Key facts
- Polymarket will fully refund users affected by a security exploit.
- A third-party vendor compromise led to the exploit.
- Hackers injected malicious code through the compromised vendor.
- An estimated $2.94 million was stolen.
- At least 11 user wallets were affected.
- Polymarket will cover all user losses.
- The incident involved a supply chain attack vector.

Prediction market platform Polymarket is initiating full refunds for users affected by a security breach that led to the theft of an estimated $2.94 million. The exploit occurred due to a compromise of a third-party vendor, which allowed hackers to inject malicious code into Polymarket's systems. This malicious code targeted at least 11 user wallets, resulting in the loss of funds.

Polymarket has committed to covering all user losses stemming from the incident. The platform's statement indicates that users will be fully reimbursed, ensuring they are not out of pocket due to the security failure. The exact methods used by the hackers to exploit the third-party vendor and subsequently access user wallets are still under investigation, but the injection of malicious code is confirmed.

The incident highlights the ongoing risks associated with supply chain attacks, where vulnerabilities in third-party software or services can have significant downstream consequences for end-users and platforms. Polymarket's decision to refund all users demonstrates a commitment to customer trust and security, even in the face of substantial financial loss.
