscoring transparency and collective decision-making. And the proposal was born out of discussions between developers and members of the community, showing an organized way in which people are responding to the crisis. To the Verus Ethereum Bridge Exploiter: Members of the Verus community and its developers have discussed a set of terms, detailing the size of the bounty, obligations from your side and ours, and how the funds can be returned. 1. We have agreed that the bounty amount will be… — Verus – The Internet of Value (@VerusCoin) May 21, 2026 The conditions included that the exploiter returned 4,052.4 ETH to a specified wallet within 24 hours, minus the agreed bounty of 1,350 ETH and the project would consider funds retained as a legitimate bounty. The team also vowed to halt any continued investigations and not to pursue any further legal or extralegal actions against the assailant. It continued, defining the address claiming 1,350 ETH as an official bounty address in support of the legitimacy of the agreement. The level of detail had been necessary for building trust and assured the exploiter that, should he comply, the protocol would have no issue in honoring its commitments. Decision To Avoid Overly Lengthy Warfare Choosing negotiation instead of escalation shows the Verus teams calculation. Many bridge exploits consist of multi-lock movement operations that make them challenging to ‘recover’ once the money is out. Verus structured such a deal, pitching it almost immediately, and their rapid action raised the odds they’d be able to recover many of Seikonia’s stolen assets. Such an approach also solves the uncertainty and wastefulness that accompany long-running investigations. Whether in decentralized settings, legal cases are slow, expensive, and often ineffectual, especially when the alleged perpetrators operate across borders. By comparison, the bounty format produces direct and quantifiable results. Compared with many previous incidents, it is a strong result, assets are often not recoverable. That also leads to (or is at least one of the implications for) a considerably modified social contract related to DeFi security and incentives design. This incident with Verus shows that cross-chain bridges are still one of the weakest links in the DeFi ecosystem. Bridge exploits tend to result in high losses as they hold large liquidity pools. This model does not put robust security architecture in place to ensure process within perimeters, rather provides a fair play when vulnerability has been exploited. It also begs important questions surrounding what defines ethical hacking in industry, the accountability of varying parties and distinction between exploitation and responsible disclosure. The Degree of Confidence in the Market and Future Expectations The recovery from the fund is immediate but how Verus re-establishes trust in its ecosystem will be long-lasting. In cross-chain infrastructure, risks are particularly well-known, and security breaches may leave long-term impacts on user confidence. However, the transparency of dealing with the event and returning most of these assets should mitigate any reputational damage. Communicating openly with the community and providing a concrete solution makes Verus seen as a protocol that can manage crises. This was bad enough to be a cautionary tale, as well as something that continued to be studied. It highlights the necessity for proactive security, but illustrates the benefits of flexible, incentive-based response to breaches. In conclusion, as decentralized finance (DeFi) inevitably matures, balancing security with incentives and rapid response remains imperative for defining how protocols tackle upcoming challenges. Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services. Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news !
22 May 2026, 11:26
Polymarket Faces Fresh Security Crisis After $660,000 Exploit

The prediction market platform Polymarket is once more in the spotlight, this time for an exploit that reportedly siphoned off 660,000 from wallets associated with it. Onchain analysts identified dubious transactions from a contract expected to carry key responsibilities for market settlement operations shortly after the incident attracted industry-wide concern. According to blockchain investigators, the attacker remained relentless and moved stolen funds at an unprecedented rate across many wallets in a bid to muddy tracking efforts. Reports in crypto security channels said nearly 5,000 POL tokens per 30 seconds were drained through the exploit. According to analysts, the stolen assets were processed through at least 15 distinct wallets in the days immediately following extraction, a well-known practice by thieves to break trails of suspicious transactions before recycling revenues via balancer-like services or exchanges. Due to the fact that Polymarket is currently the worlds largest blockchain based prediction market platform, this exploit instantly turned into one of the most talked about, seismic events in the history of crypto. The episode led to a renewed focus on operational security practices for high value crypto applications that deal with very large amounts of user activity and liquidity. Warning: #Polymarket 's contract appears to be exploited, and the attacker is stealing funds. So far, more than $660K has already been stolen. Source: @zachxbt https://t.co/WXvRwtWEFs pic.twitter.com/sIa0FWEEzo — Lookonchain (@lookonchain) May 22, 2026 Onchain Investigators Trace The Attack According to several posts on social media and monitoring platforms, the suspicious activity associated with the exploit was noticed by crypto investigator ZachXBT among others. Researchers monitoring the attack noticed immediate fund transfers aligned with mechanical draining action. Wallets were drained at specific time intervals prior to the funds being split into thousands of different addresses, making it difficult to trace. As it