Governance Attack on UMA by ‘BornTooLate.Eth’
A rogue actor, identifiable by the Ethereum wallet address ‘BornTooLate.Eth’, has executed a governance attack on the Universal Market Access (UMA) protocol. UMA serves as a decision-making oracle, crucial for platforms like Polymarket, and this attack specifically targeted a Ukraine-themed contract. By strategically acquiring a substantial amount of UMA tokens, this individual became one of the largest stakeholders in the governance of the platform.
UMA operates as a decentralized “optimistic” oracle protocol, which is designed to resolve disputes within prediction markets. It empowers UMA token holders to vote on disputed outcomes, but this opens the door to potential manipulation. The protocol has previously encountered its share of controversies, particularly in its resolution of contentious markets. Notable examples include decisions regarding Barron Trump’s association with a Presidential meme coin, the ambiguous circumstances surrounding the ‘finding’ of the OceanGate submarine, and the disputed electoral processes in Venezuela. Such resolutions have drawn criticism for being overly subjective, leading to frustration among certain market participants.
Recent on-chain data reveals that BornTooLate.Eth currently holds around 1.3 million UMA tokens, placing them among the top five governance stakers. This significant holding grants them considerable influence over how disputes within the UMA ecosystem are resolved. In the case of the Ukraine-themed contract at the center of this attack, bettors were asked to speculate on the likelihood of a deal being finalized that would grant U.S. access to the country’s rare earth resources by the end of March. Although reports indicate that negotiations are ongoing, no formal agreement has been reached. Nevertheless, the contract on Polymarket was resolved as ‘yes’ after BornTooLate.Eth utilized their staked UMA tokens to cast a ‘yes’ vote on the resolution.
A Very Unprofitable Trading Strategy
Interestingly, despite the aggressive nature of this governance attack, it appears that no substantial financial gain was realized by any of the involved parties. Data from on-chain curator Polymarket Analytics indicates that the largest winner from this particular contract earned just over $55,000. In contrast, the losses incurred were relatively modest when compared to other high-profile Polymarket contracts, with the biggest loser forfeiting approximately $73,000.
Further inspection of the Etherscan page associated with BornTooLate.Eth reveals that this actor began accumulating UMA tokens over a year ago. Given their current holdings of over 1.3 million tokens, it is estimated that accumulating such a treasury for the purpose of the attack would have cost upwards of $2 million.
In response to these events, Polymarket has stated that no refunds will be issued, asserting that this situation does not constitute a “market failure.” In a statement shared on Discord, the platform indicated that it is collaborating with the UMA oracle team to enhance safeguards against similar occurrences in the future. “This market resolved against the expectations of our users and our clarification,” a spokesperson noted on Discord. “We’re committed to building the future of prediction markets, which requires creating resilient systems in which everyone can trust.”
As of now, Polymarket founder Shayne Coplan has not provided a comment regarding the situation.