Prediction market platform Polymarket said multiple user accounts recently suffered fund losses after attackers exploited a security vulnerability in a third-party authentication service, prompting concerns among users about account safety.
In a statement shared with users, Polymarket said the issue has now been fully resolved and that there is no ongoing risk to accounts on the platform.
The company added that the vulnerability did not originate from Polymarket’s core infrastructure but from an external authentication provider used for account access.
Reports of the incident first surfaced on social media, where several users claimed their balances were drained following what they described as abnormal or unauthorized login attempts. Some users said they noticed access to their accounts from unfamiliar locations shortly before funds were withdrawn.
While Polymarket did not publicly identify the authentication provider involved, user feedback online suggests that many of the affected accounts were registered using Magic Labs, a service that allows users to sign in with email-based credentials rather than traditional wallets. Polymarket has not confirmed this detail, nor has it disclosed how many users were impacted or the total amount of funds lost.
The platform said it acted quickly after detecting the issue, coordinating with the third-party provider to patch the vulnerability and prevent further unauthorized access. Polymarket emphasized that the problem has been contained and that additional safeguards have been implemented to strengthen account security.
The incident highlights ongoing security risks tied to third-party integrations in crypto and Web3 platforms, particularly those related to user authentication and custody workflows. While email-based login systems are often seen as more user-friendly, critics argue they can introduce attack vectors if not properly secured.
Polymarket has grown rapidly over the past year, attracting users with its on-chain prediction markets covering politics, economics, and global events. As activity increases, the platform, like many crypto-native services, faces heightened scrutiny over its security practices and reliance on external service providers.
The company has encouraged users to review their account activity, enable additional security measures where available, and contact support if they believe they were affected. For now, Polymarket says the vulnerability has been addressed, and normal operations have resumed.