unfolded quickly, our worry was amplified because the affected infrastructure involved functionality around settlement for on-chain prediction market operations. Settlement contracts are key components of prediction markets, as they define the settlement of events (by finalizing outcomes) and their respective awards to users after an event resolves. Initial responses from the crypto world raised concerns that Polymarket’s core protocol may have been directly compromised. Due to the sensitivity of settlement infrastructure in event-driven trading platforms, concerns soon arose as to how it would affect user balances and open market positions. At the same time, traders and users slammed the platform for its initial silence after the incident. With news of the exploit loosed into the wild, many in the market noted that an extension of time before disclosure introduced even greater uncertainty and deepened apprehensions about platform transparency when security crises arise. Polymarket Says Core Contracts Remain Safe Polymarket issued a public statement in response to ongoing speculation, stating that user funds were safe and the platform was still functioning correctly. We’re aware of the security reports linked to rewards payout. User funds and market resolution are safe. Findings point to a private key compromise of a wallet used for internal top-up operations, not contracts or core infrastructure. More updates to follow. — Polymarket Developers (@PolymarketDevs) May 22, 2026 The breach did not exploit Polymarket’s core smart contracts, protocol architecture. Instead, the hack was apparently tied to a compromised private key or an internal operational wallet. It is an important distinction since it fundamentally changes the character of a security event. The incident has therefore appeared to be more related to operational security management of delegate-controlled access to privilege wallets rather than directly exposing a vulnerability in the protocol core logic. Polymarket stated that its core contracts were never compromised and stressed that the structure of the overall architecture remains intact. The company described the exploit as an internal- rather than protocol-level security failure. However, the event has serious implications for how infrastructure is managed, which are not mitigated by a TLS migration without protocol compromise. Leaked private keys corresponding to a working wallet can expose an attacker to sensitive systems, treasury capabilities at least for the timespan during which that pair is alive, and even related operations depending on general wallet permission in crypto environments. Multiple Security Incidents Raise Concerns The new exploit has drawn particularly increased scrutiny due in part to being the latest blow in a series of security incidents that have beset Polymarket over a short time-frame. Some reports suggest that the platform experienced a compromised user account (breached through login). Two months later, in February 2026, alleged trading bots connecting to Polymarket were compromised. So this most recent attack is actually the third notable kind of security-related incident that Polymarket has seen in just about a six-month period. This trend elevates conversations within the industry from isolated incidents to more high-level issues of the safety culture at large in platform operations. While the technical causes are different, a repeat of incidents can sometimes shake user confidence when-in-fact, the underlining protocol works as intended. If you plan on being a trading and prediction platform layer decentralized, the key to upfront growth is trust. Users rely primarily on the belief that both code and protocols managing assets, payments, consulting system failures are resistant to external attacks as well as internal corruption. Well-publicized and repeat security incidents complicate branded reputation efforts, particularly for platforms with increasing trade volumes from speculative capital in a decentralized finance ecosystem facing growing international trading activity. Prediction Markets Face Growing Security Pressure This incident comes at a time of accelerated growth in blockchain prediction markets. Polymarket and similar platforms have gained major traction due to traders continuing to use event-based markets as a way of speculating on elections, macroeconomic developments, cryptocurrency movements, sports outcomes, and geopolitical events. The attractiveness of these platforms as targets from attackers due to rising liquidity and public visibility combined. With the prediction market sector maturing, operational security is becoming as much of a focus as protocol design. While smart contracts can be secured, weaknesses lie in wallet management or internal permissions, as well as infrastructure coordination. This exploit at Polymarket is just a small example of a more systemic reality with crypto: decentralized applications are often a collaborative system that allows onchain contracts and offchain operational systems to function, but some part of it can have malfunctions. However, security failures in either layer can cause downstream risks. In both insights and beliefs about users, the distinction between a protocol exploit and an operational compromise for platform functionality may be irrelevant to how reliable the platform will be for managing funds and positions. Although Polymarket stands firm that user funds were protected, and core systems were not breached, it is the latest reminder of just how critical infrastructure security must be for expanding crypto platforms. With so much latent adoption potential, and capital flowing into decentralized prediction markets, operational resilience, along with transparent incident response will become the new criteria for platforms to establish long-term user trust. Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services. Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news !
