🩸BEARISH

Polymarket Drained for ~$3M in Third-Party Provider Breach

The injected code sat on the site frontend rather than in Polymarket's core contracts, but the read for prediction markets is harder: vendor risk now sits inside the user-trust boundary, not outside…

Polymarket said its website frontend was injected with malicious code after a third-party provider was breached, allowing attackers to steal roughly $3 million from user accounts. On-chain analysis traced the stolen funds, which were primarily the platform's pUSD stablecoin, to fewer than 15 affected wallets before the proceeds were swapped into ETH.

Why it matters

The exploit ran through a compromised vendor rather than Polymarket's core contracts, which the company said were not touched; it also said the vulnerability has now been fixed. That distinction matters for protocol solvency but does little for the affected users, whose losses were real regardless of where the code lived. It also lands as Polymarket's second security incident in under two months, a pattern that starts to look like a structural exposure rather than a one-off.

Market impact

Polymarket has committed to fully reimbursing affected users, which caps the direct financial damage but does not address the harder question raised here: when a venue's frontend depends on third-party providers, vendor compromise becomes a user-trust event, not an internal IT problem. Prediction-market venues will be reading this closely, particularly around which integrations carry wallet access and how aggressively those dependencies are vetted.

Source: [Polymarket to Refund Users After Scammers Swipe Millions in Website Exploit — Decrypt](https://decrypt.co/372129/polymarket-refund-users-scammers-swipe-millions-website-exploit)

Related tokens
$ETH

Frequently asked questions

  1. How were Polymarket users drained?

    Polymarket said its website frontend was injected with malicious code after a third-party provider was breached, letting attackers steal roughly $3 million from user accounts.

  2. How many users were affected?

    On-chain analysis showed fewer than 15 wallets were hit, with stolen funds primarily in the platform's pUSD stablecoin before being swapped into ETH.

  3. Will Polymarket users be refunded?

    Polymarket said the vulnerability has been fixed and that affected users will be fully reimbursed, limiting direct financial damage.

  4. Was Polymarket's core protocol compromised?

    The company said its core contracts were not touched and that the attack ran through a compromised third-party vendor integrated into the website frontend.

  5. Is this Polymarket's first security incident?

    No. This marks Polymarket's second security incident in under two months, raising questions about structural vendor-risk exposure.

Source attribution
Aggregated from WuBlockchain · Verified · Last refreshed 1h ago