Polymarket third-party vulnerability leads to breach: Magic Labs users' accounts emptied

Decentralized prediction market platform Polymarket confirmed this week that a recent security vulnerability involving a third-party identity verification provider affected multiple users. According to social media reports, users registered via Magic Labs became primary victims, waking up to find their accounts emptied. Polymarket acknowledged the issue on its official Discord, attributing it to a vulnerability introduced by the third-party identity verification provider.

Users Wake Up to Zeroed Accounts as Disaster Spreads

Polymarket user accounts stolen

(Source: Relay)

Earlier this week, reports of Polymarket account hacks appeared on X and Reddit, with affected users detailing their losses on social media. One Reddit user wrote: “This morning I woke up to three login attempts on Polymarket. My device wasn’t compromised, Google didn’t find anything suspicious, and other services are normal. When I opened Polymarket, I found all my trades had been closed, and my balance was only $0.01.”

Another user in the comments claimed to have experienced a similar attack. Despite not clicking any links and having two-factor authentication enabled, they received three login attempt notifications before their funds were stolen. This situation—where security measures still cannot prevent breaches—has sparked serious doubts about the platform’s security architecture.

According to user reports on social media, the issue seems concentrated among Polymarket users who registered via Magic Labs. Magic Labs is a service that allows users to log in with an email address and create a non-custodial Ethereum wallet, making it a popular registration choice for crypto newcomers without digital asset wallets. However, this incident exposes the potential risks of relying on third-party authentication services.

Common traits among victims include: all registered via Magic Labs, all enabled two-factor authentication, and all received multiple login attempt notifications before their funds were stolen. This pattern suggests that attackers may have found a way to bypass Magic Labs’ verification mechanism, rather than directly hacking user devices through phishing or malware.

Polymarket Official Response Raises More Questions

On Tuesday, Polymarket acknowledged the security issue on its official Discord channel. The platform stated: “We recently discovered and addressed a security issue affecting a small number of users. The issue was caused by a vulnerability introduced by a third-party identity verification provider.” Polymarket claims the problem has been resolved, with no ongoing risk, and that affected users will be contacted.

However, the response has raised more questions than answers. First, the platform did not specify how many users were affected. How many is “a small number”? 10 people or 100? This vague wording prevents the community from assessing the true scale of the incident. Second, the platform did not disclose the total amount stolen, leaving users unable to gauge the severity of the losses. Third, Polymarket did not clearly identify the third-party provider involved—although the community widely suspects Magic Labs, there has been no official confirmation.

Three Major Omissions in the Official Statement

Unclear scope of victims: Only mentions “a small number of users” affected, without specific figures or percentages

Loss amounts undisclosed: The community cannot evaluate the severity or potential compensation

Vague third-party provider identity: Fails to confirm whether Magic Labs was the source of the vulnerability, seemingly shifting responsibility

Even more concerning, Polymarket claims the issue is “resolved” but does not explain what specific fixes were implemented. Did Magic Labs patch the vulnerability? Did Polymarket change its integration method? Or did they simply disable the login option temporarily? The lack of these critical details leaves users uncertain about whether continuing to use the platform is safe.

The Block has contacted Polymarket for further information but has not received a response as of press time. This opaque communication contrasts sharply with the transparency values emphasized by decentralized platforms.

Third-Party Vulnerabilities Have Been the Biggest Breach Point Twice in Six Months

This latest security flaw mirrors previous incidents, highlighting systemic issues in Polymarket’s third-party integration security. In September 2024, multiple users logging in via Google reported their wallets being drained. Attackers exploited “proxy” function calls to transfer USDC funds to phishing addresses. Polymarket investigated these events, suspecting targeted attacks related to the third-party identity verification provider.

Last month, a phishing campaign in the platform’s comment section led to over $500,000 in losses. Scammers posted links disguised as official, directing users to fake websites to steal login credentials. Although this was a social engineering attack rather than a technical vulnerability, it still exposed multiple security weaknesses in Polymarket’s defenses.

These recurring security issues raise fundamental questions about Polymarket’s security architecture. Why do third-party verification services repeatedly become attack vectors? Are these services thoroughly vetted before integration? What measures have been taken after discovering vulnerabilities to prevent similar incidents? To date, satisfactory answers remain elusive.

One of the core values of decentralized prediction markets is “non-custodial,” meaning users theoretically control their assets entirely. However, reliance on third-party identity verification services undermines this decentralization. Magic Labs offers “non-custodial wallets,” but security flaws in its verification layer can still allow attackers to gain account control. This reveals the eternal tension between convenience and security—an issue that Web3 platforms committed to user-friendliness must confront.

For Polymarket users, the safest current approach is to avoid using third-party login options and instead connect with wallets where users control their private keys. Although this raises the barrier to entry, it remains the only way to ensure asset safety until the platform demonstrates it can secure third-party integrations effectively.
