Users of the prediction market platform Polymarket who were impacted by a website exploit that led to the theft of about $3 million in cryptocurrency assets will receive full reimbursement from Polymarket. The company says the incident was not caused by an issue with the platform's underlying architecture, but by malware that was added to the platform's front end through a compromised third-party vendor.
The malicious script was distributed to only a few selected individuals. It allowed the attacker to drain funds from users' wallets while they interacted with the affected front end. Polymarket then said it had identified the cause of the issue, isolated the dependency and begun contacting the affected users.
“Our team discovered that a third-party vendor had been compromised, injecting a malicious script into our frontend for some users,” the company said in a statement. “We’ve contained it, removed the affected dependency, and are refunding impacted users in full.”
An estimated fewer than 15 user accounts were affected by the attack. Polymarket's pUSD stablecoin, which the attacker bridged from Polygon to Ethereum before exchanging it for about 1,893 ETH, made up the majority of the stolen assets.
Security researchers characterised the event as a supply chain attack rather than a direct breach of Polymarket's smart contracts. The distinction indicates that the platform's core protocol was unaffected; instead, the attack used compromised third-party code on the website to target customers.
Although the firm says the vulnerability has been patched, there is no information on which vendor was compromised. Polymarket has not conducted a full technical analysis of the attack either.
The incident comes less than two months after another security problem, which involved a company-controlled wallet used to distribute user rewards. A compromised private key was allegedly the cause of that earlier incident, which led to losses of about $700,000.
The current incident underscores the growing risks associated with third-party software dependencies. Although Polymarket's willingness to compensate impacted users may help restore confidence, supply chain attacks are becoming a major security concern for the crypto sector, which depends more and more on outside service providers.


