Polymarket's frontend supply chain attack.

On June 26, attackers drained about $3 million from Polymarket users. No contract broke and no key leaked. A vendor that supplies code to Polymarket's website was compromised, and the attacker slipped a malicious script into the page real users loaded.

A website is assembled from many pieces of code, some written in-house, some pulled from outside vendors. Compromise one vendor and its code runs on the genuine site, under the genuine domain. Users approved transactions on the real Polymarket, but the script rewrote what they signed and swept pUSD, its dollar-backed stablecoin.

The site was real. The domain was real. The wallet was real. The browser ran code the site trusted from someone else, and on-chain a signed transaction is final. Securing the contracts and the keys does little when the page itself serves an attacker's script.