Polymarket's private key compromise on Polygon.
Last week, more than $520,000 was drained from two Polymarket smart contracts on Polygon. The contracts themselves were not exploited. An internal operations wallet with admin privileges on the UMA CTF Adapter was compromised.
The wallet was used for rewards payouts and liquidity maintenance. It held elevated permissions because those tasks required them. At some point, the key was exposed, and whoever obtained it used those permissions to drain the contracts.
Polymarket confirmed that user funds and market resolution contracts were unaffected. The compromised key's access was scoped to operational functions, so the blast radius stayed contained. Keys were rotated and permissions were revoked.
This is a pattern that shows up repeatedly in crypto security incidents. The cryptography holds. The contracts hold. What fails is the operational layer around them: who has access to which keys, whether those permissions are still necessary, and how often they're reviewed.
Securing a key at rest is well understood. Governing how, when, and by whom a key gets used is where most teams fall short.
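To make the "scoped permissions limit the blast radius" point concrete, here is an added Solidity sketch (it is not Polymarket's or UMA's code, and the contract name, role names and cap parameters are hypothetical). An operations key holds only `OPERATIONS_ROLE`, which can pay out tokens within a per-transaction and rolling daily cap but cannot grant or revoke roles; a separate admin (in practice a multisig) holds `ADMIN_ROLE` and is the only party that can revoke a compromised operations key or move unbounded funds. The ERC-20 interface is trimmed to the single call the example needs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC-20 surface needed for payouts (assumed interface, not a real import).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical treasury showing least privilege for an operations key.
/// A compromised OPERATIONS_ROLE key can, at worst, move `dailyCap` per day;
/// it cannot change roles, and ADMIN_ROLE can revoke it at any time.
contract ScopedTreasury {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");
    bytes32 public constant OPERATIONS_ROLE = keccak256("OPERATIONS_ROLE");

    mapping(bytes32 => mapping(address => bool)) private _roles;

    IERC20 public immutable token;
    uint256 public immutable perTxCap;   // max a single operations payout may move
    uint256 public immutable dailyCap;   // max operations payouts may move per 24h window
    uint256 public windowStart;          // start of the current 24h window
    uint256 public spentInWindow;        // amount paid out in the current window

    event RoleGranted(bytes32 indexed role, address indexed account);
    event RoleRevoked(bytes32 indexed role, address indexed account);
    event Payout(address indexed to, uint256 amount);
    event Sweep(address indexed to, uint256 amount);

    modifier onlyRole(bytes32 role) {
        require(_roles[role][msg.sender], "missing role");
        _;
    }

    constructor(IERC20 token_, address admin, uint256 perTxCap_, uint256 dailyCap_) {
        require(admin != address(0), "admin required");
        require(perTxCap_ <= dailyCap_, "per-tx cap exceeds daily cap");
        token = token_;
        perTxCap = perTxCap_;
        dailyCap = dailyCap_;
        windowStart = block.timestamp;
        _roles[ADMIN_ROLE][admin] = true;
        emit RoleGranted(ADMIN_ROLE, admin);
    }

    function hasRole(bytes32 role, address account) external view returns (bool) {
        return _roles[role][account];
    }

    /// Only the admin can hand out roles; an operations key cannot escalate itself.
    function grantRole(bytes32 role, address account) external onlyRole(ADMIN_ROLE) {
        _roles[role][account] = true;
        emit RoleGranted(role, account);
    }

    /// Revocation is the on-chain half of "rotate the key": the old key loses
    /// access immediately, before a new key is granted.
    function revokeRole(bytes32 role, address account) external onlyRole(ADMIN_ROLE) {
        _roles[role][account] = false;
        emit RoleRevoked(role, account);
    }

    /// The one thing an operations key is allowed to do, bounded by both caps.
    function payout(address to, uint256 amount) external onlyRole(OPERATIONS_ROLE) {
        require(to != address(0), "bad recipient");
        require(amount <= perTxCap, "per-tx cap");

        // Roll the window forward once 24h have passed since it opened.
        if (block.timestamp >= windowStart + 1 days) {
            windowStart = block.timestamp;
            spentInWindow = 0;
        }
        require(spentInWindow + amount <= dailyCap, "daily cap");
        spentInWindow += amount;

        require(token.transfer(to, amount), "transfer failed");
        emit Payout(to, amount);
    }

    /// Unbounded movement of funds stays with the admin role only (e.g. migrating
    /// the treasury after an incident). Never reachable from OPERATIONS_ROLE.
    function sweep(address to, uint256 amount) external onlyRole(ADMIN_ROLE) {
        require(to != address(0), "bad recipient");
        require(token.transfer(to, amount), "transfer failed");
        emit Sweep(to, amount);
    }
}
```

The caps turn a key compromise from "everything in the contract" into a bounded, predictable loss, and the `RoleGranted`/`RoleRevoked` events give a permission-review process something to audit: a periodic check that every address holding `OPERATIONS_ROLE` still needs it is a query over those events rather than a guess.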