Polymarket Third-Party Vendor Compromise Drains $2.9M from Users
A third-party vendor compromise discovered Thursday allowed attackers to inject a malicious script into Polymarket's frontend, enabling a phishing attack that drained an estimated $2.94 million from at least 11 user wallets. Polymarket posted on X that it has contained the compromise, removed the affected dependency and will fully refund affected users.
DefiLlama counted the incident as the 89th crypto security breach of the second quarter, extending the quarter’s record for incident count. Exploit losses for June rose to $74.9 million across 29 reported incidents, topping May’s $60.5 million but remaining far below April’s $644 million.
The largest June incidents included a $36 million Humanity Protocol exploit, a $4.7 million Secret Network bridge exploit, two $2.1 million Aztec exploits and a $1.7 million bridge exploit on Taiko. Over the past 30 days, private key compromises accounted for 43% of reported exploit losses, followed by fake proofs at 10% and reverse MEV honeypots at 8%.