Polymarket compensates users for losses after a hack through a contractor: damages estimated at $3 million

The decentralized prediction platform Polymarket has announced full reimbursement of losses to users affected by an attack carried out through the compromise of a third-party contractor. According to on-chain analysts, the stolen funds totaled approximately $3 million.
The incident was discovered in the morning when the platform team detected that a malicious script had been injected into the frontend for some users. In a statement, Polymarket representatives clarified that the issue is localized, the affected dependency has been removed, and all affected users will receive full reimbursement.
Attack Details
According to data from the analytical platform PeckShield, attackers withdrew the stablecoin pUSD, backed by USDC at a 1:1 ratio on the Polygon network, from user wallets. The funds were then exchanged for ETH and moved to a single Ethereum address, where they remained at the time of writing. An analyst under the pseudonym Specter estimated the losses at $2.94 million and recorded more than 11 compromised wallets.
Bubblemaps confirmed that the attack affected fewer than 15 accounts and published some of the victims' addresses. The incident affected only the user interface; Polymarket's smart contracts remained untouched. The company has not yet disclosed which contractor was hacked or how long the malicious code was present on the site.
Recurring Security Issue
This is the second security incident for Polymarket in recent months. In May, the platform faced a compromise of the private key of a wallet used for internal operations, resulting in damages of approximately $700,000, although user funds were not affected at that time. In December 2025, there was also a hack of accounts through a vulnerability in a third-party provider — exact figures and the contractor's name were not disclosed.
My analysis: Recurring incidents involving third-party contractors point to a systemic problem in supply chain management in DeFi. Polymarket needs not only to strengthen internal security but also to implement strict audits for all external integrations. Otherwise, user trust, which has already been undermined, will continue to decline, and this is critical for a platform dealing with real money.