Polymarket Refunds $3M After Third-Party Vendor Exploit Drains User Funds
Polymarket users lost $3M after hackers exploited a third-party vendor to inject malicious code. The platform contained the breach and is fully refunding victims. This second incident in two months raises concerns about reliance on external vendors.
Quick Take
- Hackers stole $3M from under 15 Polymarket users via vendor compromise.
- Malicious code injected into front-end; funds converted to ETH.
- Polymarket will fully reimburse affected users.
- Second security incident in two months, following $700K employee wallet hack.
Market Impact Analysis
Bearish: The exploit highlights third-party risks and erodes trust in Polymarket, but quick refund and containment limit broader market impact.
Key Takeaways
- Attackers drained $3M from fewer than 15 Polymarket users through a compromised third-party vendor.
- Malicious code injected into the front-end converted pUSD to ETH; funds remain in an Ethereum wallet.
- Polymarket has contained the breach and is processing full refunds for all affected users.
- This marks the platform's second security incident in two months, following a $700K employee wallet hack.
What Happened
Polymarket's front-end was exploited after a third-party vendor was compromised, allowing hackers to inject malicious code. The attack siphoned $3 million from fewer than 15 user wallets. Polymarket swiftly contained the breach and removed the malicious code. The platform confirmed it will fully reimburse all victims. This is the second security incident for Polymarket in two months, following a $700,000 employee wallet hack in May.
The Numbers
The exploit drained approximately $3 million in pUSD, Polymarket's dollar-pegged stablecoin backed by USDC. On-chain data shows attackers converted the stolen funds into ETH and consolidated them into a single Ethereum wallet. Fewer than 15 accounts were affected, limiting the blast radius. For comparison, last month's employee wallet hack resulted in a $700,000 loss, likely due to a private key compromise.
Why It Happened
The root cause was a compromised third-party vendor, which allowed hackers to modify Polymarket's front-end code. By injecting malicious scripts, attackers could intercept transactions or drain wallets directly. Polymarket's reliance on external vendors for critical infrastructure creates a supply-chain risk. Even if core smart contracts are secure, the front-end remains a vulnerable attack surface.
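An added illustration of the front-end supply-chain risk described above, not code from Polymarket or its vendor (the article does not disclose how the vendor code was delivered). Assuming vendor code is loaded through cross-origin `<script>` tags, this Node.js check flags tags that are not pinned with Subresource Integrity, the browser mechanism that refuses a vendor file whose content no longer matches a reviewed hash. All origins, file names and script bodies are constructed.

```javascript
const crypto = require('crypto');

// SRI value for a script body: "sha384-" + base64(SHA-384 digest).
function sriHash(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body, 'utf8').digest('base64');
}

// Read one quoted attribute from a single <script ...> opening tag.
function attr(tag, name) {
  const m = tag.match(new RegExp('\\s' + name + '\\s*=\\s*["\']([^"\']*)["\']', 'i'));
  return m ? m[1] : null;
}

// One finding per cross-origin <script src>:
//   unpinned   - no integrity attribute: the vendor's server decides what runs
//   unreviewed - integrity present, but no reviewed copy to compare against
//   mismatch   - integrity differs from the hash of the reviewed copy
//   pinned     - integrity matches the reviewed copy
function auditScripts(html, pageOrigin, reviewed) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = attr(tag, 'src');
    if (!src) continue;                        // inline script: out of scope here
    const url = new URL(src, pageOrigin);
    if (url.origin === pageOrigin) continue;   // first-party file
    const integrity = attr(tag, 'integrity');
    const body = reviewed[url.href];
    const expected = body === undefined ? null : sriHash(body);
    let status;
    if (!integrity) status = 'unpinned';
    else if (expected === null) status = 'unreviewed';
    else status = integrity.split(/\s+/).includes(expected) ? 'pinned' : 'mismatch';
    findings.push({ url: url.href, status, expected });
  }
  return findings;
}

// Constructed sample input: a reviewed vendor script body and a page that loads it.
const GOOD = 'window.vendorWidget = function () { return "v1"; };';
const CDN = 'https://cdn.vendor.example/';   // hypothetical vendor origin
const REVIEWED = { [CDN + 'widget.js']: GOOD, [CDN + 'chart.js']: GOOD, [CDN + 'stale.js']: GOOD };
const PAGE = [
  '<script src="/static/app.js"></script>',
  `<script src="${CDN}widget.js"></script>`,
  `<script src="${CDN}chart.js" integrity="${sriHash(GOOD)}" crossorigin="anonymous"></script>`,
  `<script src="${CDN}stale.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>`,
].join('\n');

console.log(auditScripts(PAGE, 'https://app.example', REVIEWED));
```

Pinning only works for vendor files served at versioned, immutable URLs; a script the vendor updates in place has to be self-hosted from a reviewed copy instead.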
Broader Impact
This incident highlights the persistent threat of third-party dependencies in Web3. While Polymarket acted quickly, repeated security lapses could erode user trust. Other prediction markets and dApps face similar risks if they rely on centralized vendor integrations. The attack may prompt a shift toward more decentralized front-end architectures.
What to Watch Next
- Whether Polymarket discloses the vendor and implements stricter vetting or decentralized alternatives.
- Movement of the stolen ETH—if hackers attempt to launder through mixers or exchanges.
- Potential copycat attacks targeting other platforms with similar third-party front-end dependencies.
This article is for informational purposes only and does not constitute financial advice.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved.