Polymarket Loses About $700K After Rewards Wallet Key Leak

Polymarket reported that about $700,000 was drained from an internal rewards and top-up wallet on May 22, 2026. The project said user deposits and market outcomes were not affected.

On-chain investigator ZachXBT flagged activity that moved more than $520,000 from addresses tied to Polymarket’s Polygon infrastructure. Polymarket developers confirmed the incident and said the affected wallet handled routine rewards payouts and top-ups rather than holding user funds or managing market settlement.

On-chain analytics provider Bubblemaps later estimated the total loss at roughly $700,000. The platform reported the stolen funds were split across 16 addresses and routed through centralized exchanges and other services before suspected withdrawals stopped.

The Polymarket Developers account tweeted: “We’re aware of the security reports linked to rewards payout. User funds and market resolution are safe. Findings point to a private key compromise of a wallet used for internal top-up operations, not contracts or core infrastructure. More updates to follow.”

Polymarket’s prediction markets use smart contracts to record wagers and settle payouts after an external service confirms outcomes. Developers said the drained wallet was separate from the contracts that record bets and determine winners and did not interact with user deposits or market resolution logic.

Andy Yajin Zhou, associate professor and co-founder of on-chain security firm BlockSec, observed the pattern is consistent with a private key compromise rather than a protocol-level exploit and pointed to weak key management and access controls as likely factors.

Hakan Unal, senior security operation lead at Cyvers, warned that privileged adapter or admin wallets remain a critical attack surface if key management or operational security is compromised.

Dan Dadybayo, strategy lead at Horizontal Systems, described a broader pattern in which attackers target admin wallets and operational infrastructure instead of breaking core smart contracts.

Industry data show substantial losses across decentralized finance in early 2026. More than $840 million was reported stolen in the first five months of the year, with April accounting for over $600 million, including two major incidents that moved hundreds of millions of dollars.

Polymarket said it is continuing its investigation and will provide further updates as new information becomes available.