Polymarket rotates private key after leak
- Polymarket said on May 21 it rotated an internal private key and revoked related on-chain permissions after a six-year-old top-up key was compromised.
- Josh Stevens, Polymarket’s vice president of engineering, said “No Polymarket or UMA contracts have been exploited,” while swaps, transfers and token deployments were frozen.
- Polymarket said it is migrating all private keys to a key-management system as remediation continues and permissions remain under review.
Polymarket said on May 21 that it rotated an internal private key and revoked associated on-chain permissions after what it described as a compromise of a six-year-old key used in an internal top-up configuration. Josh Stevens, the company’s vice president of engineering, said in a public update that no Polymarket or UMA contracts were exploited and that user funds remained safe. The company also said swaps, transfers and token deployments were temporarily frozen while it worked through remediation. Polymarket said it is now migrating all private keys to a key-management system.

### Which key was compromised, and what was it used for?

Josh Stevens said the compromised credential was a “6-year-old private key” in Polymarket’s “internal top-up config,” a setup he said explained why funds were being sent to it. That description points to an internal operational wallet rather than a user wallet or a market-resolution contract. Polymarket’s own documentation distinguishes between user-controlled trading keys and internal operational systems. (sandmark.com) Its API documentation says user trading remains non-custodial and that the private key used for authentication stays under the user’s control, which is separate from the internal key Stevens described in the incident update.

### Did the leak affect user funds or market contracts?

Stevens said, “No Polymarket or UMA contracts have been exploited. All user funds are safe, and using Polymarket.com is safe, so business as usual.” (sandmark.com) A separate post from Shantikiran Chanal said the reports were linked to rewards payout and that “user funds and market resolution are safe.” Those statements indicate the company is drawing a line between an internal wallet compromise and any exploit of the smart contracts that handle market resolution. (docs.polymarket.com) UMA’s role in Polymarket’s setup is tied to market resolution through the UMA CTF Adapter, according to reporting that cited the company’s public comments.

### Why were swaps, transfers and token deployments frozen?

Polymarket said on May 21 that swaps, transfers and token deployments were frozen temporarily while remediation proceeded. (sandmark.com) The company did not describe that pause as a user-fund loss event; it framed it as an operational response while permissions were revoked and keys were rotated. The freeze fits the company’s description of the affected systems. (forklog.com) Reporting that cited on-chain investigators said addresses connected to operational flows, including top-ups and rewards, were the focus of the incident rather than the contracts users trade against directly.

### How much money appears to have moved?

On-chain estimates varied on May 22. Sandmark, citing investigators including ZachXBT, Lookonchain and Bubblemaps, said the transfers involved 1.24 million POL and 458,671 USDC.e. (sandmark.com) Other crypto outlets put the apparent loss in a range from roughly $520,000 to about $700,000, but Polymarket had not published a final figure in the materials reviewed. Because those figures come from third-party on-chain reads rather than a company post-mortem, they should be treated as provisional. Polymarket’s public statements focused on the source of the compromise, the safety of user funds and the remediation steps it was taking.

### What is Polymarket changing now?

Polymarket said all private keys are being moved to a key-management system, or KMS, after the compromise. (sandmark.com) That is the clearest next operational step the company has disclosed publicly. Polymarket’s documentation already tells developers to store sensitive values in environment variables or a secrets manager, and the company’s post-incident language suggests it is now applying that discipline across its own internal key handling. (sandmark.com)

May 22 coverage of the incident was still relying on Polymarket’s initial public updates and on-chain observations, and the company had not yet published a full post-mortem in the materials reviewed. (sandmark.com) The next concrete milestone is any formal incident report from Polymarket detailing the final loss figure, the affected addresses and when frozen functions are fully restored. (docs.polymarket.com)