Polymarket Refunds Users After $3M Vendor Hack Drains Accounts
In brief
- Third-party vendor compromise allowed hackers to inject malicious code into Polymarket's frontend on Thursday.
- Attackers stole roughly $3 million in pUSD stablecoin from customer wallets across fewer than 15 accounts.
- Polymarket confirmed full refunds for affected users and removed the frontend vulnerability from its platform.
- Bubblemaps on-chain analysis identified the limited scope of the breach to under 15 user accounts.
- Security incident marks Polymarket's second breach in two months.
How the hack unfolded
One of Polymarket's third-party vendors suffered a hack Thursday, enabling attackers to gain access to the prediction market's infrastructure. The attack allowed hackers to inject malicious code into Polymarket's front-end, the company said. Polymarket declined to comment on which vendor was compromised.
The attackers targeted customer wallets containing pUSD, a Polymarket-specific dollar-pegged stablecoin backed by USDC. Stolen funds were converted into ETH and moved to an Ethereum wallet. The scope of the attack proved limited — on-chain sleuths at Bubblemaps concluded that fewer than 15 user accounts were affected.
Response and remediation
Polymarket moved quickly to contain the damage. The company said it is refunding impacted customers in full, and the frontend issue has been contained and removed.
This incident marks the second breach for Polymarket in a month. Last month, the platform suffered another hack involving a wallet used by company employees to top up and pay out user rewards. That exploit cost the company roughly $700,000 and was likely caused by a private key compromise. The back-to-back breaches raise questions about the platform's vendor management and internal security protocols.
