Polymarket hacked

[joniboini]

These bettors are courting risk storing big amounts in a relatively unsafe platform.

There's a chance that amount is not really big for them so they can use that funds freely. But yeah, I doubt every user is like that. Some of them definitely bite more than they can chew and hoping that their funds won't be drained.

About the bug bounty program, it seems like they already have one? Not sure if the user in screenshot already reported that or not, but so far they seemed to have received more than 800 reports already. CMIIW.

[Synchronice]

11 users were affected and $2.94 million was stolen? That's strange. Anyways, it's good that they are refunding and they'll definitely refund, $3 million is not much for them and of course, they won't close the business for this amount of money but I also have another question. Since this is the error from 3rd party, what happens in such cases? Does 3rd party has to refund money to Polymarket too? And can Polymarket demand them more money for possible reputation damage? Does anyone have an answer to this question?

[Potato Chips]

This amount should still be no biggie for someone as big as polymarket. Though it is still a big leap from their previous exploit amounting to $520K. They should be investing more in security, otherwise the next ones may not be as small as the previous incident and could be detrimental in their business.

11 users were affected and $2.94 million was stolen? That's strange. Anyways, it's good that they are refunding and they'll definitely refund, $3 million is not much for them and of course, they won't close the business for this amount of money but I also have another question. Since this is the error from 3rd party, what happens in such cases? Does 3rd party has to refund money to Polymarket too? And can Polymarket demand them more money for possible reputation damage? Does anyone have an answer to this question?

They probably can sue for damages, but may chose not to so people can forget this faster haha. I imagine this lawsuit will surely gain huge buzz.

[PX-Z]

... That's strange. Anyways, it's good that they are refunding and they'll definitely refund, $3 million is not much for them and of course, they won't close the business for this amount of money but I also have another question.

Regardless, if the amount is not big compare to their total holdings, but that is still $3m, were talking millions, you can't make profit with such amount in just days, it will take weeks or even months for them to recover it and that is a huge loss, unless it came from the third party responsible of the hack or if it will come from the insurance, that amount is still huge.
Anyways, kudos to them, they should make the responsible pay for the damage.

[Darker45]

These bettors are courting risk storing big amounts in a relatively unsafe platform.

About the bug bounty program, it seems like they already have one? Not sure if the user in screenshot already reported that or not, but so far they seemed to have received more than 800 reports already. CMIIW.

They already have an existing program for that even before the latest breach took place. I don't know, perhaps they're just too complacent or laid-back, taking for granted certain warnings. Or they don't want to pay?

They've been suffering security breaches. Most recently, there was one in December last year, followed by another in March, and then this one in June. Will there be another one in September? It seems there's a pattern.

By the way, the amount has already been updated to $3.1 million.

[NotATether]

From one of the comments, it's interesting to note that repeated efforts were earlier exerted warning them of a vulnerability. They were ignored.


https://x.com/SkeeSkiiirt/status/2070415172364317107


https://x.com/leaveVeeAlone/status/2065953504850518119

"They were ignored" is an understatement. They straight-up made fun of the vulnerability disclosers on X and attacked their credibility.

The whole thing is a shitshow, and I will pull up tweets from Polymarket later demonstrating the FAFO behavior, but I'm currently typing on a device that doesn't support the X client.

Needless to say, Polymarket got what they deserved. Feel bad for the users, and I actually use them but was not hacked, but they were let down by the arrogant behavior of Polymarket.

[Z-tight]

By the way, the amount has already been updated to $3.1 million.

Yeah, for their sake i hope it stays at this, and doesn't get any larger. Though i am sure they can cover far more than that, but a loss is a loss and it hurts, especially when the service is facing a lot of regulatory problems in so many countries, plus a federal investigation in the U.S.. They have also been restricted in a lot of countries too.

It is surely not the best time for the prediction service. But this would have been avoided if they were proactive and spent a good portion of their revenue into their platform's security.

