June 29, 2026 ChainGPT

Polymarket Frontend Hack Estimated at $3.1M After Phishing Script Exploited EIP‑7702

Polymarket’s security headache just got worse: blockchain monitors now estimate the total loss from the platform’s recent frontend attack at about $3.1 million.

What happened

- AMLBot updated its estimate to ~$3.1M, up from earlier figures near $2.94M. The firm says thieves took PUSD from 11 Polygon wallets, quickly bridged the funds to Ethereum and converted them into roughly 1,893 ETH.
- Security trackers (Specter Analyst, PeckShield) have characterized the incident as a phishing-style frontend compromise that used malicious EIP-7702 delegated-execution code to trick users into approving harmful wallet activity. The attacker then routed the proceeds through bridges and swaps to consolidate funds on Ethereum.

Polymarket’s response

- On June 25 Polymarket said a third‑party vendor had been compromised, allowing attackers to inject malicious script into the site for some users. The company says it has removed the affected dependency, contained the incident and is contacting and “refunding [affected users] in full.”
- The platform emphasized the breach targeted the website frontend — not its on‑chain protocol — highlighting how browser‑loaded code can create dangerous wallet prompts even when the site appears normal.

Why this matters

- Frontend and third‑party dependencies are increasingly a weak link: smart contracts may be intact, but external libraries or vendor code can expose connected wallets to risk.
- The attack is part of a broader surge in crypto security incidents: DefiLlama logged this event as one of the quarter’s many breaches, contributing to Q2 becoming the most incident‑heavy period on record.
- Polymarket has a recent history of security and account concerns (a March flagged issue on Polygon contracts and a December Discord incident), which, combined with the current breach, puts added pressure on the company.

Regulatory backdrop

- The hack comes as Polymarket faces heightened regulatory and legal scrutiny. Senators Adam Schiff and John Curtis have asked the CFTC to investigate alleged deceptive advertising practices — including possible use of simulated trading sites, staged transactions and undisclosed influencer promotions.
- Separately, Polymarket and rival Kalshi are embroiled in litigation over sports‑linked event contracts. Kentucky has accused prediction markets of unlicensed sports betting, while the CFTC maintains such event contracts fall under federal derivatives oversight. These cases could help determine whether sports prediction markets are regulated as derivatives or as gambling.

What to watch

- Whether Polymarket follows through on full refunds and how long reimbursements take.
- Any tracking or recovery efforts by on‑chain observers and law enforcement.
- Broader industry reactions on vendor audits, frontend security practices, and whether regulators use this incident to press for tighter oversight.

Practical reminder for users: when connecting wallets, scrutinize approval prompts, limit token approvals, and review recently granted permissions. Frontend compromises are hard to spot — vigilance and minimal exposure remain essential.
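
For the EIP-7702 part of "review recently granted permissions", the following is an added example, not code from the article, Polymarket or the firms it cites. It classifies the code string a node returns for a wallet address, using the `0xef0100` + 20-byte-address delegation designator defined by EIP-7702, and flags delegations to contracts outside an allowlist; the allowlist, function names and sample addresses are constructed for illustration.

```javascript
// Added example: classify the code stored at a wallet address.
// EIP-7702 records a delegation as account code of exactly 23 bytes:
// the prefix 0xef0100 followed by the delegate contract's 20-byte address.
const DELEGATION_PREFIX = "ef0100";

// Hypothetical allowlist of delegates the wallet owner recognizes
// (constructed value, not a real deployment).
const TRUSTED_DELEGATES = new Set(["0x" + "11".repeat(20)]);

function classifyAccountCode(codeHex) {
  if (typeof codeHex !== "string" || !/^0x([0-9a-fA-F]{2})*$/.test(codeHex)) {
    throw new TypeError("expected 0x-prefixed hex bytes");
  }
  const code = codeHex.slice(2).toLowerCase();
  if (code.length === 0) {
    return { kind: "eoa", delegate: null }; // plain account, no delegation
  }
  if (code.length === 46 && code.startsWith(DELEGATION_PREFIX)) {
    return { kind: "delegated", delegate: "0x" + code.slice(6) };
  }
  return { kind: "contract", delegate: null }; // ordinary contract bytecode
}

// Flag an account whose delegation points at a contract the owner
// did not knowingly authorize.
function reviewAccount(address, codeHex, trusted = TRUSTED_DELEGATES) {
  const result = classifyAccountCode(codeHex);
  const flagged = result.kind === "delegated" && !trusted.has(result.delegate);
  return { address, ...result, flagged };
}

// Constructed samples: [wallet address, code string returned for it].
const SAMPLES = [
  ["0x" + "aa".repeat(20), "0x"],
  ["0x" + "bb".repeat(20), "0xef0100" + "11".repeat(20)],
  ["0x" + "cc".repeat(20), "0xEF0100" + "22".repeat(20)],
  ["0x" + "dd".repeat(20), "0x6080604052"],
];

function reviewAll(samples) {
  return samples.map(([address, code]) => reviewAccount(address, code));
}

for (const r of reviewAll(SAMPLES)) {
  console.log(r.address, r.kind, r.delegate ?? "-", r.flagged ? "REVIEW" : "ok");
}
```

The code string comes from an `eth_getCode` JSON-RPC call for the wallet address on each chain where the wallet is used. Under EIP-7702, a delegation is cleared by authorizing the zero address, which resets the account's code to empty.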