Polymarket Users Hit by Frontend Script Attack, $3.1M PUSD Stolen
Blockchain intelligence firm AMLBot has reported that Polymarket users on the Polygon network have fallen victim to a malicious script injected into the platform's frontend, resulting in the theft of approximately $3.1 million in PUSD (a Polygon-native stablecoin). The attackers implanted a malicious script that tricked users into signing an authorization transaction leveraging EIP-7702 delegated execution, thereby emptying their wallets.
Polymarket, one of the largest decentralized prediction markets, has a substantial user base. The attack has raised urgent concerns about frontend security within the DeFi ecosystem, especially for platforms that rely on third-party libraries.
Attack Vector: Third-Party Script Compromise and EIP-7702 Abuse
The core of the attack lies in the compromise of a third-party script used by Polymarket's frontend. Malicious code was injected into the page, and when users performed normal operations, a seemingly legitimate authorization popup appeared. In reality, the popup exploited EIP-7702's delegated execution feature to temporarily transfer control of the user's wallet to an attacker-controlled contract address. EIP-7702 allows externally owned accounts (EOAs) to obtain contract-like behavior via a signed authorization—a feature designed for better user experience that was weaponized by the attackers.
AMLBot notes that this attack closely resembles the 2024 incident involving the 1inch web application, where the Lottie Player library was compromised to inject wallet-draining scripts. Both cases demonstrate that frontend supply chain vulnerabilities have become a prime target for hackers, as third-party scripts can be exploited to inject malicious code undetected.
Fund Flow Tracing: Cross-Chain Movements and Consolidation
The stolen PUSD was first converted to USDC.e (the Polygon-wrapped version of native Ethereum USDC) via the Relay protocol. The funds were then bridged to the Ethereum mainnet and finally swapped for ETH, which was consolidated into three new wallet addresses. As of AMLBot's latest update, approximately 1,891.9 ETH are evenly distributed across these three wallets, with no further movement yet. However, the attacker may attempt to launder the funds through mixers or centralized exchanges.
This incident serves as a stark reminder for both users and projects. Users should diligently review transaction signatures and avoid blindly approving permissions. Projects must implement rigorous auditing of third-party dependencies and use Subresource Integrity (SRI) checks to prevent script tampering. AMLBot has stated it will continue monitoring the addresses and will update the community on any developments.

