Incident Overview: $3.1 Million PUSD Drained
Blockchain intelligence firm AMLBot has detected a significant security incident targeting Polymarket users on the Polygon network. Attackers injected malicious scripts into the platform's front-end, siphoning approximately $3.1 million worth of PUSD tokens. Users were tricked into signing seemingly legitimate authorization transactions that actually triggered EIP-7702 delegation calls, resulting in complete wallet drainage.
Attack Vector: EIP-7702 Exploitation via Third-Party Script Compromise
AMLBot's analysis reveals that the attack hinged on a front-end script injection. The attackers compromised a third-party library or directly polluted Polymarket's webpage interface, embedding malicious code. When users performed routine interactions, the script prompted them to sign a set of contract approvals that leveraged the EIP-7702 standard, allowing external accounts to execute transactions on their behalf. Once signed, the attacker could transfer all assets from the victim's wallet to a predetermined address.
This technique mirrors a previous attack on 1inch in early 2024, where the Lottie Player animation library was compromised to inject wallet-draining scripts. Both incidents highlight the vulnerability of third-party dependencies in dApp front-end ecosystems.
Fund Flow Tracing: From Polygon to Ethereum
The stolen funds were quickly moved through cross-chain mechanisms. The attacker first swapped PUSD for USDC.e using the Relay protocol, then bridged the tokens to Ethereum mainnet. On Ethereum, the USDC.e was exchanged for ETH, which was subsequently consolidated into three newly created wallet addresses. As of the latest update, these wallets hold approximately 1,891.9 ETH, valued at roughly the same $3.1 million loss. AMLBot continues to monitor the movement of these addresses for any further distribution or exchange activity.
Industry Impact and Mitigation Recommendations
This incident serves as a stark reminder that front-end security is as critical as smart contract auditing. For dApps that require frequent user signatures—such as prediction markets, DEXes, and lending platforms—any compromise of external scripts can lead to catastrophic losses. Development teams should implement Strict Subresource Integrity (SRI) checks, self-host critical scripts, and deploy real-time front-end monitoring tools. On the user side, caution is paramount: avoid signing any authorization pop-ups without verifying the contract address and intended permissions. Hardware wallets should be used to isolate high-value assets, and transaction details must be carefully reviewed before confirmation.
Industry experts are calling for front-end security audits to become a standard part of the DeFi security stack. The adoption of EIP-7702 and similar features offers flexibility but also expands the attack surface. The Polymarket team has not issued an official statement yet, but a swift front-end security overhaul is expected. Investors and participants should remain vigilant and refrain from signing any transactions in an unsettled environment.

