26.06.2026
12:57

Polymarket takes responsibility for a hack carried out through a contractor: compensation for losses and a warning signal for DeFi

What is Polymarket

The decentralized prediction platform Polymarket has officially announced full reimbursement of all losses for users affected by a recent attack. The incident, as it turned out, was linked to the compromise of a third-party contractor, which led to the injection of a malicious script into the user interface. According to preliminary data from on-chain analysts, the total damage amounted to approximately $3 million.

Polymarket representatives clarified that the attack was contained and the infected code was removed. The team contacted each affected user and guaranteed a full refund. However, details about which specific contractor was compromised and how long the malicious script remained active have not yet been disclosed.

Attack Details: How Attackers Withdrew Funds

According to data from the analytical service PeckShield, the attackers managed to withdraw approximately $3 million in pUSD tokens from the wallets of affected users. An analyst under the pseudonym Specter clarified that at least 11 wallets were affected, with exact losses totaling around $2.94 million. After withdrawing the funds, the attackers converted pUSD into ETH and consolidated all assets on a single Ethereum address, where they remain as of the time of this analysis. It is important to emphasize: the attack affected only the platform's frontend interface, not its smart contracts.

According to Bubblemaps, the number of affected accounts does not exceed 15, suggesting that the attack was targeted rather than widespread. Nevertheless, the fact that the vulnerability emerged through a trusted contractor raises serious questions about security processes within the Polymarket ecosystem.

Systemic Issue: Third Incident in Six Months

This is not the first time Polymarket has faced compromise through third-party services. In May 2026, the platform reported a leak of a private key for a wallet used for internal operations, resulting in $700,000 in damages. In December 2025, there was a hack of user accounts due to a vulnerability in another third-party provider. Thus, the current attack is the third such episode in the past six months, pointing to a chronic problem in risk management related to external counterparties.

Against the backdrop of recent hacks of other protocols (Ekubo, THORChain, Verus), this incident serves as another reminder that even large and popular DeFi platforms are not immune to supply chain attacks. Polymarket acted correctly by taking responsibility and promising reimbursement, but restoring user trust will require more systemic measures for auditing and monitoring all integrations.

Expert Opinion: Polymarket demonstrates a responsible approach by promptly reimbursing damages. However, three incidents in six months is a worrying signal. The market needs not just "hot" fixes, but a fundamental restructuring of security processes, especially regarding work with contractors. Users should temporarily increase vigilance when interacting with the platform until more reliable protection mechanisms are implemented.