Third-party authentication vulnerability causes Polymarket users' funds to disappear, exposing Web3 login infrastructure risks

Incident Overview: Authentication Layer Breach, Millions of Funds Stolen

On December 24, 2025, Polymarket officially confirmed a large-scale account intrusion incident. The root cause of this event was not a smart contract attack but a security flaw introduced by a third-party authentication service provider. Many users reported unauthorized transfers of their account balances, with some USDC holdings being instantly emptied and automatically liquidated.

The incident was first exposed on December 22, 2025, on social platforms such as X, Reddit, and Discord. Users complained that after multiple login attempts, their account funds mysteriously disappeared. One victim stated that their balance dropped from a normal amount to $0.01, while others reported that even enabling email two-factor authentication did not prevent theft.

Third-Party Authentication Becomes a Vulnerable Link in the Crypto Ecosystem

Polymarket did not disclose the name of the third-party provider involved or the total amount stolen, but user reports pointed to common email login solutions such as Magic Labs. The company stated on its Discord channel that the issue had been identified and fixed and that the risk had been eliminated. However, Polymarket's claim that this was an "isolated incident" that "only affected a few users" has raised doubts.

The key issue is that, to speed up onboarding, many DeFi platforms rely on third-party identity verification, wallet services, and login systems. When one provider is breached, the effect cascades into every ecosystem application that depends on it. This architecture shifts risk from the smart contract layer to the identity verification layer, an often overlooked but equally critical weak point.

Hidden Risks of Email Wallet Login

Email-based “magic link” login methods are popular for their ease of use. Platforms create non-custodial Ethereum wallets for users during registration, lowering the barrier for crypto newcomers. But the cost is that the provider still controls the core mechanism for login recovery.

Victimized users reported that their funds were stolen even though they had not clicked any suspicious links. This indicates that the attack was not carried out through traditional phishing but directly exploited backend vulnerabilities in the third-party authentication service. Once attackers breach this layer, they can impersonate legitimate users and authorize transfers or liquidations without any action by the user.
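The trust boundary described above can be made concrete with a small model. The following Python is an added illustration, not code from Polymarket, Magic Labs or any real provider: `AuthProvider`, `UserWallet`, `Platform` and the scenario are all constructed here, and HMAC stands in for the asymmetric signatures a real login provider and wallet would use. It shows two transfer policies side by side. Under the weak policy a valid provider session is sufficient to move funds, so a compromised provider that can mint sessions drains the account with no user action, which is the failure mode the article describes. Under the hardened policy the session only identifies the user, and moving funds additionally requires an authorization signed with a key the provider never held, which is what a direct wallet connection provides.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional


def _mac(key: bytes, obj: Dict[str, object]) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of obj."""
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class AuthProvider:
    """Constructed model of a delegated magic-link login provider (not any real
    provider's code). Whoever holds its signing key can mint a session for any user."""
    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
    def issue_session(self, user_id: str) -> str:
        # In a real flow this runs only after the user clicks the emailed link.
        claims = {"sub": user_id}
        return json.dumps(claims, sort_keys=True) + "." + _mac(self._key, claims)
    def verify_session(self, token: str) -> Optional[str]:
        try:
            body, tag = token.rsplit(".", 1)
            claims = json.loads(body)
        except ValueError:  # malformed token or invalid JSON
            return None
        if not isinstance(claims, dict) or not hmac.compare_digest(_mac(self._key, claims), tag):
            return None
        return claims.get("sub")


class UserWallet:
    """Stand-in for a key only the user holds (a browser wallet). HMAC keeps the
    example on the standard library; a real wallet would sign with ECDSA and the
    platform would store only the public key. The auth provider never sees it."""
    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)
    def sign_intent(self, intent: Dict[str, object]) -> str:
        return _mac(self._secret, intent)
    def verify_intent(self, intent: Dict[str, object], signature: str) -> bool:
        return hmac.compare_digest(_mac(self._secret, intent), signature)


class Platform:
    def __init__(self, provider: AuthProvider) -> None:
        self._provider = provider
        self.balances: Dict[str, int] = {}
        self._wallets: Dict[str, UserWallet] = {}
        self.audit: list = []
    def register(self, user_id: str, balance: int, wallet: UserWallet) -> None:
        self.balances[user_id] = balance
        self._wallets[user_id] = wallet
    def _move(self, user: str, to: str, amount: int) -> bool:
        if amount <= 0 or self.balances.get(user, 0) < amount:
            return False
        self.balances[user] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True
    # Weak policy: a valid provider session alone may move funds.
    def transfer_session_only(self, token: str, to: str, amount: int) -> bool:
        user = self._provider.verify_session(token)
        return user is not None and self._move(user, to, amount)
    # Hardened policy: the session only identifies the user; moving funds also
    # needs an authorization signed with a key the provider never held.
    def transfer_with_user_signature(self, token: str, to: str, amount: int, signature: str) -> bool:
        user = self._provider.verify_session(token)
        wallet = self._wallets.get(user) if user is not None else None
        if wallet is None:
            return False
        if not wallet.verify_intent({"from": user, "to": to, "amount": amount}, signature):
            self.audit.append(f"rejected transfer from {user}: invalid wallet signature")
            return False
        return self._move(user, to, amount)


def simulate_compromised_provider() -> Dict[str, object]:
    """Constructed scenario: the provider's signing key is in an attacker's hands."""
    provider, alice = AuthProvider(), UserWallet()
    platform = Platform(provider)
    platform.register("alice", 1_000, alice)
    platform.register("mule", 0, UserWallet())
    # A compromised provider mints a session for "alice" without any login; the
    # token is indistinguishable from one issued after a genuine login.
    forged = provider.issue_session("alice")
    drained_weak = platform.transfer_session_only(forged, "mule", 1_000)
    platform.balances["alice"] = 1_000  # reset to compare the second policy
    # Under the hardened policy the forged session is not enough: the attacker
    # holds no wallet key, so any signature it supplies fails verification.
    drained_hard = platform.transfer_with_user_signature(forged, "mule", 1_000, "00" * 32)
    # A genuine transfer still works when the user signs the exact intent.
    intent = {"from": "alice", "to": "mule", "amount": 10}
    legit = platform.transfer_with_user_signature(forged, "mule", 10, alice.sign_intent(intent))
    return {"session_only_drained": drained_weak, "signed_policy_drained": drained_hard,
            "legit_signed_transfer": legit, "alice_balance": platform.balances["alice"],
            "audit": platform.audit}
```

The `audit` entry is the detection hook: a transfer request that carries a valid session but no valid wallet signature is exactly the signal a platform should alert on, since a legitimate client would never produce it. The model also explains the article's observation that email two-factor authentication did not help: that factor lives on the same provider side of the boundary, whereas the wallet key lives with the user.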

Historical Lessons: Recurrent Structural Risks

This is not an isolated case. In September 2024, Polymarket experienced a similar intrusion involving Google login methods. Attackers used a “proxy” function call to transfer USDC to a phishing address, which Polymarket characterized as a targeted attack related to third-party authentication.

In November 2025, a wave of scam comments also hit the platform. Scammers posted fake links to lure users into entering their email login credentials, resulting in losses exceeding $500,000. These incidents collectively point to the same conclusion: authentication and session management have become high-value attack targets, and platforms' defenses against them are clearly insufficient.

Deep Reflection: The Cost of Relying on Third Parties

Polymarket has yet to release a technical post-incident analysis or a complete timeline of events, nor has it disclosed any compensation plan. Affected users are increasingly turning to direct wallet connections (such as MetaMask), even though these are less user-friendly for newcomers.

This incident underscores a painful truth in the crypto ecosystem: to improve user experience, protocol layers are increasingly dependent on third-party services—services that should be auxiliary tools but are gradually becoming single points of failure in the system. When these critical pathways are compromised, even the most perfect smart contracts cannot protect user funds.

For the entire industry, vulnerabilities in third-party authentication are now as dangerous as protocol bugs. Polymarket needs not only technical patches but a thorough reassessment of its ecosystem dependency chain to ensure that third-party providers meet security standards aligned with its own requirements.