22 May 2026, 11:08
Attackers drain more than $520,000 from Polymarket contract

A Polymarket security incident drained more than $520,000 in collateral from the platform’s UMA CTF Adapter contract on Polygon on May 22, 2026. On-chain investigator ZachXBT flagged the incident in a community alert and pointed to a compromised deployer address as the likely entry point for the attack. The drain played out across a short window around 09:00 UTC. No official notice from Polymarket or UMA had been posted at the time of reporting. How the Polymarket drain played out? The hack targeted the Polymarket UMA CTF Adapter Admin Contract at address 0x91430C…E5c5, which is an upgradeable proxy that manages the main adapter that holds the market collateral. The blockchain reveals the initial events recorded on the Admin Contract at around 09:00:30 UTC. That should raise an alarm about a proxy pattern exploit. The initial events were quickly followed by transfer events for Polygon’s native currency, POL. At 09:00:49, the adapter admin received 5,000 POL from a Polymarket address. Five seconds later, it sent close to 9,994 POL out to the attacker-controlled account. The pattern repeated at 09:01:19 with another 5,000 POL inflow, followed by a transfer of close to 5,000 POL to the same attacker address at 09:01:26. The two-step transfer moved more than 10,000 POL out of the adapter in under a minute. The drained addresses listed by ZachXBT, 0x871D7c0f and 0xf61e39C7, had sent collateral into the adapter that the attacker then withdrew through the admin contract. The primary attacker address received the POL transfers and began consolidating the funds shortly afterward. A compromised key, not a smart contract bug In this way, the chain of initializing calls to the admin contract shows the risk of key theft and initialization vulnerability rather than any issue with the UMA optimistic oracle logic. The contract was based on the UMA oracle, but the breach occurred in the access control level, and the hacker received the ability to perform admin-only calls. It can be assumed that either the deployment process happened with the help of a key compromised by attackers or an uninitialized contract proxy was available for exploitation. After receiving administrator powers, the hacker could withdraw the whole collateral balance without any need for custom exploits. The Polymarket hack resembles similar events reported earlier in 2026. For instance, the Step Finance hack of about $27.3 million happened due to a breach of the executive key and the multi-sig mechanism at the beginning of 2026. A similar case is the Drift Protocol hack of about $285 million; it happened in April 2026 as a result of a socially engineered admin key, which enabled whitelisting worthless collateral. There were no software vulnerabilities in those smart contracts. Attacker wallet activity and tracing The address 0x8F98075d should be flagged as highly suspicious because it was the destination for both POL collateral transfers and is the greatest opportunity for movement of stolen value out of or into the Polygon network. Similarly, the intermediary address involved in initializing calls 0x65070BE9 can be assumed to be controlled by attackers and deserves similar monitoring. Based on past experiences, there is a possibility that the next step will involve cross-chain bridges and mixing. In the case of Drift , the stolen funds were partially bridged to Ethereum via the cross-chain protocol belonging to Circle prior to laundering. There were no reports as of reporting of large outgoing bridges from the suspect addresses. If you're reading this, you’re already ahead. Stay there with our newsletter .
22 May 2026, 10:15
Polymarket Confirms User Funds Safe After Exploit, Core Infrastructure Unaffected

BitcoinWorld Polymarket Confirms User Funds Safe After Exploit, Core Infrastructure Unaffected Polymarket, the leading decentralized prediction market platform, has moved to reassure users following a security incident involving its UMA CTF adapter contract. In an official statement, the platform confirmed that user funds and market settlements remain secure, with the exploit limited to a specific operational wallet. Details of the Incident Polymarket protocol developer Shantikiran Chanal addressed the situation on X, stating that the company is aware of a security incident related to reward payments. The ongoing investigation indicates that a private key for an internal operations wallet was exposed, but the platform’s core smart contracts and infrastructure were not compromised. This distinction is crucial, as it means the underlying mechanics of the prediction markets themselves were not attacked. Scale of the Exploit While Polymarket works to contain the breach, on-chain data from Santiment reveals the exploit’s impact. The attacker has been systematically draining 5,000 POL tokens approximately every 30 seconds. At current market rates, the total amount stolen has reached an estimated $520,000. The exploit specifically targeted the UMA CTF (Capture The Flag) adapter contract, which is used for reward distribution in certain platform activities. What This Means for Users For the average Polymarket user, the primary takeaway is that their positions and funds are safe. The platform has emphasized that market settlements are proceeding normally and that no user assets were directly accessed. However, the incident highlights the ongoing risks associated with operational security in the decentralized finance (DeFi) space, where even isolated private key compromises can lead to significant financial losses. Broader Implications for Prediction Markets This event serves as a reminder of the layered security challenges faced by crypto platforms. While smart contract vulnerabilities often dominate headlines, this exploit underscores the importance of securing internal operational wallets and private key management. For Polymarket, which has seen a surge in user activity and trading volume ahead of major political events, maintaining user trust is paramount. The platform’s swift and transparent communication regarding the incident is a positive signal for its commitment to security. Conclusion The Polymarket exploit, while concerning, appears to be contained to a specific, non-critical part of the platform’s operations. User funds remain secure, and the core infrastructure continues to function. The incident, however, has resulted in the loss of over half a million dollars in POL tokens and serves as a critical case study in the importance of comprehensive security protocols that extend beyond smart contract audits. FAQs Q1: Were my funds on Polymarket affected by the exploit? A1: No. Polymarket has confirmed that user funds and market settlements were not affected. The exploit was limited to a specific internal operations wallet used for reward payments. Q2: What was the cause of the exploit? A2: The investigation indicates that a private key for an internal operations wallet was exposed. The platform’s core smart contracts and infrastructure were not attacked. Q3: How much was stolen in the Polymarket exploit? A3: On-chain data from Santiment shows that the attacker has stolen approximately $520,000 worth of POL tokens, draining 5,000 POL every 30 seconds. This post Polymarket Confirms User Funds Safe After Exploit, Core Infrastructure Unaffected first appeared on BitcoinWorld .
