In June 2026, Polymarket users lost an estimated $3 million in a supply chain attack. The attacker compromised a third-party vendor to insert malicious code into the Polymarket frontend.
Inside the Attack
Web3 projects combine smart contract backends with traditional Web2 frontends. While the focus is often on smart contract vulnerabilities, the Polymarket hack is an example of how attacks targeting the frontend can have on-chain effects as well.
In this case, the Polymarket attacker focused their efforts on a third-party vendor that the project used. By compromising this vendor, the attacker was able to insert malicious JavaScript code into the Polymarket frontend.
This malicious code was then served to users who visited the legitimate Polymarket site. Since these JavaScript components have access to user-provided information and the user’s view of the site, this type of supply chain attack can grant the attacker access to the user’s private key or the ability to trick them into creating and approving malicious transactions.
In this case, the attacker was able to steal an estimated $3 million in PUSD from at least eleven impacted wallets. These funds were transferred from Polygon to Ethereum via a cross-chain bridge, where they were swapped to approximately 1,893 ETH and consolidated into a single wallet. However, the PUSD peg remained steady throughout the incident.
Lessons Learned from the Attack
This Polymarket incident demonstrates the risks associated with reliance on third-party vendors. In this case, the attacker didn’t compromise Polymarket’s smart contracts or off-chain infrastructure. Instead, they targeted one of the project’s third-party vendors and introduced malicious code into one of the dependencies used by its Web2 frontend. When this dependency was loaded by the site and served to users, the malicious code took advantage of the provided access – and trust in the legitimate Polymarket site – to extract value from their wallets.
This type of threat is difficult to protect against since the attackers compromised a third-party environment outside of the organization’s control. However, organizations can take steps to monitor their exposure to these supply chain risks and identify suspicious modifications to third-party code trusted by their applications.
Halborn offers security advisory services that can help organizations assess their supply chain risk exposure early in the software development process and advise on solutions for minimizing and managing these risks. To learn more about how to protect your organization against supply chain threats, get in touch with Halborn.