Polymarket Security Alert: How a Third-Party Authentication Vulnerability Drained User Wallets

Updated: 2025-12-25 07:25

A decentralized prediction market platform, Polymarket, confirmed on December 25 that some users’ funds were stolen and their account balances wiped out due to a security vulnerability in a third-party authentication provider. The affected users primarily registered through Magic Labs, a service that allows users to log in with their email address and automatically creates a non-custodial Ethereum wallet.

Exploitation of this vulnerability bypassed standard security measures such as two-factor authentication, sparking widespread concern in the market over the security of third-party integrations on crypto platforms.

01 Incident Overview: Asset Risks Exposed by Third-Party Vulnerabilities

The asset theft Polymarket users experienced did not stem from a vulnerability in the platform’s core smart contracts. Instead, it resulted from a security flaw in a third-party authentication provider the platform relies on.

In its official Discord channel, the platform stated: "We recently discovered and resolved a security issue affecting a small number of users, which was caused by a vulnerability in a third-party authentication provider."

Although the platform claims the issue has been fixed and there is no ongoing risk, the exact number of affected users and the total amount lost have not been disclosed. This lack of information has triggered widespread concern in the community about the true scale and severity of the incident.

02 Attack Process: Reconstructing Typical User Cases

According to user reports on social media, this security incident exhibited clear patterns.

One Reddit user detailed their experience: "I woke up this morning to three notifications about login attempts to Polymarket—my device wasn’t compromised, Google detected no suspicious activity, and all my other services are normal."

However, when they logged in to Polymarket, they found all their trades had been closed, and their account balance was just $0.01. This meant their wallet had been almost completely drained.

Another user reported a similar experience. Even though they hadn’t clicked any suspicious links and had enabled two-factor authentication on their email, they still couldn’t prevent attackers from emptying their account after receiving three login attempt notifications.

03 Affected Users: Magic Labs Registrants Targeted

Victims of this security incident shared a common trait: most had registered their Polymarket accounts via Magic Labs.

Magic Labs is a third-party login service designed for crypto newcomers. It allows users to sign in with just an email address, and the system automatically generates a non-custodial Ethereum wallet in the background. While this design significantly lowers the entry barrier to crypto, it also introduces new attack vectors.

Attackers appear to have found ways to bypass multi-factor authentication, rather than relying on traditional phishing or malware to compromise user devices. This has raised serious concerns about third-party authentication services becoming single points of failure.

04 Platform Response: Lack of Clarity Raises Further Doubts

Polymarket’s response to the incident showed a clear tendency to withhold information, which led to more questions than answers.

First, the platform vaguely stated that only a "small number of users" were affected, without providing specific figures or percentages. Second, it did not disclose the total amount stolen, making it impossible for the community to assess the severity of the event. Third, Polymarket did not explicitly name the third-party provider involved, though the community widely suspects Magic Labs.

On the technical side, Polymarket claimed the issue was "resolved" but did not explain what specific fixes were implemented.

Some community members noted that after the incident, Polymarket appeared to increase its one-time password length from three digits to six, but the company has not publicly commented on this change.
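To show why the reported change from a three-digit to a six-digit code matters, here is an added example (not Polymarket's or Magic Labs' code) of a minimal email-OTP verifier with an attempt cap, expiry and constant-time comparison, plus the worst-case chance that an attacker who can submit guesses lands on a valid code within the attempt budget. The `OtpVerifier` class and its limits are assumptions for illustration.

```python
import hmac
import secrets
import time


class OtpVerifier:
    """Single-use numeric OTP with expiry, attempt cap and lockout (illustrative design)."""

    def __init__(self, digits, max_attempts=5, ttl_seconds=300, now=time.time):
        self.digits = digits
        self.max_attempts = max_attempts
        self.ttl = ttl_seconds
        self.now = now          # injectable clock so expiry can be tested
        self.code = None
        self.issued_at = None
        self.attempts = 0
        self.locked = False

    def issue(self):
        """Generate a fresh code with a CSPRNG; zero-padded to the configured width."""
        self.code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self.issued_at = self.now()
        self.attempts = 0
        return self.code

    def verify(self, candidate):
        if self.locked:
            return "locked"
        if self.code is None:
            return "no_code"
        if self.now() - self.issued_at > self.ttl:
            self.code = None
            return "expired"
        self.attempts += 1
        # Constant-time compare avoids leaking how many leading digits matched.
        if hmac.compare_digest(self.code, candidate):
            self.code = None        # single use: a correct code cannot be replayed
            return "ok"
        if self.attempts >= self.max_attempts:
            self.locked = True      # further guesses are refused until an out-of-band unlock
            self.code = None
            return "locked"
        return "wrong"


def guess_success_probability(digits, attempts):
    """Worst-case chance of guessing one code given an attempt budget (online guessing)."""
    space = 10 ** digits
    return min(attempts, space) / space
```

With five attempts per code, a three-digit OTP gives a 0.5% hit rate per login, while a six-digit OTP gives 0.0005%; without an attempt cap, a three-digit code falls to at most 1,000 guesses.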

05 Security Lessons: Systemic Risks of Third-Party Integrations

This isn’t the first time Polymarket has faced a security incident due to third-party services. Back in September 2024, several users who logged in via Google accounts reported that their USDC funds were transferred to phishing addresses.

Last month, a phishing campaign exploiting the platform’s comment section led to user losses exceeding $500,000. These incidents highlight a common challenge for crypto platforms: even if the core smart contracts are secure, reliance on third-party services can still create security vulnerabilities.

Industry analysts point out that when users depend on unified authentication infrastructures not directly controlled by the core platform, integrated systems become especially susceptible to attacks.

06 User Actions: Practical Tips for Asset Protection

For cryptocurrency users, the Polymarket incident offers important security lessons.

The most direct advice is to avoid using third-party login options and instead connect to platforms with wallets where you control the private keys. While this raises the barrier to entry, it remains the best way to secure your assets until platforms can prove they can safely integrate third-party services.

Users should regularly review account activity, enable all available security features, and stay alert to any unusual login attempts. Distributing assets across multiple platforms, rather than concentrating funds in one place, is also a sensible risk mitigation strategy.

With Polymarket planning to migrate from Polygon and launch its own Ethereum Layer 2 network, users should pay extra attention to asset security during the transition.

Looking Ahead

As of December 25, Polymarket’s total trading volume had reached $1.538 billion, with 419,309 monthly active users. When users wake up to find only $0.01 left in their accounts, the incident is no longer a simple technical glitch—it’s a serious test of the security architecture of the entire crypto ecosystem.

User fund security remains the cornerstone of Gate’s platform operations. As the crypto industry faces increasingly complex security challenges, Gate continues to strengthen its security infrastructure and provide users with multiple layers of asset protection.

The content herein does not constitute any offer, solicitation, or recommendation. You should always seek independent professional advice before making any investment decisions. Please note that Gate may restrict or prohibit the use of all or a portion of the Services from Restricted Locations. For more information, please read the User Agreement