The decentralized prediction market platform Polymarket has officially acknowledged a recent security incident that impacted a limited number of user accounts, attributing the problem to a vulnerability in an external authentication service. Complaints emerged on platforms like X and Reddit in recent days, with users describing sudden unauthorized access and significant fund losses.
One user described on Reddit waking up to multiple login attempts, despite no signs of compromise on their device or other accounts.
Upon checking Polymarket, they found that all their positions had reportedly been liquidated and that their balance had been reduced to a mere penny ($0.01).
Similar stories followed in online discussions, including reports of repeated login alerts followed by complete wallet drains.
Notably, several victims emphasized that they avoided suspicious links and maintained two-factor authentication (2FA) on their emails, suggesting the intrusion bypassed typical safeguards.
Community speculation quickly centered on accounts created via Magic Labs, a service popular among cryptocurrency newcomers for its seamless email-based sign-in feature.
Magic Labs generates non-custodial Ethereum wallets automatically, lowering barriers for those without existing crypto setups.
While Polymarket has not explicitly named the provider, the pattern of affected users aligns closely with this integration.
In a statement shared on its official Discord server earlier this week, Polymarket confirmed the issue:
“We recently identified and resolved a security issue affecting a small number of users. The issue was caused by a vulnerability introduced by a third-party authentication provider.”
The company says the reported flaw has been fully addressed, with no continuing threats to the platform. Whether that holds remains to be seen as the situation continues to develop. Moreover, the growing sophistication of crypto hacks makes it increasingly difficult to predict how such security breaches will affect end users.
Polymarket also committed to reaching out personally to those impacted.
The latest incident highlights significant ongoing challenges in the nascent web3 and crypto space, where convenience features like third-party logins can introduce risks, even on non-custodial platforms.
Although Polymarket’s core smart contracts have reportedly remained untouched, the event underscores the importance of proper integration vetting.
This is not Polymarket’s first encounter with security concerns; previous issues, including phishing campaigns, have affected users as well.
As the platform continues to grow in popularity and adoption for event-based forecasting, incidents like this serve as important reminders for ecosystem participants to prioritize self-custodied wallets and heightened vigilance.
Polymarket has not yet disclosed the exact number of affected accounts or total losses, leaving some users awaiting further details on potential recourse.