Polymarket Hit By ‘Internal Top-Up’ Wallet Exploit, $700K Drained

Polymarket, the major prediction market platform built on Polygon, disclosed a wallet exploit that drained approximately $700,000 from an internal top-up wallet. The platform confirmed that user funds stayed secure and that smart contracts and core infrastructure remained uncompromised.

The exploit specifically targeted Polymarket's internal wallet system rather than user-facing assets. The platform's architecture segregates operational wallets from customer deposits, a design choice that contained the damage. Polymarket maintains order books and liquidity pools that facilitate trades on events ranging from elections to sports outcomes. The protocol operates on Polygon, a scaling solution for Ethereum, and has emerged as the leading decentralized prediction market venue.

Polymarket did not disclose the vector used in the attack or provide details on the exploitation timeline. The platform stated that security measures prevented broader contagion across its infrastructure. Prediction markets have drawn regulatory scrutiny in the United States, particularly around political event trading. The Commodity Futures Trading Commission indicated concerns about unregistered prediction markets operating without proper oversight.

This incident underscores operational risks that DeFi platforms face beyond smart contract vulnerabilities. Internal infrastructure, wallet management, and operational security remain attack surfaces. Polymarket's separation of operational and user wallets functioned as a firewall, limiting exposure. The platform did not specify whether it would recover the $700,000 or adjust security protocols.

The exploit emerges as prediction markets gain prominence in crypto trading. Polymarket processed substantial volume during major political events, with users betting on election outcomes. The platform previously faced compliance questions from regulators concerned about market manipulation and undisclosed positions on predicted events.

Polymarket's parent company, Polymarket Inc., operates the frontend interface while the underlying protocol functions on-chain. The organization did not announce compensation for losses or a detailed postmortem of the attack. Recovery of drained funds depends on whether the attacker moved assets through mixers or left tokens on-chain where blockchain forensics could trace activity.