VYPR
breach · Published Jun 26, 2026 · 1 source

Polymarket Hacked for $3 Million via Compromised Third-Party Vendor

Decentralized prediction market Polymarket suffered a $3 million hack after attackers compromised a third-party vendor to inject a malicious script into the platform's frontend.

Polymarket, a leading decentralized prediction market built on the Polygon blockchain, disclosed on Thursday that it had been breached after a third-party vendor was compromised. The attackers injected a malicious script into the platform's frontend, targeting a subset of users and stealing approximately $3 million worth of pUSD, the platform's USDC-backed trading currency.

Blockchain security firm PeckShield tracked the stolen funds, reporting that the attacker bridged the assets from Polygon to Ethereum and swapped them for roughly 1,893 ETH. A blockchain analyst confirmed that the losses totaled nearly $3 million, with funds taken from at least 11 victims. The specific vendor exploited and the exact method of compromise have not been disclosed.

Polymarket acknowledged the incident in a post on X, stating, 'This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We’ve contained it & removed the affected dependency.' The company promised to contact all impacted users and provide full refunds, though it did not specify how many users were affected.

The attack highlights the persistent supply-chain risks facing decentralized finance (DeFi) platforms, where reliance on third-party code and services can introduce vulnerabilities beyond the platform's direct control. Polymarket's use of a third-party vendor for frontend functionality created an entry point for the attackers to siphon user funds.

This incident is the latest in a series of high-profile crypto thefts. Earlier this month, the Kelp DAO suffered a $290 million heist attributed to North Korean hackers, and the Aztec protocol was hit by a second $2 million exploit. The Polymarket hack, while smaller in scale, underscores that even well-known DeFi platforms are not immune to supply-chain attacks.

Polymarket has not yet responded to requests for comment on the exact amount stolen or the number of victims. The company's promise to fully refund affected users may help mitigate reputational damage, but the breach serves as a stark reminder for DeFi platforms to rigorously audit third-party dependencies and implement robust client-side security measures.

Synthesized by Vypr AI