Dec 24, 2025 - Polymarket, a decentralized prediction market platform, confirmed that a security vulnerability in a third-party authentication provider led to unauthorized access and fund transfers from user accounts. The breach primarily affected users who registered via Magic Labs, a service providing one-click email-based wallet creation for Ethereum accounts.
Multiple users reported sudden balance drains despite having enabled two-factor authentication on their email accounts. Analysis of on-chain transactions revealed that attackers leveraged the authentication flaw to bypass login controls, executing smart contract calls that moved Ether and ERC-20 tokens to attacker-controlled addresses.
Polymarket's engineering team identified the root cause in the Magic Labs integration layer and deployed a patch on December 23. In an official Discord announcement, the company stated that the vulnerability was contained and no further incidents have been detected. Polymarket did not disclose the total number of affected accounts or the volume of assets compromised but emphasized that the core trading protocol and smart contracts remain secure.
The platform plans to migrate to its own Ethereum Layer 2 network, POLY, and retire the third-party login service to eliminate similar dependencies. Impacted users will receive direct communication outlining recovery options, though Polymarket stopped short of committing to compensation for losses.
Industry experts highlight the incident as a cautionary tale about the risks of outsourcing critical authentication mechanisms. As Web3 projects increasingly rely on external SDKs for user onboarding, rigorous security audits and fallback controls are essential to prevent systemic vulnerabilities.
- CryptoReporter.