Polymarket confirms $3M user fund theft via third-party vendor breach
Tags Security · Infrastructure · Consumer

Polymarket confirmed that a compromised third-party vendor injected malicious scripts into its frontend, draining approximately $3 million in cryptocurrency from user wallets. Blockchain security firm PeckShield identified the attack, which affected more than 11 victims. Polymarket said it has contained the incident and is refunding affected users in full. The breach follows revelations that Polymarket paid creators to post fake betting videos, compounding the platform's reputational challenges.
Technical significance
The Polymarket breach highlights the attack surface created by third-party scripts loaded at runtime into web applications that handle financial assets. A single compromised vendor script, executing with the same privileges as the platform's own frontend code, was enough to drain funds from multiple users: DeFi and prediction-market platforms inherit the security posture of every vendor whose code runs in their users' browsers. The incident will likely accelerate adoption of stricter Content Security Policy rules and Subresource Integrity (SRI) checks across fintech. Two caveats matter for anyone implementing that response. SRI only protects a script whose exact bytes are pinned to a versioned URL, so a vendor script served from a mutable URL, or one that fetches further scripts at runtime, cannot be pinned this way and is better self-hosted as a reviewed copy. And a CSP source allow-list does not help when the compromised script is served from an origin the policy already allows; CSP limits where scripts may come from, SRI checks what they contain.