Polymarket users get their bags back after a $3M frontend oopsie 🪙
Prediction market platform Polymarket says it will fully reimburse users affected by a phishing incident that blockchain security researchers estimate drained nearly $3 million from at least 11 wallets. The attack, disclosed on June 25, originated from a compromised third-party vendor that injected a malicious script into parts of the Polymarket frontend. The platform said it discovered the compromised vendor earlier that day, removed the affected dependency and contained the incident, adding that it is contacting impacted users directly and will refund them in full.
According to blockchain security firm PeckShield, attackers drained approximately $3 million worth of PUSD from more than 11 victim wallets before bridging the stolen funds from Polygon to Ethereum. The researchers said the attacker subsequently exchanged the proceeds for roughly 1,893 ETH, consolidating the assets into a monitored Ethereum address. Blockchain analyst Specter put the losses at an estimated $2.94 million across at least 11 Polymarket user wallets. Polymarket has not publicly confirmed the estimated losses or the number of affected wallets, and has not disclosed the identity of the compromised vendor or released a detailed technical postmortem. The company said only users who interacted with the compromised frontend during the attack window were affected, and that its underlying smart contracts were not impacted.
The incident was the 89th reported crypto security breach of the second quarter, extending the most-hacked quarter on record by incident count, according to DefiLlama data. Crypto exploit losses reached $74.9 million across 29 reported incidents in June, surpassing May's $60.5 million total but remaining well below April's $644 million figure. Over the past 30 days, private key compromises accounted for 43% of reported exploit losses, making them the leading attack vector, according to DefiLlama. About a month before the latest attack, Polymarket disclosed a separate $600,000 exploit traced to a six-year-old private key used for internal top-up operations. Josh Stevens, Polymarket's vice president of engineering, said at the time that the platform's contracts and user funds remained safe and that all permissions tied to the key had since been revoked.
Polymarket currently holds over $450 million in total value locked, up 301% from $112 million a year ago, according to DefiLlama. The platform said the latest incident has been contained, and that it is continuing to investigate while preparing to issue refunds to every affected user.