
Polymarket Frontend Attack: $3M Drained via Third-Party Script Compromise

$3M in PUSD was drained from Polymarket users after a third-party vendor injected malicious frontend code; impacted users are set for refunds.

AUTOSEC.DEV
  • Incident Date: June 25, 2026
  • Target: Polymarket users
  • Target Overview: Polymarket is a prediction market platform where users trade event-based markets. The reported incident affected a subset of users interacting with Polymarket's web frontend, not a confirmed vulnerability in Polymarket's smart contracts.
  • Total Loss: Approximately $3 million in PUSD
  • Reported Consolidation Address: 0xe65b1C586757c5510B60F998Eebb14C1eF71E1eD
  • Attack Vector: Front-end hijack / third-party script compromise / supply chain attack

Incident Review & Technical Details

1. Attack Path

  1. A third-party vendor became the entry point: Polymarket said a third-party vendor had been compromised, allowing a malicious script to reach the frontend for some users. Public reporting did not identify the vendor at the time of writing.
  2. The injected script targeted connected wallets: According to OurCryptoTalk and CryptoTimes, the malicious frontend code targeted PUSD, Polymarket's collateral asset on Polygon, and appears to have relied on malicious approvals or signature prompts rather than a smart-contract exploit.
  3. User wallets were drained on Polygon: On-chain investigator Specter reportedly estimated approximately $2.94 million in PUSD drained from at least 11 wallets. For article consistency, this report uses the rounded canonical loss figure of approximately $3 million.
  4. Funds moved from Polygon to Ethereum: PeckShieldAlert, as cited by CryptoTimes, reported that the attacker bridged the stolen funds from Polygon to Ethereum and swapped them into roughly 1,893 ETH.
  5. ETH was consolidated into one main address: Public reporting identified 0xe65b...E1eD as the primary consolidation wallet, with roughly 1,892.92 ETH observed shortly after the swaps.
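As an added example (not code from Polymarket, the cited researchers, or AUTOSEC.DEV), the following Node.js script shows how a defender would triage the approval-based drain pattern described in steps 2 and 3: it scans a wallet's ERC-20 Approval event logs for allowances granted to spenders outside a known-good list, flags effectively unlimited allowances, and builds the approve(spender, 0) calldata a user would sign to revoke them. The token, wallet and spender addresses and the log entries are constructed placeholders, not PUSD or real Polygon data; the Approval topic and approve selector are the standard ERC-20 values, so the same triage applies to any ERC-20 collateral token, not just PUSD.

```javascript
// Added example (not Polymarket's or AUTOSEC.DEV's code): triage ERC-20 Approval
// events from a victim wallet's logs to find allowances granted to unknown spenders,
// and build the calldata for an approve(spender, 0) revocation.
// Token, wallet and spender addresses below are constructed placeholders, not PUSD.
"use strict";

// keccak256("Approval(address,address,uint256)") -- the standard ERC-20 event topic
const APPROVAL_TOPIC =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
// 4-byte selector of approve(address,uint256)
const APPROVE_SELECTOR = "0x095ea7b3";
// Allowances at or above 2^255 are treated as "effectively unlimited"
const UNLIMITED_THRESHOLD = 1n << 255n;

// Decode a 32-byte ABI word holding an address into "0x" + 40 lowercase hex chars
function topicToAddress(topic) {
  return "0x" + topic.slice(-40).toLowerCase();
}

// Return approvals on `tokenAddress` whose spender is not in `knownSpenders`
function findRiskyApprovals(logs, { tokenAddress, knownSpenders }) {
  const token = tokenAddress.toLowerCase();
  const known = new Set(knownSpenders.map((a) => a.toLowerCase()));
  const findings = [];
  for (const log of logs) {
    if (log.address.toLowerCase() !== token) continue;
    if (log.topics.length !== 3 || log.topics[0] !== APPROVAL_TOPIC) continue;
    const owner = topicToAddress(log.topics[1]);
    const spender = topicToAddress(log.topics[2]);
    const allowance = BigInt(log.data); // uint256 value in the data word
    if (known.has(spender) || allowance === 0n) continue; // known-good or already revoked
    findings.push({
      owner,
      spender,
      allowance,
      unlimited: allowance >= UNLIMITED_THRESHOLD,
      blockNumber: log.blockNumber,
      txHash: log.transactionHash,
    });
  }
  return findings;
}

// Calldata for approve(spender, 0): selector + left-padded address word + zero word
function revokeCalldata(spender) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const zero = "0".repeat(64);
  return APPROVE_SELECTOR + addr + zero;
}

// --- constructed sample logs (placeholders, not real chain data) ---
const TOKEN = "0x1111111111111111111111111111111111111111";    // placeholder collateral token
const VICTIM = "0x2222222222222222222222222222222222222222";   // placeholder user wallet
const EXCHANGE = "0x3333333333333333333333333333333333333333"; // legitimate, known spender
const DRAINER = "0x4444444444444444444444444444444444444444";  // unknown spender

const pad = (a) => "0x" + a.slice(2).toLowerCase().padStart(64, "0");
const SAMPLE_LOGS = [
  // normal bounded approval to a known spender: 1000 tokens with 6 decimals
  { address: TOKEN, topics: [APPROVAL_TOPIC, pad(VICTIM), pad(EXCHANGE)],
    data: "0x" + (1000n * 10n ** 6n).toString(16).padStart(64, "0"),
    blockNumber: 100, transactionHash: "0xaaa1" },
  // unlimited approval (2^256 - 1) to an unknown spender: the pattern to revoke
  { address: TOKEN, topics: [APPROVAL_TOPIC, pad(VICTIM), pad(DRAINER)],
    data: "0x" + "f".repeat(64), blockNumber: 101, transactionHash: "0xbbb2" },
];

const risky = findRiskyApprovals(SAMPLE_LOGS, { tokenAddress: TOKEN, knownSpenders: [EXCHANGE] });
for (const f of risky) {
  console.log(`${f.owner} -> ${f.spender} unlimited=${f.unlimited} revoke=${revokeCalldata(f.spender)}`);
}
```

In practice the log entries come from an eth_getLogs query filtered on the token contract, the Approval topic, and the victim address as the indexed owner; the script's output is the list of spenders a user should revoke and the exact calldata to do it, which is what a "verified list of approvals to review and revoke" amounts to.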

2. Impact Scope

  • User-Level Loss: The reported loss was approximately $3 million in PUSD from affected user wallets.
  • Affected Asset: PUSD on Polygon, described by OurCryptoTalk as Polymarket's collateral token introduced in the platform's April 2026 upgrade and backed 1:1 by USDC.
  • Affected Surface: The compromised surface was the browser-delivered frontend dependency path, not a confirmed break in Polymarket's on-chain market contracts.
  • Victim Count: Specter reportedly identified at least 11 affected wallets; the final victim count had not been fully published in the reviewed sources.
  • Fund-Flow Risk: The bridge to Ethereum and conversion into ~1,893 ETH created a faster-moving recovery problem, although the consolidation address remained publicly traceable in early reporting.
  • Ecosystem Contagion: No PUSD backing failure, protocol insolvency, market-wide settlement failure, or broader DeFi contagion was reported in the reviewed sources.

3. Official Statements

  • Polymarket Traders: The Polymarket Traders X account said the team discovered a compromised third-party vendor on June 25, 2026, contained the issue, removed the affected dependency, and would contact impacted users for full refunds.
  • CryptoTimes: CryptoTimes reported that PeckShieldAlert amplified the incident and described the Polygon-to-Ethereum bridge plus ~1,893 ETH swap path.
  • OurCryptoTalk: OurCryptoTalk reported the same third-party vendor compromise, the approximate $2.94 million PUSD loss estimate, at least 11 affected wallets, and the 0xe65b...E1eD consolidation address.
  • Protos: Protos described the incident as a frontend hack targeting Polymarket's third-party vendor path and resulting in approximately $3 million stolen from users.

4. Investigation Progress

The public evidence points to a Web2 supply-chain failure monetized through Web3 wallet permissions. The open questions are the compromised vendor's identity, the exact malicious script behavior, the full affected-user list, and whether any other production frontend dependencies shared the same trust path.

Recommended response steps for Polymarket-style dapps:

  • Publish a final incident timeline covering vendor compromise, script injection, first malicious transaction, containment, dependency removal, and reimbursement status.
  • Disclose the affected dependency, script URL or package identity, integrity controls in place before the incident, and the post-incident control changes.
  • Provide users with a verified list of addresses, approvals, or signatures to review and revoke.
  • Reconstruct representative victim flows to determine whether the drain relied on token approvals, permit-style signatures, transaction substitution, or another wallet-interaction pattern.
  • Add production safeguards for third-party scripts, including strict Content Security Policy, Subresource Integrity where feasible, dependency pinning, build provenance, script allowlisting, and frontend behavior monitoring.
  • Continue tracing the ~1,893 ETH consolidation path and coordinate with exchanges, bridges, analytics providers, and law-enforcement contacts if funds move toward cash-out venues.

AUTOSEC.DEV Solution

The Polymarket incident shows how a trusted Web3 frontend can become the drain path when third-party browser code is allowed to touch wallet interactions.

  1. Attack Surface Analysis - The reported compromise came through a third-party vendor feeding code into Polymarket's frontend, not through a broken market contract. AUTOSEC.DEV maps external scripts, SaaS integrations, DNS and hosting paths, CI/CD dependencies, exposed build artifacts, and wallet-facing frontend trust boundaries so teams can see which outside systems can alter production transaction flows.
  2. Security Baseline Review - Because Polymarket said it removed an affected dependency after containment, the practical hardening work is dependency governance: script allowlists, CSP, release approvals, monitoring, secrets hygiene, and emergency rollback procedures. We review those controls against the exact assets users sign through, including wallet connection flows and approval prompts.
  3. Incident Response - For active user-drain incidents involving PUSD, Polygon-to-Ethereum bridging, and a public consolidation wallet, response has to combine frontend forensics with on-chain tracing. AUTOSEC.DEV supports malicious-script scoping, user-impact reconstruction, approval-revocation guidance, exchange and bridge notification packages, and post-incident remediation validation.
