Polymarket confirmed on May 22 that its platform suffered a hack. Shantikiran Chanal, a developer at the company, said that “we are aware of security reports linked to the payment of rewards (funds that the platform distributes to users who solve markets correctly). User funds and market resolution are safe.
The warning had come earlier from outside. ZachXBT, an on-chain researcher known for tracking theft and fraud in the cryptocurrency ecosystem, published an alert hours before Chanal’s statements pointing out that a Polymarket administrator address had been compromised on Polygon. Its initial estimate placed the amount drained at more than USD 520,000; the Arkham analysis platform updated that figure to more than USD 600,000.
In the following image you can see the holdings associated with the Polymarket hacker, identified by the Arkham team:
Polymarket, which operates on the Polygon network, is a decentralized prediction markets platform, where users bet real money on the outcome of future events, from elections to asset prices.
How did the Polymarket hack happen?
According to Chanal, the vector was the leak of the private key of a wallet used for internal operations. “The findings point to the leak of a private key from a wallet used for internal operations, not contracts or central infrastructure,” said the developer.
The smart contracts that run the markets, and where user funds are deposited, would not have been touched, according to the Polymarket collaborator.
What Polymarket has not yet explained is how the key was leaked or what specific operations the compromised wallet was associated with, beyond the reference to the payment of rewards. Chanal announced further updates, indicating that the investigation remains open.