- Polymarket will fully reimburse users after a $3 million frontend exploit hit fewer than 15 accounts.
- Hackers used a compromised third-party provider to install malicious code and steal pUSD tokens.
- The latest exploit follows a separate $700,000 admin wallet breach disclosed by Polymarket last month.
Polymarket has confirmed that it will fully refund users affected by a website exploit that resulted in the loss of about $3 million in digital assets after attackers compromised one of the platform’s third-party service providers. The incident exposed a vulnerability in the prediction market’s website frontend that allowed hackers to add malicious code targeting user wallets.
While the company said the issue has been contained and removed, the attack marks the second security incident involving Polymarket in less than two months, showing repeated threats affecting systems outside its core prediction market infrastructure.
Third-Party Breach Enabled Frontend Attack
According to Polymarket, the attackers gained access through a compromised third-party vendor rather than the platform’s core systems. The breach allowed malicious code to be injected into the website’s frontend, creating an opportunity for hackers to drain user funds.
Blockchain analysis indicated that fewer than 15 accounts were affected during the attack. The stolen assets primarily consisted of pUSD, Polymarket’s USDC-backed stablecoin. After withdrawing the funds, the attackers swapped most of the stolen pUSD for Ether.
The company stated that the vulnerability has been fixed and removed from the website. It also confirmed that every affected user will receive a full refund for the losses linked to the exploit. However, Polymarket did not identify the third-party provider involved in the breach and declined to comment further on the incident.
Second Security Incident in Two Months
The website exploit follows another security event disclosed by Polymarket last month. In that incident, an administrative wallet used to fund employee rewards was compromised through what developers later described as an exposed private key.
Initial estimates placed the losses at approximately $520,000 before later blockchain tracking raised the figure to about $700,000. Developer Josh Stevens said the compromised key had been in use for 6 years before being exposed through an internal configuration issue. The company responded by rotating credentials and moving to key management services.