Unlock Protocol Private Key Breach: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
(Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/unlockprotocolprivatekeybreach.php}} thumb|Unlock ProtocolThe Unlock Protocol is a smart contract utility which allows services to create membership systems easily. Two of the bridges providing liquidity against xDAI and Polygon were run using an exposed private key from one of the founders. The key enabled the attacker tp upgrade the smart contract and remove 50,000 to...")
 
No edit summary
Line 1: Line 1:
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/unlockprotocolprivatekeybreach.php}}
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/unlockprotocolprivatekeybreach.php}}
{{Unattributed Sources}}


[[File:Unlockprotocol.jpg|thumb|Unlock Protocol]]The Unlock Protocol is a smart contract utility which allows services to create membership systems easily. Two of the bridges providing liquidity against xDAI and Polygon were run using an exposed private key from one of the founders. The key enabled the attacker tp upgrade the smart contract and remove 50,000 tokens worth of liquidity. The attacker foolishly left 30,000 tokens in the contract, and took the other 20,000 out. The 30,000 tokens were frozen and returned with the help of the Polygon and xDAI teams.
[[File:Unlockprotocol.jpg|thumb|Unlock Protocol]]The Unlock Protocol is a smart contract utility which allows services to create membership systems easily. Two of the bridges providing liquidity against xDAI and Polygon were run using an exposed private key from one of the founders. The key enabled the attacker tp upgrade the smart contract and remove 50,000 tokens worth of liquidity. The attacker foolishly left 30,000 tokens in the contract, and took the other 20,000 out. The 30,000 tokens were frozen and returned with the help of the Polygon and xDAI teams.


This is a global/international case not involving a specific country.
This is a global/international case not involving a specific country.
<ref name="insuraceblog-6155" /><ref name="unlockprotocol-6314" /><ref name="coinmarketcap-6315" /><ref name="blockscout-6316" /><ref name="polygonscan-6317" /><ref name="blockscout-6318" /><ref name="unlockprotocol-6319" /><ref name="expandcontract-6320" /><ref name="youtube-6321" /><ref name="unlockprotocol-6888" />


== About Unlock Protocol ==
== About Unlock Protocol ==
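Review bot: the ten `<ref name="…" />` tags added after "This is a global/international case not involving a specific country." attach every source to that one sentence, while the claims in the paragraph above it (the exposed founder key, the contract upgrade, the 50,000 / 30,000 / 20,000 token figures) still carry no citation. Move each ref next to the statement it supports, which is also what the newly added {{Unattributed Sources}} banner asks for. The unchanged paragraph still reads "tp upgrade" and could be corrected to "to upgrade" in the same edit.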
Line 109: Line 111:


== References ==
== References ==
[https://blog.insurace.io/security-incidents-in-november-e4bcb39dd7f9 https://blog.insurace.io/security-incidents-in-november-e4bcb39dd7f9] (Feb 1)
<references><ref name="insuraceblog-6155">[https://blog.insurace.io/security-incidents-in-november-e4bcb39dd7f9 https://blog.insurace.io/security-incidents-in-november-e4bcb39dd7f9] (Feb 1, 2022)</ref>


[https://unlockprotocol.notion.site/unlockprotocol/Sunday-November-21st-2021-Incident-Update-a8e05ba111284d5ba43872fa5f00bccb Notion – The all-in-one workspace for your notes, tasks, wikis, and databases.] (Feb 9)
<ref name="unlockprotocol-6314">[https://unlockprotocol.notion.site/unlockprotocol/Sunday-November-21st-2021-Incident-Update-a8e05ba111284d5ba43872fa5f00bccb Notion – The all-in-one workspace for your notes, tasks, wikis, and databases.] (Feb 9, 2022)</ref>


[https://coinmarketcap.com/currencies/unlock-protocol/historical-data/ https://coinmarketcap.com/currencies/unlock-protocol/historical-data/] (Feb 9)
<ref name="coinmarketcap-6315">[https://coinmarketcap.com/currencies/unlock-protocol/historical-data/ https://coinmarketcap.com/currencies/unlock-protocol/historical-data/] (Feb 9, 2022)</ref>


[https://blockscout.com/xdai/mainnet/tx/0x12f0a54b0d5eb595c217377ff0432069f9bee8c3a1a60f8e55459047d008bda8 Transaction 0x12f0a54b0d5eb595c217377ff0432069f9bee8c3a1a60f8e55459047d008bda8 - Gnosis Chain Explorer] (Feb 9)
<ref name="blockscout-6316">[https://blockscout.com/xdai/mainnet/tx/0x12f0a54b0d5eb595c217377ff0432069f9bee8c3a1a60f8e55459047d008bda8 Transaction 0x12f0a54b0d5eb595c217377ff0432069f9bee8c3a1a60f8e55459047d008bda8 - Gnosis Chain Explorer] (Feb 9, 2022)</ref>


[https://polygonscan.com/tx/0xe3b852c9570588f475cff7c1d5f9d57ecfb9faaa65676da9e3ac87abf314a1a3 Polygon Transaction Hash (Txhash) Details | PolygonScan] (Feb 9)
<ref name="polygonscan-6317">[https://polygonscan.com/tx/0xe3b852c9570588f475cff7c1d5f9d57ecfb9faaa65676da9e3ac87abf314a1a3 Polygon Transaction Hash (Txhash) Details | PolygonScan] (Feb 9, 2022)</ref>


[https://blockscout.com/xdai/mainnet/tx/0x6e9cbe9508f6d21e921aff0b6765a7bfecee5dd6eca43460a24d84a87fa13904 Transaction 0x6e9cbe9508f6d21e921aff0b6765a7bfecee5dd6eca43460a24d84a87fa13904 - Gnosis Chain Explorer] (Feb 9)
<ref name="blockscout-6318">[https://blockscout.com/xdai/mainnet/tx/0x6e9cbe9508f6d21e921aff0b6765a7bfecee5dd6eca43460a24d84a87fa13904 Transaction 0x6e9cbe9508f6d21e921aff0b6765a7bfecee5dd6eca43460a24d84a87fa13904 - Gnosis Chain Explorer] (Feb 9, 2022)</ref>


[https://unlockprotocol.notion.site/November-22nd-2021-update-a579a5cca8cf499db293d7895ef1b7e9 Notion – The all-in-one workspace for your notes, tasks, wikis, and databases.] (Feb 9)
<ref name="unlockprotocol-6319">[https://unlockprotocol.notion.site/November-22nd-2021-update-a579a5cca8cf499db293d7895ef1b7e9 Notion – The all-in-one workspace for your notes, tasks, wikis, and databases.] (Feb 9, 2022)</ref>


[https://expandcontract.org/t/unlock-protocol-hacked-founders-private-key-stolen/175 Unlock Protocol hacked - founder's private key stolen - unlock-protocol - Expand / Contract] (Feb 9)
<ref name="expandcontract-6320">[https://expandcontract.org/t/unlock-protocol-hacked-founders-private-key-stolen/175 Unlock Protocol hacked - founder's private key stolen - unlock-protocol - Expand / Contract] (Feb 9, 2022)</ref>


[https://www.youtube.com/watch?v=6XmPcIZQV74 Unlock Protocol Hacked, What's Next and What To Expect ? - YouTube] (Feb 9)
<ref name="youtube-6321">[https://www.youtube.com/watch?v=6XmPcIZQV74 Unlock Protocol Hacked, What's Next and What To Expect ? - YouTube] (Feb 9, 2022)</ref>


[https://unlockprotocol.notion.site/Sunday-November-21st-2021-Incident-Update-a8e05ba111284d5ba43872fa5f00bccb Notion – The all-in-one workspace for your notes, tasks, wikis, and databases.] (Mar 7)
<ref name="unlockprotocol-6888">[https://unlockprotocol.notion.site/Sunday-November-21st-2021-Incident-Update-a8e05ba111284d5ba43872fa5f00bccb Notion – The all-in-one workspace for your notes, tasks, wikis, and databases.] (Mar 7, 2022)</ref></references>
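Review bot: `unlockprotocol-6314` and `unlockprotocol-6888` point at the same Notion page (id a8e05ba111284d5ba43872fa5f00bccb) and differ only in the extra /unlockprotocol/ path segment, so they should be merged into one named ref. All three Notion refs also keep the site's generic title "Notion – The all-in-one workspace for your notes, tasks, wikis, and databases."; replace it with the page's own title (the incident update of November 21st, 2021 and the November 22nd, 2021 update) so the reference list shows what each source is.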

Revision as of 17:58, 27 February 2023

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Unlock Protocol

The Unlock Protocol is a smart contract utility which allows services to create membership systems easily. Two of the bridges providing liquidity against xDAI and Polygon were run using an exposed private key from one of the founders. The key enabled the attacker to upgrade the smart contract and remove 50,000 tokens worth of liquidity. The attacker foolishly left 30,000 tokens in the contract, and took the other 20,000 out. The 30,000 tokens were frozen and returned with the help of the Polygon and xDAI teams.

This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10]

About Unlock Protocol

"Create locks and place them anywhere you’d like to lock content. Users can purchase memberships as NFT keys that grant access to content, tickets and anything else you’d like to monetize."

"Unlock is an open source, Ethereum-based protocol designed to streamline membership benefits for online communities." "Unlock is meant to help creators find ways to monetize without relying on a middleman. It’s a protocol — and not a centralized platform that controls everything that happens on it."

"Unlock’s mission is about taking back subscription and access from the domain of middlemen — from a million tiny silos and a handful of gigantic ones — and transforming it into a fundamental business model for the web."

"The Unlock Protocol can be applied to publishing (paywalls), newsletters, software licenses or even the physical world, such as transportation systems. The web revolutionized all of these areas - Unlock will make them economically viable."

"One of Julien’s (Unlock Founder & CEO) private keys was stolen." "The attacker was able to access one of Julien (our founder and CEO) seed phrases and used it to take control of the Unlock contract on xDAI and Polygon."

"It is still unclear how that seed phrase was compromised but we suspect it might have been accidentally made public as part of a code push as it needs to be included in scripts used to deploy contracts. We are still trying to clarify if that was the case, but it is possible that this seed phrase has been leaked a long time ago (some forwarding contracts used in the attack have been deployed months ago)."

"With that private key, the hacker upgraded the Unlock contracts on both xDAI and Polygon to add a function that seems to have enabled them to transfer ownership of the tokens held by these contracts."

"Someone was able to steal one of Julien's (Unlock Founder & CEO) private keys. This key had been used to deploy the Unlock contract on xDAI and Polygon previously and still "owned" the contracts and was able to upgrade them."

"With that private key, they were able to steal ownership of the Unlock contract on xDAI and Polygon."

"They upgraded the contracts on both xDAI and Polygon to add a function that seem to have enabled (we need to confirm that but the next events seem to indicate that this is what happened) them to transfer ownership of the tokens held by these contracts."

"UDT tokens (Unlock's governance token) were stolen and dumped on Uniswap."

"We have been working very closely with both the xDAI and Polygon teams. Both teams have been incredibly cooperative. With their help, we have a plan to unblock transfers of UDT to and from Polygon and xDAI, without allowing the attacker to release back to mainnet the 40,000 tokens that are still in their possession. It will require another upgrade to the UDT contract, like the one we did yesterday, but we are confident that we can get resolved in the next 2 weeks."

"There has been a lot of discussion about what to do with the token supply on mainnet. First we want to re-iterate that no user of the protocol (or token holders) have seen their balance of tokens affected. The only change is that another 2% of supply has been made liquid."

"Since the attack, these 20,000 tokens have been bought and sold many times by many addresses. We understand that a lot of these purchases and sale were opportunistic. We also noticed that currently about 4,406 addresses hold tokens, which is only slightly higher than what it was prior to the hack (4,328) hinting that a lot of existing token holders have bought tokens themselves."

"As a conclusion, we will *not* issue a reset of the contracts to the prior token balances."

"We are still considering other ways to recognize token holders based on their pre-hack balances. Once the audits of the UDT contract have been conducted successfully we will also transfer its ownership to the DAO, who could then decide to change its behavior."

"We are preparing to re-deploy the Unlock contract on xDAI and Polygon as well as offer an easy gas-less upgrade path for anyone who has locks on these contracts. There again, we are working day and night to ship this in the next few weeks."

"In the meantime, even if we believe locks deployed on xDAI and Polygon are safe, please use an abundance of caution and make sure you withdraw funds from them regularly."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Unlock Protocol Private Key Breach

Date | Event | Description
November 21st, 2021 10:30:15 AM | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost has been estimated at $5,011,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

The total amount recovered has been estimated at $3,006,000 USD.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies

Which policies could have prevented this event from happening?
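
The incident update quoted above suspects that the seed phrase was made public in a code push, because it was included in contract deployment scripts. As an added example (not code from Unlock or from this repository), the pre-push check below scans the added lines of a unified diff for seed-phrase-shaped string literals and 32-byte hex values. The function name, the sample diff and its values are constructed for illustration, and the matching is a shape heuristic.

```python
import re

# BIP-39 English words are lowercase a-z, 3 to 8 letters long, and phrases have
# 12, 15, 18, 21 or 24 words. Shape heuristic only: no wordlist or checksum check.
MNEMONIC = re.compile(r"""["'`]((?:[a-z]{3,8} ){11,23}[a-z]{3,8})["'`]""")
# A raw private key is 32 bytes (64 hex digits). Hashes share this shape, so a
# hit means "review before pushing", not "confirmed key".
HEX_KEY = re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def scan_diff(diff_text):
    """Return (file, new_line_no, kind) for secret-shaped values on added lines."""
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            # "@@ -a,b +c,d @@": c is the first line number in the new file.
            new_line = int(re.search(r"\+(\d+)", raw).group(1))
        elif raw.startswith("+"):
            m = MNEMONIC.search(raw)
            if m and len(m.group(1).split()) % 3 == 0:
                findings.append((path, new_line, "seed-phrase"))
            if HEX_KEY.search(raw):
                findings.append((path, new_line, "hex-key"))
            new_line += 1
        elif raw.startswith(" ") or not raw:
            new_line += 1  # context line: exists in the new file
        # removed lines ("-") do not advance the new-file counter
    return findings


# Constructed sample push. The phrase is the public Hardhat test mnemonic and the
# key is a filler pattern; neither comes from the incident.
FAKE_KEY = "0x" + "0123456789abcdef" * 4
SAMPLE_DIFF = "\n".join([
    "--- a/scripts/deploy.js",
    "+++ b/scripts/deploy.js",
    "@@ -1,2 +1,4 @@",
    ' const hre = require("hardhat");',
    '+const MNEMONIC = "test test test test test test test test test test test junk";',
    '+const DEPLOYER_KEY = "' + FAKE_KEY + '";',
    " // deployment steps follow",
    "--- a/README.md",
    "+++ b/README.md",
    "@@ -10,1 +10,2 @@",
    " Deploy with the project scripts.",
    "+Read the seed phrase from the environment and never commit it.",
])
print(scan_diff(SAMPLE_DIFF))
```

A check like this only covers new pushes; a phrase that already appears in repository history stays exposed until the key is rotated and contract ownership is moved off it.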

References