$0 USD

OCTOBER 2021

GLOBAL

UNLOCK PROTOCOL

DESCRIPTION OF EVENTS

"Create locks and place them anywhere you’d like to lock content. Users can purchase memberships as NFT keys that grant access to content, tickets and anything else you’d like to monetize."


"Unlock is an open source, Ethereum-based protocol designed to streamline membership benefits for online communities." "Unlock is meant to help creators find ways to monetize without relying on a middleman. It’s a protocol — and not a centralized platform that controls everything that happens on it."


"Unlock’s mission is about taking back subscription and access from the domain of middlemen — from a million tiny silos and a handful of gigantic ones — and transforming it into a fundamental business model for the web."


"The Unlock Protocol can be applied to publishing (paywalls), newsletters, software licenses or even the physical world, such as transportation systems. The web revolutionized all of these areas - Unlock will make them economically viable."


"[A] vulnerability was introduced in a UDT contract upgrade on August 2nd 2021 and discovered on October 14th around 10:45 AM ET."


"The UDT contract did not originally include a burn function. However, in order to support governance functions, we had to perform an upgrade to our contract on August 2nd 2021. Even though we only used OpenZeppelin's library for the UDT contract (and did not write any logic ourselves), the upgrade required some very specific work to support changes in the contract storage between the version we deployed in November 2020 and the ERC20 version used for governance. Specifically, we had to flatten the OpenZeppelin library in order to apply some patches to avoid storage slot conflicts."


"In a nutshell, the vulnerability allowed anyone to burn tokens from any other address. Even though this could not have resulted in funds being transferred, and we could have recovered any "burned" tokens through a contract upgrade, we believe it could have impacted the price and behavior of the protocol in ways that would have been hard to recover from."


"Fixing the vulnerability was trivial: we just rendered the burn function non-operating by removing the internal call to _burn. In a subsequent deployment, we completely removed the burn function so that calling it will result in errors." "A patch was successfully deployed on the same day at about 1 PM ET. The vulnerability was not exploited."
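
The quoted post describes the bug class but not the code. The contracts below are an added illustration written for this page, not the Unlock Protocol's UDT contract and not OpenZeppelin's library: a minimal ERC20-style ledger (hypothetical names MinimalERC20, VulnerableBurnToken, HardenedBurnToken) with the unsafe shape on one side and the shape OpenZeppelin's ERC20Burnable exposes on the other. In the vulnerable contract the externally callable burn takes an arbitrary account and passes it straight to _burn, so any caller can destroy any holder's balance; the hardened contract only lets a caller burn its own tokens, or tokens whose owner has explicitly approved the caller for at least that amount.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example for this page, not the UDT contract. The base ledger
// deliberately contains only what the two burn variants need.
abstract contract MinimalERC20 {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 initialSupply) {
        _mint(msg.sender, initialSupply);
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    function _mint(address account, uint256 amount) internal {
        require(account != address(0), "ERC20: mint to the zero address");
        totalSupply += amount;
        balanceOf[account] += amount;
        emit Transfer(address(0), account, amount);
    }

    // Internal on purpose: every external path into _burn must first prove
    // the caller is entitled to reduce `account`'s balance.
    function _burn(address account, uint256 amount) internal {
        require(account != address(0), "ERC20: burn from the zero address");
        uint256 bal = balanceOf[account];
        require(bal >= amount, "ERC20: burn amount exceeds balance");
        unchecked { balanceOf[account] = bal - amount; }
        totalSupply -= amount;
        emit Transfer(account, address(0), amount);
    }
}

// VULNERABLE: `account` is caller-controlled and never checked against
// msg.sender or an allowance, so anyone can burn anyone's tokens.
contract VulnerableBurnToken is MinimalERC20 {
    constructor(uint256 initialSupply) MinimalERC20(initialSupply) {}

    function burn(address account, uint256 amount) external {
        _burn(account, amount);
    }
}

// HARDENED: same external surface as OpenZeppelin's ERC20Burnable.
contract HardenedBurnToken is MinimalERC20 {
    constructor(uint256 initialSupply) MinimalERC20(initialSupply) {}

    // A caller may only burn its own balance.
    function burn(uint256 amount) external {
        _burn(msg.sender, amount);
    }

    // Burning someone else's balance requires an allowance from that holder,
    // consumed before the burn so a revert leaves no partial state.
    function burnFrom(address account, uint256 amount) external {
        uint256 current = allowance[account][msg.sender];
        require(current >= amount, "ERC20: insufficient allowance");
        unchecked { allowance[account][msg.sender] = current - amount; }
        emit Approval(account, msg.sender, current - amount);
        _burn(account, amount);
    }
}
```

The check worth keeping in a test suite after any upgrade of a token contract, on a local fork as the post suggests: from an account that holds nothing and has been granted no allowance, call every externally reachable burn entry point against a known holder's address and assert that the call reverts and the holder's balance and totalSupply are unchanged. Flattening and patching a library to resolve storage-slot conflicts changes the external ABI as well as the storage layout, so the test should enumerate the deployed contract's actual public functions rather than the ones the library was expected to expose.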


"We will add a new testing framework to test our changes as upgrades (on top of unit tests). We already leverage hardhat's amazing "local fork" feature and we will increase our use of this. We will additionally perform these tests as part of our CI cycle."


"We will perform an audit for the UDT contract. We have always considered, and this is still the case, that the funds at risk on the Unlock and PublicLock contracts (the core protocol) were in fact smaller than the cost of auditing (especially as the protocol still evolves quickly). However, this is not the case for the UDT contract. We have contacted a few firms and we will share results once we have them."


"Even though no funds were stolen, the signature issue we identified means that a lot of people who have claimed tokens for the airdrop did not actually delegate their votes. We have identified the list of all accounts that have been affected. We are pondering a way to cover the gas cost of them issuing a 2nd delegation and we'll have something to offer soon."

The Unlock Protocol is a set of open source Ethereum smart contracts that let services build NFT-based membership systems. On October 14th 2021 Unlock patched a critical vulnerability in its UDT token contract, introduced by a contract upgrade on August 2nd 2021, that would have allowed anyone to burn tokens from arbitrary addresses; the fix was deployed the same day. The vulnerability was not exploited, and no funds were lost.

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.