Hackers exploited a third-party provider vulnerability to steal approximately $3 million in assets from fewer than 15 accounts.
Polymarket suffered a security breach after malicious code was injected into its website frontend via a third-party provider. Hackers stole about $3 million in user assets, primarily in the platform’s pUSD stablecoin, which was later converted to ETH. The incident affected fewer than 15 accounts, according to on-chain analysis.
This is the platform’s second security incident in nearly two months. Polymarket stated the vulnerability has been resolved and confirmed full reimbursement for affected users. The breach highlights ongoing risks in decentralized finance infrastructure despite prior security improvements.