Polymarket Vendor Breach Drains $3M in User Funds via Malicious Code


Polymarket confirmed Thursday that a compromised third-party vendor allowed attackers to inject malicious code into the prediction market's front-end, draining roughly $3 million in user funds. The attack did not target Polymarket's smart contracts. Instead, the compromised vendor served a malicious script to some users' browsers, where it accessed their wallets and drained pUSD, the platform's USDC-backed stablecoin. Supply-chain attacks have become an increasingly attractive vector in crypto because they bypass audited on-chain code entirely, striking the website layer and outside dependencies that users rarely scrutinize.

Attackers Injected Malicious Script Through Compromised Vendor

The compromised vendor served a malicious script to some users' browsers, where it accessed their wallets and drained pUSD, the platform's USDC-backed stablecoin used to settle all trades. The attackers then bridged the stolen funds from Polygon to Ethereum and swapped them into about 1,893 ETH, consolidating the proceeds in a single wallet. Because the malicious code lived in the website rather than on the blockchain, affected users had little way to detect that the interface they trusted had been tampered with. Polymarket declined to name the compromised vendor or comment further.

Fewer Than 15 Accounts Affected, Full Refunds Pledged

On-chain investigators at Bubblemaps concluded the damage was largely contained, with fewer than 15 user accounts affected. Polymarket said it would refund impacted customers in full and confirmed the front-end issue had been contained and the affected dependency removed. The limited account count suggests the malicious script reached only a subset of users before the company caught and pulled it. In a post, the company said it had discovered the compromised third-party vendor that morning, contained the breach, and removed the affected dependency.

Second Polymarket Breach in Two Months

The breach was Polymarket's second in two months. In May, a wallet exploit involving compromised employee credentials led to about $700,000 in losses, attributed to a private-key compromise rather than a website flaw. Together, the two episodes point to operational and third-party risk rather than weaknesses in the underlying protocol. Front-end and supply-chain attacks bypass audited smart contracts entirely, striking the website layer and outside dependencies that users rarely scrutinize, a vector that has become an increasingly attractive target as on-chain code itself grows harder to crack.

FAQ

What caused the Polymarket breach that drained $3 million in user funds?

A compromised third-party vendor allowed attackers to inject malicious code into Polymarket's front-end. The malicious script was served to some users' browsers, where it accessed their wallets and drained pUSD; the attackers then converted the stolen funds into roughly 1,893 ETH. The attack targeted the website layer rather than Polymarket's smart contracts.

How many Polymarket users were affected by the vendor breach?

On-chain investigators at Bubblemaps found fewer than 15 accounts were affected by the malicious script. Polymarket pledged to refund impacted customers in full and confirmed the front-end issue had been contained and the affected dependency removed.

Did Polymarket experience other security incidents recently?

In May, Polymarket suffered a separate wallet exploit involving compromised employee credentials that led to about $700,000 in losses. That incident was attributed to a private-key compromise rather than a website flaw, making the vendor breach Polymarket's second security incident in two months.
