Polymarket Users Lose $3.1M in Front-End Script Attack; Technique Mirrors 2024 1inch Incident

Polymarket Users Lose $3.1M in Front-End Script Attack; Technique Mirrors 2024 1inch Incident

N
News Editor
2026-06-28 19:31:15
According to AMLBot monitoring, Polymarket users on Polygon network suffered a front-end malicious script intrusion, losing approximately $3.1 million in PUSD. The attack exploited EIP-7702 delegate execution to trick users into signing malicious authorizations. Stolen funds were converted via Relay to USDC.e, bridged to Ethereum mainnet, and swapped to ETH, currently held as 1,891.9 ETH across three new wallets. The method closely resembles the 2024 1inch attack where the Lottie Player library was compromised to inject wallet-draining scripts, highlighting the persistent threat of third-party front-end dependencies in DeFi.
Polymarketfront-end attackmalicious scriptEIP-7702on-chain securityphishing attackAMLBotPolygon

Attack Overview

According to blockchain intelligence firm AMLBot, several users of the decentralized prediction market platform Polymarket have fallen victim to a front-end malicious script attack on the Polygon network, losing approximately $3.1 million in PUSD. The attacker injected malicious JavaScript code into Polymarket's front-end page. When users connected their wallets and initiated transactions, the script tricked them into signing what appeared to be legitimate authorization transactions. In reality, these transactions invoked a malicious contract call leveraging EIP-7702 delegate execution functionality. This allowed the attacker to drain the users' PUSD tokens without further confirmation. The stolen funds were subsequently converted to USDC.e via the Relay cross-chain bridge, bridged to Ethereum mainnet, and finally swapped to ETH. The ETH has been consolidated into three newly created wallets, currently holding approximately 1,891.9 ETH in total.

Technical Analysis of the Attack

EIP-7702 is an Ethereum Improvement Proposal that allows externally owned accounts (EOAs) to temporarily acquire contract code within a single transaction, enabling delegate execution. The attacker crafted a specially designed EIP-7702 transaction that caused the user's wallet to unintentionally authorize a malicious contract for token transfers. This technique is strikingly similar to the 2024 attack on 1inch's web application, where the attacker exploited a vulnerability in the third-party Lottie Player animation library, injecting wallet-draining scripts into its released version. Any user visiting the 1inch frontend had their wallet assets stolen. AMLBot notes that this Polymarket incident once again demonstrates that third-party front-end dependencies have become a weak link in the DeFi security chain. The attacker likely compromised a CDN package or JavaScript library referenced by Polymarket's frontend, replacing it with a malicious version to achieve 'frontend poisoning' of a legitimate website.

Stolen Asset Tracking and Current Status

On-chain data reveals that the stolen PUSD was first converted to USDC.e via Relay, then bridged to Ethereum mainnet. On Ethereum, USDC.e was swapped to ETH, and after multiple splits and consolidations, the funds were finally deposited into three newly created addresses. As of this writing, these three addresses collectively hold approximately 1,891.9 ETH, worth nearly $4 million (subject to ETH price fluctuations). No further money laundering activity has been detected yet, and the attacker's identity remains unknown. AMLBot continues to monitor the related addresses.

Security Recommendations

This event once again sounds the alarm: front-end security is one of the most overlooked yet highly destructive risks in the DeFi ecosystem. For users, it is strongly recommended to always use hardware wallets and carefully review transaction details—especially contract addresses and function calls—before signing any transaction. Security plugins such as Scam Sniffer and Pocket Universe can help identify malicious authorizations. Additionally, users should regularly check token approvals on Etherscan or use tools like Revoke.cash to revoke unnecessary allowances. For project teams, strict third-party dependency review mechanisms should be implemented, including Content Security Policy (CSP) and Subresource Integrity (SRI) checks. Self-hosting critical libraries or using whitelist CDNs is also advisable. Furthermore, establish an emergency response plan so that frontend services can be suspended immediately and users notified upon detection of any abnormal frontend behavior.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
800

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.