the coinformer
Contact About
Live 5m

Polymarket exploit could have put $453M at risk, ex-Monad head of DeFi says

Ex-Monad head of DeFi says the recent Polymarket exploit could have been way worse.

Polymarket

Abdul Rehman, the former head of DeFi at Layer-1 blockchain Monad, says Polymarket's recent private-key compromise could have been far worse than the roughly $660,000 actually drained because the compromised wallet allegedly had admin rights tied to manual market resolution.

The incident was first flagged by blockchain sleuth ZachXBT, who wrote in a Telegram post that "a Polymarket admin address appears to have been compromised on Polygon." The investigator detailed that the attacker drained more than $520,000 from Polymarket.

Blockchain security firm PeckShield later wrote in a post on X that part of the stolen funds had already been deposited into ChangeNOW, a non-custodial crypto exchange.

Josh Stevens, vice president of DeFi engineering at Polymarket, pushed back on claims that the protocol itself had been exploited, writing in an X post that "no polymarket or UMA contracts have been exploited." He also added that "all user funds are safe, and using Polymarket.com is safe, so business as usual."

Stevens said the issue was a compromised legacy key, not a contract failure. "We had a 6-year-old private key that was compromised," he wrote, adding that the key was inside Polymarket's internal top-up configuration, which is why funds kept being sent to it.

Polymarket has rotated the key, revoked production permissions and is moving private keys to KMS, or key management service, keys, he added.

Later, Stevens said in another X post that the team had frozen $164,000 of the $573,200 taken from the compromised key, with help from ZachXBT, Bitcoin Vietnam and ChangeNOW.

"Its scary"

Although Polymarket's direct loss was under half a million dollars, Rehman pointed out in an X post that the bigger risk was what the compromised wallet may have been able to do.

Due to Polymarket's architecture, the platform's markets need someone or something to decide who won. Rehman says the hacked admin wallet had access to a manual override function, meaning the attacker could have tried to make markets settle their way instead of only draining the cash sitting in the wallet.

In Rehman's worst-case scenario, the attacker could have bought bets on Polymarket, pushed those markets into manual review, waited out the safety delay, and then used the hacked admin access to declare their own bets as winners.

"Its scary because it took the polymarket team roughly over an hour to get this situation under control. In that time the exploiter could have caused serious damage to active markets (over $453m in open interest)"

Abdul Rehman

Rehman said active markets had more than $453 million in open interest, meaning that much exposure could have been at risk if the attacker had used the key for market manipulation.

The unresolved question is why a six-year-old private key still had production permissions and why Polymarket's internal funding system kept sending money to a wallet after it had been compromised.

👀 2