Key Takeaways
In the days leading up to Christmas, several Polymarket users logged in to an unwelcome surprise: their account balances had vanished.
On Dec. 24, Polymarket confirmed that a limited number of user accounts were drained after attackers exploited a security flaw in a third-party authentication service used by the platform.
While the incident did not compromise Polymarket’s core infrastructure, it reignited broader concerns about the risks introduced by external login and wallet providers in Web3.
According to Polymarket, the issue stemmed from a vulnerability in an external authentication system used by some users to access their accounts via email-based logins.
Although Polymarket did not publicly name the provider, user reports across X, Reddit, and Discord suggest that Magic Labs—commonly used for email-based, non-custodial wallet access—may have been involved.
The flaw allowed unauthorized access to certain accounts, enabling attackers to drain USDC balances without user approval.
Polymarket said the vulnerability has since been resolved and emphasized that there is no ongoing risk to users.
Importantly, the company stated that its underlying smart contracts and prediction market protocol were not affected.
The incident was isolated to authentication, not settlement or market mechanics.
Polymarket has not disclosed how many users were impacted or the total value of funds lost, nor has it announced whether compensation will be offered.
The platform said it is able to directly contact affected users.
Early warnings began circulating between Dec. 22 and 23, when users reported unusual login notifications followed by sudden balance losses.
Some flagged abnormal access attempts tied to email-based logins, while others shared screenshots showing accounts wiped within minutes.
A recurring theme across reports was that affected users had relied on “magic link” or email-based authentication rather than connecting wallets directly.
The speed and consistency of the drains led many users to suspect a systemic issue rather than isolated phishing attempts—an assessment Polymarket later confirmed.
While alarming, the incident reflects a well-known tension in crypto platforms: convenience versus security.
Third-party authentication services make onboarding easier, especially for users unfamiliar with wallets and private keys.
But they also introduce supply-chain risk, where vulnerabilities outside a platform’s direct control can expose users to losses.
This was not Polymarket’s first brush with security concerns.
In November 2025, a phishing campaign exploited the platform’s comment sections, resulting in more than $500,000 in reported user losses.
That incident, however, relied on social engineering rather than technical flaws.
The latest breach appears distinct, rooted in authentication bypass rather than user error.
Polymarket characterized the incident as affecting a “small number” of users, though discussion across social media suggests wider unease among its user base.
While such events rarely derail major platforms on their own, they underscore a recurring lesson in crypto: even when core protocols are sound, integrations can become points of failure.
For users, the episode may prompt renewed caution around email-based logins and custodial conveniences. For platforms, it reinforces the challenge of balancing accessibility with the uncompromising security expectations of decentralized finance.
As Polymarket works to reassure users and tighten safeguards, the incident adds to a growing list of reminders that in Web3, trust often hinges on the weakest link—not the strongest one.