Polymarket users lose nearly $3 million in website supply-chain attack
The crypto prediction market Polymarket says attackers stole close to $3 million from users after compromising a third-party vendor and injecting a malicious script into the platform's website. The script ran on the live site and prompted users who connected their wallets to approve transactions that drained their funds; researchers traced roughly $2.94 million taken from around a dozen accounts and bridged to Ethereum. Because the code arrived through a trusted frontend dependency rather than through Polymarket's own systems, it executed with the same trust as the platform's own code and gave users no visible cue that anything was wrong. Polymarket removed the dependency, contained the incident, and pledged full refunds. It was the platform's second security incident in two months.
- Check: Inventory the third-party scripts and dependencies your web frontends load, and confirm you would detect an unauthorized change to any of them before users did. Users should treat an unexpected wallet-signing or approval prompt as a red flag and read what the wallet says they are approving before confirming.
- Affected: Web platforms that load third-party frontend dependencies, and their users. A single compromised vendor can inject wallet-draining or credential-stealing code that runs as trusted, first-party code in the browser.
- Fix: Pin third-party scripts with Subresource Integrity and fail closed when the hash does not match, monitor the served frontend code for unauthorized changes, vet and minimize vendor dependencies, and warn users to scrutinize every wallet-signing or credential prompt. Note that SRI only covers scripts referenced by URL in your own pages; vendor code bundled into your build is pinned through your lockfile's integrity hashes instead, and scripts that a vendor script loads on its own are not covered by either.