Polymarket confirms security breach, some accounts completely emptied of funds.

Coin68
12-25
This article is machine translated

Polymarket has confirmed a security incident caused by a vulnerability in a third-party authentication provider that resulted in some user accounts having their assets completely drained.

On December 24th, Polymarket, a leading prediction market platform in the crypto market, officially confirmed that the project had experienced a security breach resulting in the complete loss of balances in some user accounts.

Users discovered their accounts had been compromised even though they hadn't clicked any suspicious links.

- Polymarket released this information after days of reports on Reddit and X from community members who said they had been scammed, raising concerns about the security of the largest prediction market platform currently on the market.

- Initial reports emerged earlier this week, when many users reported receiving numerous notifications about unusual logins, before discovering that all their trading positions had been closed and their balances were almost zero.

Notably, some victims stated that they did not click on any phishing links, did not install any strange extensions, and other services were functioning normally, quickly pointing suspicion towards Polymarket's login system rather than user error.

Polymarket has issued a statement asserting that the error originated from a third-party authentication provider.

Following a wave of feedback from the community, Polymarket officially responded on the project's Discord channel, confirming that the platform had recently experienced a security incident affecting a limited number of users.

According to Polymarket, the vulnerability lies not in the smart contract or the protocol's core infrastructure, but originates from a third-party authentication service provider integrated into the login process.

- The project stated that the issue has been detected and fully resolved, and affirmed that there is currently no ongoing security risk and that the majority of users are unaffected.

- Polymarket also committed to proactively contacting affected accounts directly to handle the next steps. However, the platform did not disclose the specific number of affected users or the value of assets lost, nor did it name the third-party authentication provider involved in the incident, leaving many questions unanswered within the community.

Magic Labs is being mentioned by the community.

Although Polymarket did not disclose the identity of the third-party authentication provider involved in the incident, many users in the community believe that Magic Labs is very likely the link leading to this event.

- Magic Labs is an email login service integrated directly into Polymarket, allowing users to create non-custodial wallets without managing seed phrases or setting up traditional wallets. This solution is often highly regarded for its ability to significantly reduce onboarding barriers, making it easier for newcomers to access crypto through an experience similar to Web2.

However, this very model frequently raises security concerns. On X, one user reported that their Polymarket wallet was emptied despite not clicking on any suspicious links or receiving phishing emails, and confirmed that the account was created through Magic Labs.

- Similar feedback has led the community to question whether vulnerabilities in the email authentication mechanism will continue to be a weakness, especially given that Magic Labs has previously been named in security incidents related to the prediction market platform.

This isn't the first time Polymarket has had problems.

- This is not the first time Polymarket has faced security incidents involving third parties. Previously, in September 2024, some users logging into Polymarket via Google accounts reported having USDC wallets completely emptied through proxy function calls; at that time, Polymarket also investigated the possibility that the vulnerability originated from an external authentication provider.

- Subsequently, in November 2025, the platform suffered another large-scale phishing campaign, when fraudsters exploited the comments section to post fake links, luring users into logging in and causing over $500,000 in losses.

- This chain of incidents reveals a systemic risk that lies not in the protocol's core smart contract, but in the user experience layer and the hybrid authentication mechanism between Web2 and Web3.

Coin68 compilation
