
Polymarket Wallet Draining Linked to Third-Party Authentication Vulnerability

Posted 24th Dec 2025


Polymarket has reported that recent wallet drains experienced by some users were caused by a security vulnerability in a third-party authentication provider. The issue, which affected the onboarding and authentication service supplied by that third party (believed to be Magic Labs, although Polymarket has not publicly named the provider), has been fixed, with no ongoing risk to users.

Users reported receiving suspicious login notification emails, followed in some cases by their accounts being drained, positions closed hours later, and balances approaching zero. Some community members have suggested that weaknesses in Polymarket's one-time password (OTP) system, specifically claims that 3-digit codes were susceptible to brute-force attacks, may have contributed to the incident. Unconfirmed reports note that OTP codes were increased to six digits after the security breach.

This security incident is not isolated, as Polymarket previously faced security concerns in September 2024, when users logging in via Google experienced wallet drains and unauthorized proxy transactions. Additionally, the platform has been targeted by phishing campaigns resulting in significant losses through fake login pages.

The incident at Polymarket reflects a wider trend of risks stemming from third-party infrastructure within the cryptocurrency sector. Other examples include warnings from Koinly about a Mixpanel data breach potentially exposing user emails, which led Koinly to discontinue use of Mixpanel without sharing wallet or transaction data. Similarly, SwissBorg reported a $41.5 million loss this year due to an API provider compromise, underscoring the vulnerability of external vendors across crypto platforms.

Polymarket stated it will contact affected users directly but has not disclosed details regarding reimbursement or recovery options. The number of users impacted and the total funds lost remain undisclosed.

Sources
https://cryptonews.com/news/polymarket-hack-third-party-vulnerability-funds-drained/
* This article has been summarised using Artificial Intelligence and may contain inaccuracies. Please fact-check details with the sources provided.