22 May 2026, 09:57
Polymarket Exploit: 5,000 POL Drained every 30 Seconds

An attacker drained over $600,000 from Polymarket, attacking its UMA CTF Adapter smart contract on Polygon, with on-chain investigator ZachXBT flagging the exploit and identifying the attacker’s wallet as 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91. ZachXBT issued an emergency alert first on his Telegram channel, followed by Bubblemaps warning users to pause all Polymarket activity as the platform’s losses climbed toward $600,000. ZachXBT warning, Telegram The targeted contract, the UMA CTF Adapter, is the custom integration layer that allows Polymarket’s prediction markets to settle via UMA’s Optimistic Oracle. It is not part of UMA’s audited core protocol. Discover: The Best Crypto to Diversify Your Portfolio How the Polymarket Exploit Worked: The Smart Contract Vulnerability The UMA CTF Adapter is custom integration code written and deployed by Polymarket, not a canonical UMA contract. As UMA’s own documentation makes clear, protocol integrators build their own adapter contracts on top of the Optimistic Oracle, and those adapters carry project-specific logic and trust assumptions that fall entirely outside UMA’s security model. This structural gap is where the Polymarket exploit found its surface. The CTF Adapter encodes the custom economics and access control that determine how prediction market positions settle and how funds flow. ALERT: Polymarket UMA CTF Adapter Exploited The Adapter acts as a bridge between the platform and the UMA oracle. It was via this bridge that the hacker managed to manipulate the system. Over $500K has been stolen. The hacker is currently laundering the stolen funds on… pic.twitter.com/K8EcR1SqmW — ProMint (@ProMint_X) May 22, 2026 Polymarket’s core exchange contracts underwent a formal security audit by ChainSecurity in 2021–2022, which reported that all critical issues identified were addressed before mainnet deployment. That audit did not cover the UMA CTF Adapter. The exploit did. This is a recurring pattern in DeFi platform failures : audits cover only the components submitted for review, not the integration layers bolted on afterward. Polymarket’s history with oracle-adjacent risk is not new. A prior incident involving erroneous off-chain data fed into Polymarket’s oracle stack, the so-called Paris case, demonstrated that adapter and oracle design represent a systemic weak point for prediction markets, independent of whether the base contracts function correctly. On-Chain Footprint and What The Data Reveals Onchain data tracked the attacker removing 5,000 $POL tokens every 30 seconds during the active drain phase, a withdrawal cadence that points to an automated script executing repeated contract calls. By the time the alert was issued, the attacker had extracted approximately $600,000 according to Bubblemaps, with ZachXBT’s figure placing confirmed losses at over $520,000. The post-exploit behavior is consistent with early-stage on-chain laundering. The attacker dispersed the stolen proceeds across 15 separate wallet addresses in a fragmentation pattern designed to complicate chain-of-custody tracing and slow any freeze or recovery attempt. As of the time of reporting, the dispersed funds remain distributed across those 15 addresses with no confirmed movement to a mixer or cross-chain bridge. ZachXBT’s public identification of the originating wallet gives investigators a clear on-chain starting point, though the 15-address dispersal complicates any downstream recovery without exchange cooperation. Discover: The Best Token Presales The post Polymarket Exploit: 5,000 POL Drained every 30 Seconds appeared first on Cryptonews .














































