Polymarket Cites Third-Party Vulnerability in Recent User Account Hack

Decentralized prediction market platform Polymarket confirmed that multiple users were affected by a recent security breach involving a third-party authentication provider. Reports of account hacks began surfacing earlier this week on X and Reddit, as affected users took to social media to detail their losses.

“Today I woke up and see 3 attempts to login to polymarket — My device isn’t compromised, google found nothing suspicious, all other services are fine,” one user wrote on Reddit. “So I went to Polymarket and realized that all my deals were closed and balance is $0.01.”

Another user in the comment section claimed to have experienced a similar security breach, receiving three attempted login notifications before funds were drained from their Polymarket account, despite not clicking any links and having two-factor authentication enabled on their email.

According to user reports on social media, the issue appears to have affected users who signed up for Polymarket through Magic Labs, which lets users sign in via email addresses and creates non-custodial Ethereum wallets. Magic Labs sign-up is widely used by first-time crypto users who do not already have digital asset wallets.

On Tuesday, Polymarket acknowledged the security issue on its official Discord channel. “We recently identified and resolved a security issue affecting a small number of users,” Polymarket wrote. “The issue was caused by a vulnerability introduced by a third-party authentication provider.”

Polymarket did not, however, reveal the number of affected users or the value stolen as a result. It also did not name the third-party provider at the core of the issue. The platform stated it has resolved the issue and that no lingering risks remain. “We will be in contact with impacted users,” Polymarket added. The Block has reached out to Polymarket for further information on the situation.