26.06.2026
12:11

Polymarket takes responsibility: full reimbursement of losses after hack through contractor

The decentralized prediction market platform Polymarket has officially announced full reimbursement of funds to affected users following a recent attack on the client side of its website. The incident resulted from the compromise of a third-party contractor, which allowed attackers to inject a malicious script into the interface for some visitors. According to on-chain analysts, the damage amounted to approximately $3 million.

Attack Details: Not Smart Contracts, but the Frontend

According to the team's statement, the issue was quickly contained and the infected dependency was removed. The attack affected only the user interface, not Polymarket's underlying smart contracts. This means that the core logic of the prediction markets and the funds stored in the protocol remained untouched. The attackers focused on a phishing scheme targeting users' wallets.

An analyst under the pseudonym Specter recorded the withdrawal of funds from more than 11 wallets totaling approximately $2.94 million. The stolen pUSD tokens, which, according to the platform's documentation, are backed by USDC at a 1:1 ratio via an on-chain contract on Polygon, were converted into ETH and collected at a single Ethereum address, where the funds still remained at the time of writing.

Alarming Trend: Third Incident in Six Months

This is not the first time Polymarket has faced security issues through third parties. In May 2026, the platform had already reported the compromise of a private key for internal operations, resulting in a loss of about $700,000. And in December 2025, user accounts were hacked due to a vulnerability at another provider. The fact that this is the third similar episode in the last six months raises serious questions about the platform's audit processes and its risk management when selecting contractors.

My Analysis: Polymarket demonstrates the right approach by promptly taking financial responsibility. However, the recurring nature of attacks through contractors points to a systemic problem in software supply chain management. For a decentralized platform claiming to be a leader in the prediction market space, the lack of an isolated environment for third-party code and a formal process for verifying updates is a vulnerability that will be exploited again until it is addressed at the architectural level.