Polymarket $520K exploit on Polygon flagged by ZachXBT, funds safe
In brief
- ZachXBT flagged $520K drained from two Polymarket smart contracts on Polygon
- Polymarket confirmed user funds and market resolutions remain safe
- Polygon Labs CTO attributed issue to compromised market initializer, no user impact
The Breach
ZachXBT flagged the suspected exploit involving two affected addresses: 0x871D7c0f9E19001fC01E04e6cdFa7fA20f929082 and 0x91430CaD2d3975766499717fA0D66A78D814E5c5. Funds were allegedly sent to attacker address 0x8F98075db5d6C620e8D420A8c516E2F2059d9B91.
Polymarket developers moved quickly to respond. The company said it's aware of reports tied to its rewards payout system. More importantly, the team emphasized that user funds and market resolutions remain safe. Rather than describing this as a broader smart contract vulnerability, Polymarket characterized the issue as a private key compromise of an internal operations wallet.
Official Reassurance
Polygon Labs' CTO Mudit Gupta offered additional clarity on the technical nature of the incident. He indicated that the market initializer was compromised, with no impact on users or contracts. This distinction matters: it suggests the breach didn't penetrate Polymarket's core infrastructure or user-facing systems.
Polymarket has not yet issued an official statement from its main X account. CoinDesk reached out to Polymarket for additional comment, though no further details have emerged at this time.