Not a Platform Hack, but a Trust Failure: How a Third-Party Service Exposed Polymarket Users

Polymarket — one of the most prominent prediction market platforms in the crypto ecosystem — has faced an incident that exposed a fundamental weakness of Web3: even non-custodial services remain vulnerable when they rely on third-party infrastructure.

Reported by minfin.com.ua

This week, the company confirmed that a number of user accounts were compromised, resulting in financial losses. Crucially, the issue did not originate from Polymarket’s core architecture, but from a vulnerability in an external authentication provider.

The Attack Scenario: No Phishing, Full Access

The first reports surfaced on X (formerly Twitter) and Reddit. Affected users described nearly identical attack patterns: the system detected a series of suspicious login attempts, followed shortly by the disappearance of funds from their wallets.

The key detail is that many victims had two-factor authentication enabled and did not interact with any phishing links. This effectively rules out classic social engineering attacks and points to a deeper, infrastructure-level breach.

Magic Labs and the Cost of “Convenient Web3”

The community quickly identified a common thread: most of the affected users had registered on Polymarket via Magic Labs — a service that enables the creation of non-custodial Ethereum wallets using only an email address.

Magic Labs markets itself as a tool to lower the barrier to entry into crypto, especially for newcomers. However, that very convenience appears to have become the weakest link in the security chain.

In effect, the incident highlights a core Web3 dilemma: the smoother the onboarding, the larger the attack surface.

Polymarket’s Response: A Contained Incident, a Systemic Risk

Polymarket acknowledged the incident promptly, stating that the vulnerability has been addressed and that the scope of the issue was limited.

“We identified and resolved a security issue that impacted a small number of users. The incident was caused by a vulnerability introduced by a third-party authentication provider,” the company said in an official statement.

At the same time, Polymarket has not disclosed the exact number of affected users or the total financial losses. The team stated it would reach out directly to those whose accounts were compromised.

Why This Matters for the Entire Industry

This case goes far beyond a single platform. It underscores a broader shift in Web3 risk profiles: vulnerabilities are increasingly found not in smart contracts, but in peripheral infrastructure — login systems, onboarding tools, and key management services.

For users, the message is clear: two-factor authentication and non-custodial wallets do not guarantee absolute security if access control is delegated to third parties.

For the industry, it is a reminder that trust in Web3 is built not only on code, but on the entire dependency chain. And any weak link in that chain can translate into real financial losses.