
26.06.2026
11:25

Polymarket compensates $3 million after attack through a compromised contractor: incident analysis

What is Polymarket

The prediction market platform Polymarket has officially announced full compensation for user losses resulting from a cyberattack carried out through the compromise of a third-party vendor. According to on-chain analysts, the damage amounted to approximately $3 million. The incident once again raises questions about the security of decentralized applications, particularly regarding their reliance on external infrastructure providers.

Details of the Hack

According to a statement from the Polymarket team, a malicious script was injected into the platform's frontend for some users after a third-party contractor was compromised. The issue was contained, and the infected dependency was removed. Platform representative Connor Brandi confirmed the theft of funds but declined to comment further.

Analysts from PeckShield estimated the damage at $3 million, while a researcher under the pseudonym Specter put the figure at $2.94 million, noting that more than 11 wallets were affected. According to Bubblemaps, the attack impacted fewer than 15 accounts, and potential damage was largely limited. The attackers withdrew pUSD tokens, backed by USDC at a 1:1 ratio, through a smart contract on Polygon, then converted them into ETH and consolidated them at a single Ethereum address, where the funds remain at the time of writing.

Vulnerability — Not Smart Contracts, but the Interface

It is important to emphasize: the attack targeted the user interface, not Polymarket's underlying smart contracts. This means the protocol itself was not hacked — the issue lay in the trusted but poorly secured infrastructure of the contractor. The company has not yet disclosed which vendor was compromised or how long the malicious code was present on the site.

Recurring Pattern

This is already the third such incident in the past six months. In May 2026, Polymarket faced a compromise of a private key for a wallet used for internal operations, resulting in damage of about $700,000. In December 2025, the platform reported a hack of user accounts due to a vulnerability in a third-party provider. The systemic problem is obvious: Polymarket repeatedly falls victim to attacks not through its own code, but through third parties, indicating insufficient auditing of external integrations.

Against the backdrop of increasingly frequent hacks of other protocols — Ekubo, THORChain, Verus, Echo, and Map Protocol — this incident serves as yet another reminder: in DeFi, the security of the software supply chain is becoming a critical factor that cannot be ignored.

My analysis: Compensating for losses is the right but belated step. Polymarket needs to radically overhaul its policy for working with contractors and implement mandatory auditing of all external dependencies. Otherwise, the platform's reputation, especially ahead of potential regulatory pressure, will be completely undermined. The prediction market is too valuable to risk due to negligence in vendor selection.