Prediction market platform Polymarket lost $3.1 million after attackers breached a third-party frontend vendor and drained funds from 11 user wallets. The platform's own audited smart contrac
Prediction market platform Polymarket lost $3.1 million after attackers breached a third-party frontend vendor and drained funds from 11 user wallets.
The platform's own audited smart contracts remained intact throughout the incident.
According to a report, the stolen PUSD tokens were moved from Polygon (POL) to Ethereum (ETH) via a cross-chain bridge. Polymarket has not publicly named the compromised vendor.
Frontend vendor attacks target the web interface that connects users to a platform's underlying contracts. The smart contracts themselves hold and govern funds, but users interact through a browser-based layer built and maintained by third-party software providers.
In this case, attackers appear to have injected malicious code at that interface layer. Affected users who interacted with Polymarket's frontend during the attack window had their wallet approvals redirected. Eleven wallets lost funds before the compromise was detected.
The fact that smart contracts passed audits offers limited protection when the attack vector is upstream of the contract layer.
Polymarket has operated under elevated regulatory attention since the Commodity Futures Trading Commission began an investigation into the platform's US user access. The CFTC probe, which has been ongoing through 2026, centers on whether Polymarket's prediction markets constitute unregistered commodity contracts available to American users.
The platform attracted mainstream attention during the 2024 US election cycle, when its markets became widely cited in media coverage of presidential race odds. That visibility brought both user growth and regulatory scrutiny. The combination of an active CFTC investigation and a high-profile security incident creates compounded reputational pressure for the platform's operators.
Prediction market security has been a recurring concern in the sector. Frontend attacks are particularly difficult to prevent because they rely on compromising third-party suppliers rather than the core protocol. Several DeFi platforms have suffered similar supply-chain style compromises in the past two years.
Also Read: Micron Becomes Wall Street’s Next AI Obsession After 236% Rally
Polymarket has not confirmed whether affected users will receive compensation. The platform has also not disclosed the identity of the compromised vendor, which limits third-party security reviews of the attack chain.
The CFTC investigation adds a layer of complexity. Any public statement about the hack could intersect with ongoing regulatory proceedings. The stolen funds' movement to Ethereum via a bridge makes tracing possible in principle, though recoveries in frontend vendor exploits are rare without law enforcement involvement.
Read Next: HIVE Just Borrowed $115M At Zero Percent To Bet Against Bitcoin Mining
