Decentralized prediction market platform Polymarket confirmed this week that a third-party vendor was compromised, resulting in a malicious script being injected into its frontend. The company says it has contained the incident and removed the affected dependency, and has pledged to fully refund impacted users.

Polymarket disclosed the breach in a post on X, keeping details sparse. The company stated: “This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We’ve contained it and removed the affected dependency.” It did not specify how many users were affected or the total value of cryptocurrency stolen. When contacted for additional comment, Polymarket said it had nothing to add beyond its public statement.

Scope of the Theft

Blockchain security firm PeckShield assessed that approximately $3 million worth of pUSD, Polymarket’s USDC-backed trading currency, was stolen through a phishing campaign facilitated by the injected script. According to PeckShield, the attacker moved the stolen funds from the Polygon network to Ethereum, converting them to roughly 1,893 ETH. An independent blockchain analyst corroborated the total loss figure of nearly $3 million, with funds drained from at least 11 victim accounts.

Attack Vector and Attribution

The attack follows a well-documented pattern in Web3 security incidents: a software supply chain compromise that introduces malicious frontend code, in this case designed to redirect or capture user funds. This technique allows attackers to target end users without directly breaching the platform’s core infrastructure.

  • Initial vector: Third-party vendor compromise leading to frontend script injection
  • Mechanism: Injected script used to run a phishing campaign against some users, draining their funds
  • Funds moved: Polygon to Ethereum, converted to approximately 1,893 ETH
  • Victims identified: At least 11 accounts, totaling close to $3 million

No attribution has been established. The identity of the threat actor remains unknown at this time.

Implications for Web3 Platforms

This incident underscores the persistent risk that third-party dependencies pose to decentralized finance platforms. Even where core smart contracts remain intact, a single compromised vendor in the frontend delivery chain can expose users to significant financial loss. Security teams operating in the Web3 space should treat frontend integrity monitoring and dependency vetting with the same rigor applied to on-chain security controls.
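One concrete form the frontend integrity monitoring mentioned above can take is pinning every third-party script to a Subresource Integrity (SRI) hash and re-checking the served files against that pin. The following is an added illustration written for this article, not Polymarket's code or a description of the actual compromised dependency; the vendor URLs and script bodies are constructed stand-ins, and the monitor compares a freshly fetched copy of each script against the reviewed baseline so that a modified or newly introduced file is flagged before it reaches users.

```python
import base64
import hashlib

# Constructed baseline: script bodies a team reviewed and approved.
# Hypothetical vendor hostnames; none correspond to a real dependency.
APPROVED_SCRIPTS = {
    "https://cdn.example-vendor.test/widget.js": b"window.widget = function () { return 'ok'; };\n",
    "https://cdn.example-analytics.test/track.js": b"window.track = function (e) { return e; };\n",
}

# Constructed "current" fetch: widget.js has changed since review and an
# unreviewed script has appeared alongside the approved ones.
CURRENT_FETCH = {
    "https://cdn.example-vendor.test/widget.js": b"window.widget = function () { return 'ok'; };\n// unexpected change\n",
    "https://cdn.example-analytics.test/track.js": b"window.track = function (e) { return e; };\n",
    "https://cdn.example-new.test/extra.js": b"window.extra = 1;\n",
}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI token ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_manifest(scripts: dict) -> dict:
    """Pin every approved script URL to the SRI token of its reviewed body."""
    return {url: sri_hash(body) for url, body in scripts.items()}


def script_tag(url: str, manifest: dict) -> str:
    """Emit the <script> tag the page should ship; the browser refuses to run
    the file if its hash no longer matches the integrity attribute."""
    return f'<script src="{url}" integrity="{manifest[url]}" crossorigin="anonymous"></script>'


def check_drift(manifest: dict, fetched: dict) -> list:
    """Compare freshly fetched script bodies against the pinned manifest.

    Returns one finding per problem: a pinned script that is missing, a pinned
    script whose content changed, or a script served that was never reviewed.
    """
    findings = []
    for url, token in manifest.items():
        if url not in fetched:
            findings.append(f"MISSING {url}")
        elif sri_hash(fetched[url]) != token:
            findings.append(f"MODIFIED {url}")
    for url in fetched:
        if url not in manifest:
            findings.append(f"UNPINNED {url}")
    return findings


if __name__ == "__main__":
    manifest = build_manifest(APPROVED_SCRIPTS)
    for url in manifest:
        print(script_tag(url, manifest))
    for finding in check_drift(manifest, CURRENT_FETCH):
        print(finding)
```

Running the block prints the pinned `<script>` tags for the two approved files, then `MODIFIED` for the altered widget script and `UNPINNED` for the unreviewed one. In practice the manifest is regenerated only through the same review process that vets a new dependency, so a vendor-side change cannot silently become the new baseline.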

Polymarket has indicated that affected users will be contacted directly and made whole, though the timeline and mechanism for refunds have not been detailed publicly.