Polymarket will refund users hit in the June 25 security incident, after attackers stole about $3.1 million. The key point is where the breach happened. This was not a protocol exploit: the on-chain system that runs and settles Polymarket’s markets was not compromised. The attack came through third-party software embedded in the website, where a malicious script was injected into the frontend seen by some users.

That means the damage was serious, but narrower than a smart-contract drain. The market infrastructure held up. The weak point was the website layer users clicked through, not the contracts holding the markets together. Reported losses were limited to a small number of wallets, in the low teens, rather than spread across the broader platform.

For users, that distinction matters. Funds were stolen through the interface, not because the core protocol failed. So the immediate test for Polymarket is less about rebuilding broken market plumbing and more about proving the website path is clean, the bad dependency is gone, and affected users are made whole.