$5 011 000 USD





"Create locks and place them anywhere you’d like to lock content. Users can purchase memberships as NFT keys that grant access to content, tickets and anything else you’d like to monetize."


"Unlock is an open source, Ethereum-based protocol designed to streamline membership benefits for online communities." "Unlock is meant to help creators find ways to monetize without relying on a middleman. It’s a protocol — and not a centralized platform that controls everything that happens on it."


"Unlock’s mission is about taking back subscription and access from the domain of middlemen — from a million tiny silos and a handful of gigantic ones — and transforming it into a fundamental business model for the web."


"The Unlock Protocol can be applied to publishing (paywalls), newsletters, software licenses or even the physical world, such as transportation systems. The web revolutionized all of these areas - Unlock will make them economically viable."


"One of Julien’s (Unlock Founder & CEO) private keys was stolen." "The attacker was able to access one of Julien’s (our founder and CEO) seed phrases and used it to take control of the Unlock contract on xDAI and Polygon."


"It is still unclear how that seed phrase was compromised but we suspect it might have been accidentally made public as part of a code push as it needs to be included in scripts used to deploy contracts. We are still trying to clarify if that was the case, but it is possible that this seed phrase has been leaked a long time ago (some forwarding contracts used in the attack have been deployed months ago)."


"With that private key, the hacker upgraded the Unlock contracts on both xDAI and Polygon to add a function that seems to have enabled them to transfer ownership of the tokens held by these contracts."


"Someone was able to steal one of Julien's (Unlock Founder & CEO) private keys. This key had been used to deploy the Unlock contract on xDAI and Polygon previously and still "owned" the contracts and was able to upgrade them."


"With that private key, they were able to steal ownership of the Unlock contract on xDAI and Polygon."


"They upgraded the contracts on both xDAI and Polygon to add a function that seems to have enabled (we need to confirm that but the next events seem to indicate that this is what happened) them to transfer ownership of the tokens held by these contracts."


"UDT tokens (Unlock's governance token) were stolen and dumped on Uniswap."


"We have been working very closely with both the xDAI and Polygon teams. Both teams have been incredibly cooperative. With their help, we have a plan to unblock transfers of UDT to and from Polygon and xDAI, without allowing the attacker to release back to mainnet the 40,000 tokens that are still in their possession. It will require another upgrade to the UDT contract, like the one we did yesterday, but we are confident that we can get this resolved in the next 2 weeks."


"There has been a lot of discussion about what to do with the token supply on mainnet. First we want to re-iterate that no user of the protocol (or token holder) has seen their balance of tokens affected. The only change is that another 2% of supply has been made liquid."


"Since the attack, these 20,000 tokens have been bought and sold many times by many addresses. We understand that a lot of these purchases and sales were opportunistic. We also noticed that currently about 4,406 addresses hold tokens, which is only slightly higher than what it was prior to the hack (4,328), hinting that a lot of existing token holders have bought tokens themselves."


"As a conclusion, we will *not* issue a reset of the contracts to the prior token balances."


"We are still considering other ways to recognize token holders based on their pre-hack balances. Once the audits of the UDT contract have been conducted successfully we will also transfer its ownership to the DAO, who could then decide to change its behavior."


"We are preparing to re-deploy the Unlock contract on xDAI and Polygon as well as offer an easy gas-less upgrade path for anyone who has locks on these contracts. There again, we are working day and night to ship this in the next few weeks."


"In the meantime, even if we believe locks deployed on xDAI and Polygon are safe, please use an abundance of caution and make sure you withdraw funds from them regularly."

The Unlock Protocol is a smart contract utility which allows services to create membership systems easily. Two of the bridges providing liquidity against xDAI and Polygon were run using an exposed private key from one of the founders. The key enabled the attacker to upgrade the smart contract and remove 50,000 tokens worth of liquidity. The attacker foolishly left 30,000 tokens in the contract, and took the other 20,000 out. The 30,000 tokens were frozen and returned with the help of the Polygon and xDAI teams.
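
The quoted post-mortem suspects the seed phrase was pushed with deployment scripts. As an added example (not code from Unlock or this site), a minimal pre-push check in Python that flags mnemonic-like phrases and hex private key candidates in script text. The sample script, its variable names and its placeholder secrets are constructed, and the match is a heuristic on word count and word length, not a BIP-39 wordlist lookup.

```python
import re

# BIP-39 mnemonics are 12, 15, 18, 21 or 24 words; English wordlist entries
# are 3 to 8 lowercase letters. This is a shape check, not a wordlist lookup.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD = re.compile(r"[a-z]{3,8}")
QUOTED = re.compile(r"""(["'`])(.*?)\1""")
HEX_KEY = re.compile(r"(?:0x)?[0-9a-fA-F]{64}")
# A 64-hex literal is only reported when the line also names it as a secret,
# so transaction and block hashes are not flagged.
KEY_HINT = re.compile(r"priv|secret|key|mnemonic|seed", re.IGNORECASE)


def classify(literal, line):
    """Return a finding label for one string literal, or None."""
    words = literal.split()
    if len(words) in MNEMONIC_LENGTHS and all(WORD.fullmatch(w) for w in words):
        return "mnemonic-like phrase"
    if HEX_KEY.fullmatch(literal) and KEY_HINT.search(line):
        return "hex private key candidate"
    return None


def scan(text):
    """Return (line_number, label) for every suspicious literal in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in QUOTED.finditer(line):
            label = classify(match.group(2), line)
            if label:
                findings.append((lineno, label))
    return findings


# Constructed sample: a deploy script with placeholder secrets (not real keys).
# DEPLOYER_MNEMONIC is an assumed environment variable name.
SAMPLE = '''\
const { ethers } = require("hardhat");
const mnemonic = "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima";
const privateKey = "0x''' + "ab" * 32 + '''";
const txHash = "0x''' + "cd" * 32 + '''";
const fromEnv = process.env.DEPLOYER_MNEMONIC;
'''

if __name__ == "__main__":
    for lineno, label in scan(SAMPLE):
        print(f"line {lineno}: {label}")
```

Run as a pre-commit or CI step over deploy scripts; a hit means the secret should be treated as exposed and rotated, not just deleted from the latest commit.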

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.