Decentralized prediction market platform Polymarket has confirmed a security breach affecting multiple users, attributing the incident to a vulnerability at a third-party authentication provider. Reports of unauthorized account access and asset losses began surfacing earlier this week on social media platforms X and Reddit.
Affected users described waking up to multiple login attempts on their accounts, only to find their balances drained to near zero. One user detailed on Reddit: "Today I woke up and see 3 attempts to login to polymarket — My device isn't compromised, google found nothing suspicious, all other services are fine. So I went to Polymarket and realized that all my deals were closed and balance is $0.01." Another user reported a similar experience, noting their funds were stolen despite having two-factor authentication enabled and not clicking any suspicious links.
Polymarket officially acknowledged the issue on its Discord channel on Tuesday, stating: "We recently identified and resolved a security issue affecting a small number of users. The issue was caused by a vulnerability introduced by a third-party authentication provider." The platform confirmed it has resolved the vulnerability and that no ongoing risks remain, promising to contact impacted users directly. However, Polymarket has not disclosed the specific third-party provider involved, the exact number of affected users, or the total value of assets stolen.
Social media reports suggest the breach may be linked to users who signed up through Magic Labs, a service that allows email-based sign-in and creates non-custodial Ethereum wallets, commonly used by newcomers to crypto.
This incident follows previous security concerns on the platform. In September 2024, users logging in via Google accounts reported wallet drains where attackers used "proxy" function calls to move USDC funds to phishing addresses. Separately, a phishing campaign exploiting Polymarket's comment sections last month resulted in over $500,000 in user losses.
The breach highlights the persistent security challenges in the crypto ecosystem, particularly the risks associated with third-party dependencies. Even when a platform's core technology is secure, external providers can create critical weak links. Polymarket's response—quick acknowledgment and vulnerability resolution but limited transparency—raises questions about accountability and user protection in decentralized finance.