Polymarket Picks Up the Tab After Vendor's Bad Code Siphons ~$3M 🧾

Polymarket will fully reimburse users affected by a phishing attack that drained approximately $3 million from more than 11 wallets, the prediction market platform said in a statement published on June 25. The incident was traced to a compromised third-party vendor that injected a malicious script into parts of Polymarket's frontend, exposing users who interacted with the site during the attack window to the phishing scheme.

The company said it discovered the compromised vendor earlier in the day, removed the affected dependency, and contained the incident. Polymarket added that it is contacting impacted users directly and will refund them in full. The platform has not disclosed the identity of the compromised vendor, the number of affected users, or a timeline for a full technical postmortem.

Blockchain security firm PeckShield reported that attackers drained approximately $3 million worth of PUSD from victim wallets before bridging the stolen funds from Polygon to Ethereum. According to the researchers, the attacker subsequently exchanged the proceeds for roughly 1,893 ETH and consolidated the assets into a monitored Ethereum address. Polymarket has not publicly confirmed the estimated losses or the number of affected wallets.

The platform emphasized that only users who interacted with the compromised frontend during the attack window were affected, and that its underlying smart contracts were not impacted. Unlike many phishing incidents that leave users responsible for their losses, Polymarket said it intends to reimburse everyone affected by the attack.

No timeline has been provided for either the reimbursement process or the publication of a full incident report, and the company said its investigation remains ongoing.