Polymarket Users Lose $3.1M PUSD in Front-End Script Attack; Funds Traced to Three Wallets

Polymarket Users Lose $3.1M PUSD in Front-End Script Attack; Funds Traced to Three Wallets

N
News Editor
2026-06-28 18:31:27
Blockchain intelligence firm AMLBot reported on June 28 that Polymarket users on Polygon network were hit by a malicious front-end script injection, resulting in losses of approximately $3.1 million in PUSD. The attacker exploited the EIP-7702 delegation execution mechanism to trick users into signing authorization transactions, then drained their wallets. The stolen funds were converted to USDC.e via Relay, bridged to Ethereum, and finally swapped to ETH — currently ~1,891.9 ETH spread across three newly created wallets. AMLBot highlighted the similarity to the 2024 1inch front-end attack where the Lottie Player library was compromised. This incident underscores the vulnerability of third-party scripts in DeFi frontends and the need for stricter content security policies.

Attack Overview: $3.1M PUSD Drained

According to AMLBot, several Polymarket users on the Polygon network were affected by a malicious front-end script, losing approximately $3.1 million worth of PUSD. The attacker injected a malicious script into the dApp's front-end interface. When users interacted with the platform, the script induced them to sign what appeared to be legitimate authorization transactions but actually invoked the EIP-7702 delegation execution mechanism, allowing the attacker to empty the users' wallets completely.

Technical Breakdown: Malicious Script and EIP-7702

The core of the attack lies in the exploitation of EIP-7702, an account abstraction proposal that introduces delegation execution. The malicious script presented a fake authorization request that looked normal to users, including plausible gas estimates and contract interactions. Once the user signed, the attacker gained control over the wallet's assets. This method is more deceptive than traditional phishing because the signature payload mimics a standard interaction. The root cause is not a smart contract vulnerability but a compromised third-party library on the front-end.

Fund Flow: Cross-Chain Conversion and Distribution

The stolen PUSD was first converted to USDC.e via the Relay protocol, then bridged to the Ethereum mainnet. On Ethereum, all USDC.e was swapped to ETH, totaling approximately 1,891.9 ETH. The funds were subsequently concentrated into three newly created wallet addresses. AMLBot noted that the ETH has not moved further as of publication, likely awaiting laundering via mixers or centralized exchanges.

Historical Parallel: 2024 1inch Attack

AMLBot drew a direct comparison to the January 2024 attack on the 1inch web application. In that incident, attackers compromised the Lottie Player library's update channel, injecting a wallet-draining script into the 1inch front-end. Both cases highlight that centralized third-party scripts represent a critical attack surface in DeFi. Once a provider is breached, all dApps using that script become vulnerable.

Security Recommendations and Industry Impact

The incident reinforces the urgency of front-end security for dApps. Polymarket and similar platforms should enforce strict Content Security Policies (CSP), audit all third-party dependencies, and implement real-time signature validation. For users, it is advisable to manually verify the details of every signature — especially those involving terms like "delegate" or "approve" — and consider using hardware wallets that display raw signing data for greater transparency.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
800

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.