Key Takeaways:
- Hackers drained $700K in POL from Polymarket after compromising a 6-year-old internal private key.
- ZachXBT alerted users, but Polymarket confirmed all user funds remain fully safe.
- To prevent further incidents, Polymarket will move all private keys to KMS.
Polymarket, one of the largest prediction markets in the world, experienced a security incident that put the platform’s community on alert.
On Friday, blockchain intelligence researcher ZachXBT pointed to a possible compromise of the platform’s admin address on Polygon, noting that a significant amount of funds had already been drained.

According to Bubblemaps, the attackers had been withdrawing 5,000 POL every 30 seconds, splitting the funds across 16 addresses, including centralized exchanges and other services. At the time of writing, reports indicated that the losses reached $700K.
The platform later acknowledged the security event, with Polymarket’s Shantikiran Chanal stating that they were “aware of the security reports linked to rewards payout,” but claiming that user funds and market resolution functions were safe.
“Findings point to a private key compromise of a wallet used for internal operations, not contracts or core infrastructure,” he specified. Furthermore, he explained that Polymarket was rotating its private keys for backend services and investigating any internal secrets that could have been affected in the incident.
In April, Polymarket reached trading volumes of over 9 billion. An exploit in the platform’s contracts, depending on its nature, could put these funds in jeopardy.
Nonetheless, Josh Stevens, VP of Engineering at Polymarket, offered a short post-mortem report, shedding more light on the situation.
“We had a 6-year-old private key that was compromised. This was in the internal top-up config, which is why funds were being sent to it. We have rotated this key, revoked all prod permissions and are moving all PKs to KMS keys from now on,” he declared, consistent with earlier reports that pointed to a private key being compromised.
“No polymarket or UMA contracts have been exploited. All user funds are safe, and using Polymarket.com is safe, so business as usual,” he concluded.