Polymarket Users Lose $3.1M PUSD in Front-End Script Attack; Funds Bridged to Ethereum

Polymarket Users Lose $3.1M PUSD in Front-End Script Attack; Funds Bridged to Ethereum

N
News Editor
2026-06-28 21:31:37
区块链情报公司 AMLBot 监测显示,Polymarket 用户在 Polygon 网络上因前端恶意脚本入侵,被盗走约 310 万美元 PUSD。攻击者利用 EIP-7702 委托执行诱导用户签署授权,随后将资金转换为 USDC.e 并桥接至以太坊,最终兑换为 ETH 并集中存储。目前约 1891.9 枚 ETH 分布在三个新钱包中。此次攻击手法与 2024 年 1inch 的 Lottie Player 库入侵事件类似,均源于第三方脚本被攻破。事件再次警示去中心化应用前端的安全性薄弱环节,用户需警惕恶意授权签名。
PolymarketSecurity breachFront-end scriptEIP-7702PolygonCross-chain bridgeFund trackingAMLBot

Incident Overview: $3.1 Million PUSD Drained

Blockchain intelligence firm AMLBot has detected a significant security incident targeting Polymarket users on the Polygon network. Attackers injected malicious scripts into the platform's front-end, siphoning approximately $3.1 million worth of PUSD tokens. Users were tricked into signing seemingly legitimate authorization transactions that actually triggered EIP-7702 delegation calls, resulting in complete wallet drainage.

Attack Vector: EIP-7702 Exploitation via Third-Party Script Compromise

AMLBot's analysis reveals that the attack hinged on a front-end script injection. The attackers compromised a third-party library or directly polluted Polymarket's webpage interface, embedding malicious code. When users performed routine interactions, the script prompted them to sign a set of contract approvals that leveraged the EIP-7702 standard, allowing external accounts to execute transactions on their behalf. Once signed, the attacker could transfer all assets from the victim's wallet to a predetermined address.

This technique mirrors a previous attack on 1inch in early 2024, where the Lottie Player animation library was compromised to inject wallet-draining scripts. Both incidents highlight the vulnerability of third-party dependencies in dApp front-end ecosystems.

Fund Flow Tracing: From Polygon to Ethereum

The stolen funds were quickly moved through cross-chain mechanisms. The attacker first swapped PUSD for USDC.e using the Relay protocol, then bridged the tokens to Ethereum mainnet. On Ethereum, the USDC.e was exchanged for ETH, which was subsequently consolidated into three newly created wallet addresses. As of the latest update, these wallets hold approximately 1,891.9 ETH, valued at roughly the same $3.1 million loss. AMLBot continues to monitor the movement of these addresses for any further distribution or exchange activity.

Industry Impact and Mitigation Recommendations

This incident serves as a stark reminder that front-end security is as critical as smart contract auditing. For dApps that require frequent user signatures—such as prediction markets, DEXes, and lending platforms—any compromise of external scripts can lead to catastrophic losses. Development teams should implement Strict Subresource Integrity (SRI) checks, self-host critical scripts, and deploy real-time front-end monitoring tools. On the user side, caution is paramount: avoid signing any authorization pop-ups without verifying the contract address and intended permissions. Hardware wallets should be used to isolate high-value assets, and transaction details must be carefully reviewed before confirmation.

Industry experts are calling for front-end security audits to become a standard part of the DeFi security stack. The adoption of EIP-7702 and similar features offers flexibility but also expands the attack surface. The Polymarket team has not issued an official statement yet, but a swift front-end security overhaul is expected. Investors and participants should remain vigilant and refrain from signing any transactions in an unsettled environment.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
700

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.