
Polymarket contains vendor compromise after malicious frontend script drains ~$2.94M

The platform says the affected dependency was removed and impacted users will be fully refunded.

By AI News Crypto Editorial Team

Polymarket said it contained a third-party vendor compromise that let attackers inject a malicious script into its frontend, with an analyst estimating about $2.94 million drained from at least 11 user wallets. The platform said the affected dependency was removed and that impacted users would be fully refunded.

Key Takeaways

  • A third-party vendor compromise enabled a malicious script injection into Polymarket’s frontend, impacting multiple users.
  • Blockchain analyst Specter estimated roughly $2.94 million was drained from at least 11 wallets, describing the flow as phishing-enabled.
  • Polymarket said the incident “has been contained,” the “affected dependency has been removed,” and users “would be fully refunded.”
  • DefiLlama logged the event as the 89th reported crypto security breach of Q2 by incident count and put June exploit losses at $74.9 million across 29 incidents.

Polymarket Vendor Compromise Injects Malicious Frontend Script

Attackers compromised a third-party vendor used by Polymarket and used that access to inject a malicious script into the platform’s frontend, affecting multiple users. The mechanism matters because it targets the web layer traders actually interact with, not necessarily the on-chain contracts.

Blockchain analyst Specter estimated the incident drained about $2.94 million from at least 11 Polymarket user wallets. Specter said the injected script appeared to facilitate phishing, a pattern where a trusted interface is manipulated to trick users into approving transfers or revealing sensitive information.

The available information does not include a platform-confirmed loss total, the full number of affected users, or the exact time window the script was live beyond a reference to discovery on Thursday. That leaves traders working off an analyst estimate while waiting for a final accounting.

Containment Steps and Refund Commitment From Polymarket

Polymarket said on X the compromise “has been contained” and the “affected dependency has been removed.” The platform also said impacted users “would be fully refunded.”

That refund commitment is the key stabilizer for near-term user behavior. It can cap reputational damage if executed quickly and cleanly, but it does not eliminate operational risk for active users until there is confirmation of processing details and edge cases. In incidents like this, the second-order effect is often confidence in the interface, not just the dollar amount lost.

The incident also lands after a separate Polymarket disclosure about a month earlier of a $600,000 exploit tied to a six-year-old private key used for internal top-up operations. Polymarket vice president of engineering Josh Stevens said at the time that contracts and user funds remained safe and that permissions tied to the key were revoked.

Security Backdrop: Q2 Incident Pace and June Loss Totals

DefiLlama characterized the Polymarket event as the 89th reported crypto security breach of Q2 by incident count, extending what it described as the most-hacked quarter on record by incident count. June exploit losses totaled $74.9 million across 29 incidents, compared with $60.5 million in May and $644 million in April, per DefiLlama.

DefiLlama’s breakdown of the last 30 days also frames the environment: private key compromises accounted for 43% of reported exploit losses, fake proof exploits were 10%, and reverse MEV honeypots were 8%.

Polymarket’s scale raises the stakes. DefiLlama data puts the platform at over $450 million in TVL, up 301% from $112 million a year ago. That growth makes frontend integrity and vendor hygiene more than a technical detail, since more prediction-market flow is now concentrated behind a single web surface.

Signals to Watch After Polymarket Vendor Compromise Drains $2.9M

The first confirmation that matters is whether refunds have actually been processed, including timing, method, and whether any users fall into unresolved edge cases.

Next is a postmortem that names the compromised third-party vendor or dependency and pins down the exact window the malicious script was live. Without that, traders cannot properly scope exposure or judge whether the fix is durable.

Loss reporting is also still in flux. Any update beyond Specter’s estimate, including additional affected wallets or a platform-confirmed total, will determine whether this stays a contained user-level incident or expands into a broader trust event.

Finally, watch Polymarket’s TVL, currently reported above $450 million by DefiLlama, for signs of short-term capital rotation after the refund rollout. A flat or recovering TVL would suggest the market is treating this as an operational hiccup rather than a structural counterparty risk.

Frontend/Vendor Risk Is a Different Failure Mode Than Smart-Contract Risk

I don’t treat this as a smart-contract story. The core failure mode described here is web supply chain risk, where a compromised dependency can turn a legitimate frontend into a phishing surface and push users into signing away funds.

The threshold that matters is execution: if Polymarket delivers full refunds quickly and publishes a clear postmortem that narrows the exposure window, this looks more like a sentiment catalyst than a fundamental shift. If the loss tally grows or refund processing drags, the setup starts to look structural rather than narrative-driven because trust in the interface is the product.
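
One control against the web supply chain failure mode described above, shown as an added example (not Polymarket's code and not part of the original article): a Node.js audit that flags cross-origin scripts loaded without Subresource Integrity and shows how a pinned hash stops a changed vendor file from executing. It assumes the dependency is delivered through a `<script src>` tag, which the article does not confirm; the hosts, HTML and script bodies are constructed.

```javascript
// Added example: audits a page's <script> tags for Subresource Integrity (SRI).
const { createHash } = require('node:crypto');

// SRI value for a script body, in the "sha384-<base64>" form browsers expect.
function sriHash(body) {
  return 'sha384-' + createHash('sha384').update(body, 'utf8').digest('base64');
}

// Returns one finding per cross-origin script: 'ok', 'missing-sri' or 'sri-mismatch'.
// `served` maps script URL -> body the vendor currently serves (constructed here).
function auditScripts(html, firstPartyOrigin, served) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  for (const [, attrs] of html.matchAll(tagRe)) {
    const src = /\bsrc\s*=\s*"([^"]*)"/i.exec(attrs);
    if (!src) continue; // inline script, out of scope for SRI
    const url = new URL(src[1], firstPartyOrigin);
    if (url.origin === firstPartyOrigin) continue; // same-origin asset
    const integrity = /\bintegrity\s*=\s*"([^"]*)"/i.exec(attrs);
    let status;
    if (!integrity) {
      status = 'missing-sri'; // browser runs whatever the vendor serves
    } else if (integrity[1].split(/\s+/).includes(sriHash(served[url.href] ?? ''))) {
      status = 'ok';
    } else {
      status = 'sri-mismatch'; // browser would refuse to execute this script
    }
    findings.push({ url: url.href, status });
  }
  return findings;
}

// Constructed sample data: hypothetical vendor hosts and script bodies.
const PINNED = 'window.widget = { version: 1 };';
const TAMPERED = PINNED + ' /* unexpected extra code */';
const SAMPLE_HTML = `
<script src="/app.js"></script>
<script src="https://cdn.vendor-a.example/widget.js"
        integrity="${sriHash(PINNED)}" crossorigin="anonymous"></script>
<script src="https://cdn.vendor-b.example/chat.js"></script>`;
const SERVED = {
  'https://cdn.vendor-a.example/widget.js': TAMPERED,
  'https://cdn.vendor-b.example/chat.js': 'console.log("chat");',
};

console.log(auditScripts(SAMPLE_HTML, 'https://app.example', SERVED));
```

SRI only covers files whose content is pinned at release time; a vendor script that is meant to change on every load needs a different control, such as self-hosting a reviewed copy.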
