Trust

Security

How PolyZig secures your trading, what risks remain, and how to reach us if you find a vulnerability.

Custody Model

PolyZig is non-custodial. Your Polygon wallet is issued by Magic.link and its private key is held in their secure enclave on your device — not on our servers. PolyZig never sees, stores, or has the ability to retrieve your private key. If PolyZig shut down tomorrow, your funds would still be accessible through Magic.link directly.

Deposits are sent to your own wallet address. Withdrawals are signed client-side by you via Magic.link. We cannot move your funds without your authorization.

Four Approvals

To enable copy trading we ask for four standard Polymarket approvals, each issued once and then reused for every trade:

  1. USDC → CTF Exchange — lets the exchange pull USDC from your wallet when you buy a position.
  2. USDC → Neg-Risk CTF Exchange — same authorization for the negative-risk variant used by multi-outcome markets.
  3. CTF tokens → CTF Exchange — lets the exchange sell your outcome tokens when you exit a position (setApprovalForAll).
  4. CTF tokens → Neg-Risk CTF Exchange — same authorization for neg-risk markets.

These approvals follow the standard ERC-20 and ERC-1155 patterns. You can revoke them at any time on-chain if you leave the platform.
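An added example (not PolyZig's or Polymarket's code) of how a user can audit the four approvals above for their own wallet and build the calldata that revokes any that are still live. It encodes the standard ERC-20 `allowance`/`approve` and ERC-1155 `isApprovedForAll`/`setApprovalForAll` calls by hand so it needs no library; the contract addresses are placeholders, and the `eth_call` function is assumed to be supplied by the caller (for example a thin JSON-RPC wrapper).

```python
# Added example, not PolyZig's code: audit the four approvals above for a wallet
# and build the calldata that revokes each live one. Addresses are PLACEHOLDERS.
USDC = "0x" + "11" * 20               # placeholder: USDC (ERC-20) on Polygon
CTF = "0x" + "22" * 20                # placeholder: Conditional Tokens (ERC-1155)
CTF_EXCHANGE = "0x" + "33" * 20       # placeholder: CTF Exchange
NEG_RISK_EXCHANGE = "0x" + "44" * 20  # placeholder: Neg-Risk CTF Exchange
# 4-byte selectors: first 4 bytes of keccak256 of the canonical signature.
SEL_ALLOWANCE = "dd62ed3e"             # allowance(address,address)
SEL_IS_APPROVED_FOR_ALL = "e985e9c5"   # isApprovedForAll(address,address)
SEL_APPROVE = "095ea7b3"               # approve(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)

def _word(value) -> str:
    """ABI-encode an address (hex string) or integer as one 32-byte word."""
    if isinstance(value, str):
        value = int(value, 16)
    return format(value, "064x")

def allowance_call(owner, spender):
    return "0x" + SEL_ALLOWANCE + _word(owner) + _word(spender)

def is_approved_for_all_call(owner, operator):
    return "0x" + SEL_IS_APPROVED_FOR_ALL + _word(owner) + _word(operator)

def revoke_erc20(spender):
    """approve(spender, 0): an ERC-20 approval is revoked by setting it to zero."""
    return "0x" + SEL_APPROVE + _word(spender) + _word(0)

def revoke_erc1155(operator):
    """setApprovalForAll(operator, false) removes an ERC-1155 operator."""
    return "0x" + SEL_SET_APPROVAL_FOR_ALL + _word(operator) + _word(0)

# (label, token contract, spender/operator, read query, revocation builder)
APPROVALS = [
    ("USDC -> CTF Exchange", USDC, CTF_EXCHANGE, allowance_call, revoke_erc20),
    ("USDC -> Neg-Risk CTF Exchange", USDC, NEG_RISK_EXCHANGE, allowance_call, revoke_erc20),
    ("CTF -> CTF Exchange", CTF, CTF_EXCHANGE, is_approved_for_all_call, revoke_erc1155),
    ("CTF -> Neg-Risk CTF Exchange", CTF, NEG_RISK_EXCHANGE, is_approved_for_all_call, revoke_erc1155),
]

def audit(owner, eth_call):
    """Return {label: (token, revoke_calldata)} for every approval still live.
    eth_call(to, data) -> 32-byte hex result is supplied by the caller (e.g. a
    JSON-RPC eth_call wrapper), so this module itself stays offline."""
    live = {}
    for label, token, spender, query, revoke in APPROVALS:
        if int(eth_call(token, query(owner, spender)), 16) != 0:  # allowance>0 / true
            live[label] = (token, revoke(spender))
    return live
```

Each returned tuple is the `to` address and `data` for a transaction the wallet owner signs themselves; an unlimited ("max uint") USDC allowance shows up as live just like a bounded one.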

Infrastructure

  • Backend runs on 4 replicas in EU-West (Netherlands, europe-west4), roughly 25–30 ms from the Polymarket CLOB API — low latency is how we keep your fill price close to the target trader's.
  • TLS 1.3 end-to-end. Auth sessions use HttpOnly, SameSite cookies.
  • Secrets and API keys stored in managed secret storage, never in source control, rotated on a regular schedule.
  • Database is PostgreSQL with encryption at rest; backups are encrypted and retained on a rolling window.
  • All deploys are immutable container images; the production image is the exact artifact built from the tagged commit.

Known Risks

We want you to make an informed decision. The following risks are inherent to the space and are mitigated but not eliminated:

  • Smart-contract risk — Polymarket and CTF contracts may contain bugs or be subject to exploits. We do not operate those contracts.
  • Polygon chain risk — chain halts, reorgs, or validator outages can delay or invalidate trades.
  • Oracle / resolution risk — market outcomes are decided by Polymarket's UMA oracle. Disputed or miscalled resolutions are final and outside our control.
  • Front-running & MEV — copy trading by definition follows someone else's order. We take steps (private RPC, tight slippage bounds, fast detection) to reduce adversarial front-running but cannot guarantee the target's price.
  • Third-party outages — Magic.link, Alchemy, Vercel, or Resend may experience downtime that affects login, RPC, site availability, or email.

Incident Contact

If you suspect a security incident affecting your account or the platform, email security@polyzig.com or message @polyzig_support on Telegram. Include your account email, an approximate timestamp, and as much detail as you can share.

Responsible Disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability in PolyZig:

  • Email security@polyzig.com first — please do not post publicly before we've had a chance to respond.
  • We aim to acknowledge within 72 hours and to triage, fix, and respond within 90 days.
  • Do not access other users' accounts or data, run destructive tests on production, or attempt to exfiltrate data. Good-faith research is welcome.
  • We do not currently run a paid bug bounty, but we will credit you (with permission) once a fix is deployed.

User Hygiene

  • Use a strong, unique password on the email account you sign in with — Magic.link treats email-inbox access as login authorization.
  • Enable 2FA on your email provider. We recommend a hardware key or authenticator app over SMS.
  • Never share your seed phrase, session link, or one-time codes. PolyZig support will never ask for them.
  • Verify the URL is polyzig.com before signing in. Bookmark it.
  • Revoke old token approvals you no longer use with a tool like revoke.cash.