Polymarket has confirmed that attackers compromised a 3rd celebration vendor and used the entry to inject malicious code into the platform’s frontend, resulting in a phishing assault that drained an estimated $2.94 million from customers.
Abstract
- Polymarket mentioned a 3rd celebration vendor compromise enabled a phishing assault that stole about $2.94 million from no less than 11 consumer wallets.
- The platform eliminated the malicious dependency, contained the incident and mentioned all affected customers will obtain full refunds.
- DefiLlama recorded the assault because the 89th crypto safety breach of the second quarter, the very best quarterly complete by incident depend on its data.
Polymarket disclosed on X that it has eliminated the affected dependency, contained the incident, and can totally reimburse affected customers.
Blockchain analyst Specter estimated that the assault drained funds from no less than 11 wallets after the malicious script appeared on the platform’s frontend.
Frontend compromise targets consumer wallets
Specter recognized the assault as a phishing marketing campaign fairly than a protocol exploit. The analyst mentioned the injected script enabled attackers to steal funds from linked wallets after customers interacted with the compromised interface.
DefiLlama recorded the incident because the 89th reported crypto safety breach of the second quarter, making it the very best quarterly complete by incident depend within the platform’s data.
DefiLlama additionally reported $74.9 million in losses throughout 29 crypto exploits throughout June. That complete exceeded Might’s $60.5 million however remained properly beneath April’s $644 million.
The platform listed the $36 million Humanity Protocol exploit as June’s largest assault. Different main incidents included a $4.7 million exploit involving the Secret Community bridge, two separate $2.1 million exploits affecting Aztec, and a $1.7 million bridge exploit on Taiko.
DefiLlama reported that personal key compromises accounted for 43% of exploit losses over the previous 30 days. Pretend proof exploits represented 10% of losses, whereas reverse MEV honeypots accounted for 8%.
Earlier exploit traced to compromised non-public key
Polymarket disclosed a separate safety incident a few month earlier after attackers exploited a six 12 months previous non-public key used for inner prime up operations and stole about $600,000.
Safety researchers, together with ZachXBT, PeckShield, and Bubblemaps, initially flagged suspicious exercise involving Polymarket’s UMA CTF Adapter contract on Polygon. Bubblemaps reported that attackers withdrew 5,000 POL each 30 seconds earlier than estimating complete losses at roughly $600,000.
Polymarket protocol contributor Shantikiran Chanal later attributed that incident to a compromised pockets used for inner operations fairly than a vulnerability within the platform’s contracts or core infrastructure.
Josh Stevens, the corporate’s vp of engineering, said on the time that consumer funds and good contracts remained safe and that each one permissions linked to the compromised key had been revoked.
