Polymarket has confirmed that attackers stole approximately $3 million in cryptocurrency from users after compromising a third-party service that supplied code to the platform’s website. The incident did not exploit Polymarket’s smart contracts. Instead, it targeted the platform’s frontend through a supply chain attack, allowing malicious code to reach users interacting with the site.
The company said it quickly contained the breach, removed the compromised dependency, and began contacting affected users. Polymarket also pledged to fully reimburse everyone impacted by the attack, although it has not disclosed the number of victims or provided a timeline for refunds.
How the Attack Unfolded
Blockchain security researchers estimate that attackers drained nearly $3 million in PUSD from more than a dozen user wallets. According to on-chain analysis, the stolen assets were rapidly bridged from Polygon to Ethereum before being converted into roughly 1,893 ETH, a common tactic used to complicate asset tracking.
Key details reported so far include:
- The attack originated from a compromised third-party vendor rather than Polymarket’s core infrastructure.
- Malicious JavaScript was injected into the platform’s frontend for a limited group of users.
- The attackers targeted wallet interactions instead of exploiting smart contracts.
- Polymarket says it has removed the affected dependency and is refunding all verified victims.
Growing Focus on Frontend Security
The incident highlights an increasing threat facing cryptocurrency platforms. Even when smart contracts remain secure, attackers can compromise external software providers and inject malicious code into trusted websites, tricking users into approving fraudulent transactions.
Polymarket emphasized that its underlying protocol was not breached and described the event as a third-party supply chain compromise. The platform is continuing its investigation while working directly with affected users.
The breach comes during a period of heightened scrutiny for crypto security, reinforcing concerns that frontend infrastructure and vendor management remain critical attack surfaces for decentralized applications. Although Polymarket’s commitment to reimburse users may help restore confidence, the incident serves as another reminder that security risks extend beyond blockchain protocols themselves and into the broader software ecosystem supporting Web3 applications.