Overview
- On Friday on‑chain investigator ZachXBT flagged rapid outflows from Polymarket‑linked Polygon addresses and public estimates rose from about $520,000 to roughly $700,000 as analysts observed an automated pattern of 5,000 POL being moved about every 30 seconds.
- Polymarket told users the incident stemmed from a compromised legacy private key on an internal ‘top‑up’ or rewards wallet and not from a smart‑contract exploit, and the team said market outcomes and user balances were not impacted.
- The engineering team immediately rotated the affected key, revoked production permissions, paused some operations as a precaution, and announced a plan to migrate private keys to a KMS for stricter management.
- On‑chain tracing shows the stolen POL was split across 15 to 16 addresses and routed through services including ChangeNOW and mixers, with security firms reporting partial freezes but the final audited loss still unresolved.
- Security experts say the incident underscores a wider industry shift where attackers target operational keys and refiller services, highlighting the need for HSM or KMS storage, multi‑sig controls, and regular credential rotation and audits.