Attack Overview
According to blockchain intelligence firm AMLBot, several users of the decentralized prediction market platform Polymarket have fallen victim to a front-end malicious script attack on the Polygon network, losing approximately $3.1 million in PUSD. The attacker injected malicious JavaScript code into Polymarket's front-end page. When users connected their wallets and initiated transactions, the script tricked them into signing what appeared to be legitimate authorization transactions. In reality, these transactions invoked a malicious contract call leveraging EIP-7702 delegate execution functionality. This allowed the attacker to drain the users' PUSD tokens without further confirmation. The stolen funds were subsequently converted to USDC.e via the Relay cross-chain bridge, bridged to Ethereum mainnet, and finally swapped to ETH. The ETH has been consolidated into three newly created wallets, currently holding approximately 1,891.9 ETH in total.
Technical Analysis of the Attack
EIP-7702 is an Ethereum Improvement Proposal that allows externally owned accounts (EOAs) to temporarily acquire contract code within a single transaction, enabling delegate execution. The attacker crafted a specially designed EIP-7702 transaction that caused the user's wallet to unintentionally authorize a malicious contract for token transfers. This technique is strikingly similar to the 2024 attack on 1inch's web application, where the attacker exploited a vulnerability in the third-party Lottie Player animation library, injecting wallet-draining scripts into its released version. Any user visiting the 1inch frontend had their wallet assets stolen. AMLBot notes that this Polymarket incident once again demonstrates that third-party front-end dependencies have become a weak link in the DeFi security chain. The attacker likely compromised a CDN package or JavaScript library referenced by Polymarket's frontend, replacing it with a malicious version to achieve 'frontend poisoning' of a legitimate website.
Stolen Asset Tracking and Current Status
On-chain data reveals that the stolen PUSD was first converted to USDC.e via Relay, then bridged to Ethereum mainnet. On Ethereum, USDC.e was swapped to ETH, and after multiple splits and consolidations, the funds were finally deposited into three newly created addresses. As of this writing, these three addresses collectively hold approximately 1,891.9 ETH, worth nearly $4 million (subject to ETH price fluctuations). No further money laundering activity has been detected yet, and the attacker's identity remains unknown. AMLBot continues to monitor the related addresses.
Security Recommendations
This event once again sounds the alarm: front-end security is one of the most overlooked yet highly destructive risks in the DeFi ecosystem. For users, it is strongly recommended to always use hardware wallets and carefully review transaction details—especially contract addresses and function calls—before signing any transaction. Security plugins such as Scam Sniffer and Pocket Universe can help identify malicious authorizations. Additionally, users should regularly check token approvals on Etherscan or use tools like Revoke.cash to revoke unnecessary allowances. For project teams, strict third-party dependency review mechanisms should be implemented, including Content Security Policy (CSP) and Subresource Integrity (SRI) checks. Self-hosting critical libraries or using whitelist CDNs is also advisable. Furthermore, establish an emergency response plan so that frontend services can be suspended immediately and users notified upon detection of any abnormal frontend behavior.

