- A compromised third-party vendor let attackers inject malicious code into Polymarket’s front-end, draining about US$3 million (AU$4.35 million) in user funds.
- On-chain investigators at Bubblemaps found fewer than 15 accounts were affected, with the attackers converting stolen funds into roughly 1,893 ETH.
- Polymarket pledged to refund impacted customers in full and said the front-end issue had been contained, but declined to name the breached vendor.
Polymarket confirmed Thursday that a hack on one of its third-party vendors allowed attackers to inject malicious code into the prediction market’s front-end, draining roughly US$3 million (AU$4.35 million) in user funds before the company contained the breach.
The attack did not target Polymarket’s smart contracts. Instead, the compromised vendor served a malicious script to some users’ browsers, which accessed their wallets and drained pUSD, the platform’s USDC-backed stablecoin used to settle all trades.
The attackers then bridged the stolen funds from Polygon to Ethereum and swapped them into about 1,893 ETH, consolidating the proceeds in a single wallet in a common move to obscure the trail and liquidate quickly.
Because the malicious code lived in the website rather than the blockchain, affected users had little way to detect that the interface they trusted had been tampered with.
Related: Senate Democrats Demand Probe Into Trump Family Crypto Venture’s UAE Links
Damage Contained
On-chain investigators at Bubblemaps concluded the damage was largely contained, with fewer than 15 user accounts affected.
Polymarket said it would refund impacted customers in full and confirmed the front-end issue had been contained and the affected dependency removed. The limited account count suggests the malicious script reached only a subset of users before the company caught and pulled it.
The company declined to name the compromised vendor or comment further, leaving open questions about how the supply-chain weakness was introduced and whether other platforms relying on the same provider could be exposed.
The breach was Polymarket’s second in two months. In May, a wallet exploit involving compromised employee credentials led to about US$700,000 (AU$1.02 million) in losses, attributed to a private-key compromise rather than a website flaw.
Together, the two episodes point to operational and third-party risk rather than weaknesses in the underlying protocol.
Front-end and supply-chain attacks bypass audited smart contracts entirely, striking the website layer and outside dependencies that users rarely scrutinise, a vector that has become an increasingly attractive target as on-chain code itself grows harder to crack.
Read more: Australian Crypto Unicorn Immutable Scales Back Game Development in AI Pivot
Credit: Source link
