Polymarket Confirms Front-End Supply-Chain Breach and Pledges Full Refunds After Malicious Script Drains User Funds

— By Tony Rabbit in News

Polymarket confirmed on June 25, 2026 that a compromised third-party vendor injected a malicious script into its front-end, tricking some users into approving transfers that drained their funds. Polymarket said it contained the incident and will refund affected users in full. On-chain analysts estimate roughly 3 million dollars in losses.

On June 25, 2026, the prediction market Polymarket confirmed that its website had been hit by a front-end supply-chain attack. According to Polymarket's own statement, a compromised third-party vendor injected a malicious script into the site for some users, prompting them to sign transactions that handed control of their funds to an attacker. Polymarket said it contained the incident, removed the affected dependency, and would refund affected users in full. Crucially, this was not a smart contract or oracle exploit. The platform's underlying contracts were not breached. The attack happened at the website layer, which is exactly why it matters for everyone who self-custodies their crypto.

What Polymarket confirmed

  • Polymarket officially confirmed a front-end breach via its verified X account on June 25, 2026.
  • A compromised third-party vendor injected a malicious script into the front-end for some users.
  • The script prompted affected users to approve transfers of pUSD, Polymarket's USDC-backed dollar token on Polygon.
  • Polymarket said it contained the incident, removed the dependency, and will refund affected users in full.
  • The smart contracts were not exploited. This was a website-layer attack.

What happened

Polymarket described the incident in a public statement, reproduced by outlets including Benzinga, Decrypt and Protos: "This morning we discovered a third-party vendor had been compromised, injecting a malicious script into our frontend for some users. We've contained it and removed the affected dependency. We're contacting impacted users and refunding them in full." In plain terms, a piece of software that Polymarket's website depended on was hijacked, and through it the attacker slipped malicious code onto the site that some visitors loaded. That code did not break Polymarket's contracts. Instead, it tricked users into signing approvals that let the attacker move their tokens.

A front-end attack, not a contract hack

This distinction is the whole story. In a contract exploit, attackers find a flaw in the on-chain code and drain a pool directly. Here, the contracts were fine. The weak link was the website, the layer between you and the blockchain. By compromising a third-party dependency, the attacker changed what the site asked users to sign, turning a routine interaction into a wallet-draining approval. This is a supply-chain attack, and it is increasingly common because the front-end is often softer than the audited contracts behind it.

It is also worth being precise about which Polymarket incident this is. It is separate from the May 2026 UMA CTF Adapter exploit on Polygon, a different event flagged by on-chain investigators, and from earlier disputes around the platform's oracle. For background on the platform itself, see our guide to Polymarket and prediction markets.

How much was taken

Polymarket did not publish a dollar figure, a victim count, or the name of the compromised vendor. The numbers circulating come from on-chain analysts, not from Polymarket, and should be read as estimates. On-chain security firms including PeckShield, Bubblemaps and Specter reported roughly 3 million dollars in pUSD drained from fewer than 15 wallets. Analysts also reported that the stolen pUSD was bridged from Polygon to Ethereum and swapped into ETH before being consolidated. Because Polymarket itself has not confirmed any of these figures, treat them as analyst estimates that may be revised as more is traced.

Why this matters even if your token is "safe"

The lesson here is uncomfortable but important: token and contract safety is necessary, but it is not enough. You can check a token for a honeypot, confirm the contract looks clean, and still lose funds if the website you connect to has been compromised and you approve a malicious transaction. The front-end is an attack surface in its own right. When the interface itself lies to you, the only defense left is scrutinizing exactly what your wallet is asking you to sign.

How to protect yourself from front-end and approval attacks

The takeaway

Polymarket appears to have responded quickly, containing the incident and committing to full refunds, which limits the damage to users. But the episode is a clear reminder that in crypto the website is part of your threat model. A compromised dependency can turn a trusted interface against you in seconds, and no contract audit will save you if you approve the malicious transaction yourself. Slow down on every signature, keep approvals tight, and treat unexpected prompts as hostile until proven otherwise. This is a developing story and the figures attributed to analysts may change. This article is for information only and is not financial advice.