[avp2306]

... That's strange. Anyways, it's good that they are refunding and they'll definitely refund, $3 million is not much for them and of course, they won't close the business for this amount of money but I also have another question.

Regardless, if the amount is not big compare to their total holdings, but that is still $3m, were talking millions, you can't make profit with such amount in just days, it will take weeks or even months for them to recover it and that is a huge loss, unless it came from the third party responsible of the hack or if it will come from the insurance, that amount is still huge.
Anyways, kudos to them, they should make the responsible pay for the damage.

Even if we or they said the amount got hack is to small compare on the asset or holding of the company still that $3 million got hacked from them still huge. Lots of people can't earn that amount on a day or maybe for many months of working. But since Polymarket is big platform maybe they could recover it in just few days.

But what's important is on how they handle the situation and compensate the damage taken by said hacking incident. Accountability is needed and it will be good that same with other platforms do refund after some of their users got affected. By doing they can eventually regain back the trust of those people doubting about the security of their site.

[PostQuantumBTC]

By the way, the amount has already been updated to $3.1 million.

Yeah, for their sake i hope it stays at this, and doesn't get any larger. Though i am sure they can cover far more than that, but a loss is a loss and it hurts, especially when the service is facing a lot of regulatory problems in so many countries, plus a federal investigation in the U.S.. They have also been restricted in a lot of countries too.

It is surely not the best time for the prediction service. But this would have been avoided if they were proactive and spent a good portion of their revenue into their platform's security.

The difference between $3.1 million and $2.94 is $160 thousand. If Polymarket will be able to pay for $2.94 million, it will also be able to pay the remaining $160 thousand. Polymarket is a very big market that can pay much more if that amount was stolen from their users because of Polymarket fault. The breach can not get more than this, even if it get more than this, it is not going to be a far higher amount of money than $3 million. But I saw somewhere that the site was hacked 2 months ago also.

[Z-tight]

Accountability is needed and it will be good that same with other platforms do refund after some of their users got affected. By doing they can eventually regain back the trust of those people doubting about the security of their site.

They already said they are going to cover the losses. And, not all services reimburse customers when they suffer losses due to the fault of the platform, it depends on the amount lost and the financial strength of the platform. If it is a huge collapse, like that of ftx, they would have to file for bankruptcy, and under new leadership try to recover whatever assets are left, in order to pay creditors something. It is not always straightforward and could take so many years, like mt. Gox.

Finally, covering losses shouldn't automatically transcend into renewed trust. The platform would actually have to put more resources into security to prevent similar situations from occurring. And apparently, Polymarket has failed to do this, because they have been hacked more than once.

[noorman0]

11 users were affected and $2.94 million was stolen? That's strange. Anyways, it's good that they are refunding and they'll definitely refund, $3 million is not much for them and of course, they won't close the business for this amount of money but I also have another question. Since this is the error from 3rd party, what happens in such cases? Does 3rd party has to refund money to Polymarket too? And can Polymarket demand them more money for possible reputation damage? Does anyone have an answer to this question?

Polymarket didn't specifically name a third-party vendor, but I'm sure it was part of their front-end development suite. In conclusion, the target of this hack wasn't at the protocol level. It was simply anyone who randomly clicked on a phishing link, all of whom happened to have a significant account balance.
I read local news reports that there was indeed a phishing campaign underway when Polymarket published their hack.

[NotATether]

As promised here are the links and screenshot dumps.

This is from X:





https://x.com/vxunderground/status/2070361730866168252
https://x.com/PolymarketTrade/status/2070155882906730671

This isn't even the only tweet from them. There were more tweets from this platform which sound exactly like what someone with a 50x long on $TRUMP would've wrote, declaring that all the cybersecurity researchers warning them about the flaws were a bunch of idiots and doomspeakers, and that their platform was one of the most secure. But unfortunately I've liked so many posts, I'm having trouble finding the posts on X with references to those.