Unlock Protocol Private Key Breach

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository


Unlock Protocol

The Unlock Protocol is a smart contract utility which allows services to create membership systems easily. Two of the bridges providing liquidity against xDAI and Polygon were run using an exposed private key belonging to one of the founders. The key enabled the attacker to upgrade the smart contracts and remove 50,000 tokens worth of liquidity. The attacker foolishly left 30,000 tokens in the contract and took the other 20,000 out. The 30,000 tokens were frozen and returned with the help of the Polygon and xDAI teams.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10]

About Unlock Protocol

"Create locks and place them anywhere you’d like to lock content. Users can purchase memberships as NFT keys that grant access to content, tickets and anything else you’d like to monetize."

"Unlock is an open source, Ethereum-based protocol designed to streamline membership benefits for online communities." "Unlock is meant to help creators find ways to monetize without relying on a middleman. It’s a protocol — and not a centralized platform that controls everything that happens on it."

"Unlock’s mission is about taking back subscription and access from the domain of middlemen — from a million tiny silos and a handful of gigantic ones — and transforming it into a fundamental business model for the web."

"The Unlock Protocol can be applied to publishing (paywalls), newsletters, software licenses or even the physical world, such as transportation systems. The web revolutionized all of these areas - Unlock will make them economically viable."

"One of Julien’s (Unlock Founder & CEO) private keys was stolen." "The attacker was able to access one of Julien's (our founder and CEO) seed phrases and used it to take control of the Unlock contract on xDAI and Polygon."

"It is still unclear how that seed phrase was compromised but we suspect it might have been accidentally made public as part of a code push as it needs to be included in scripts used to deploy contracts. We are still trying to clarify if that was the case, but it is possible that this seed phrase has been leaked a long time ago (some forwarding contracts used in the attack have been deployed months ago)."
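The suspected leak path described in the quote above (a seed phrase that deployment scripts need, possibly pushed along with the code) is something a repository check can catch before a commit lands. The following is an added example, not Unlock Protocol's code: the sample deploy scripts and the twelve-word phrase are constructed, and the mnemonic pattern is a wordlist-free heuristic that can flag ordinary twelve-word sentences.

```python
"""Pre-commit style scan for hard-coded seed phrases and private keys in
deployment scripts (added illustration; sample inputs are constructed)."""
import re

# 64 hex chars, optionally 0x-prefixed, inside quotes: a raw secp256k1 private key
PRIVATE_KEY_RE = re.compile(r"""["'](0x)?[0-9a-fA-F]{64}["']""")
# 12 or 24 lowercase words inside one quoted string: heuristic for a BIP-39
# mnemonic (assumption: no wordlist check, so it may flag ordinary sentences)
MNEMONIC_RE = re.compile(r"""["']((?:[a-z]+ ){11}[a-z]+|(?:[a-z]+ ){23}[a-z]+)["']""")
# Reading the secret from the environment is the pattern we want to see instead
ENV_READ_RE = re.compile(r"process\.env\.|os\.environ|getenv\(")


def scan_text(text: str):
    """Return a list of (line_no, kind) findings for one file's contents."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if ENV_READ_RE.search(line):
            continue  # the line looks up the secret at runtime, no literal here
        if PRIVATE_KEY_RE.search(line):
            findings.append((n, "private_key"))
        elif MNEMONIC_RE.search(line):
            findings.append((n, "mnemonic"))
    return findings


def scan_files(files: dict):
    """files maps path -> contents; returns {path: findings} for files with hits."""
    report = {}
    for path, contents in files.items():
        hits = scan_text(contents)
        if hits:
            report[path] = hits
    return report


# Constructed samples: one script with a literal seed phrase (the failure mode),
# one that reads the phrase from the environment (the intended pattern).
BAD_DEPLOY = (
    "const { ethers } = require('hardhat');\n"
    "const mnemonic = 'apple brave cable dance eagle fable giant honey ivory jolly kayak lemon';\n"
    "const wallet = ethers.Wallet.fromMnemonic(mnemonic);\n"
)
GOOD_DEPLOY = (
    "const { ethers } = require('hardhat');\n"
    "const wallet = ethers.Wallet.fromMnemonic(process.env.MNEMONIC);\n"
)

if __name__ == "__main__":
    report = scan_files({"deploy-bad.js": BAD_DEPLOY, "deploy-good.js": GOOD_DEPLOY})
    for path, hits in report.items():
        for line_no, kind in hits:
            print(f"{path}:{line_no}: hard-coded {kind}; load it from the environment or a vault")
```

Run as a pre-commit hook over staged files, a non-empty report blocks the commit; a deployer key that must still exist should also not remain the owner of upgradeable contracts once deployment is done.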

"With that private key, the hacker upgraded the Unlock contracts on both xDAI and Polygon to add a function that seems to have enabled them to transfer ownership of the tokens held by these contracts."

"Someone was able to steal one of Julien's (Unlock Founder & CEO) private keys. This key had been used to deploy the Unlock contract on xDAI and Polygon previously and still "owned" the contracts and was able to upgrade them."

"With that private key, they were able to steal ownership of the Unlock contract on xDAI and Polygon."

"They upgraded the contracts on both xDAI and Polygon to add a function that seems to have enabled (we need to confirm that but the next events seem to indicate that this is what happened) them to transfer ownership of the tokens held by these contracts."

"UDT tokens (Unlock's governance token) were stolen and dumped on Uniswap."

"We have been working very closely with both the xDAI and Polygon teams. Both teams have been incredibly cooperative. With their help, we have a plan to unblock transfers of UDT to and from Polygon and xDAI, without allowing the attacker to release back to mainnet the 40,000 tokens that are still in their possession. It will require another upgrade to the UDT contract, like the one we did yesterday, but we are confident that we can get this resolved in the next 2 weeks."

"There has been a lot of discussion about what to do with the token supply on mainnet. First we want to re-iterate that no user of the protocol (or token holders) have seen their balance of tokens affected. The only change is that another 2% of supply has been made liquid."

"Since the attack, these 20,000 tokens have been bought and sold many times by many addresses. We understand that a lot of these purchases and sales were opportunistic. We also noticed that currently about 4,406 addresses hold tokens, which is only slightly higher than what it was prior to the hack (4,328), hinting that a lot of existing token holders have bought tokens themselves."

"As a conclusion, we will *not* issue a reset of the contracts to the prior token balances."

"We are still considering other ways to recognize token holders based on their pre-hack balances. Once the audits of the UDT contract have been conducted successfully we will also transfer its ownership to the DAO, who could then decide to change its behavior."

"We are preparing to re-deploy the Unlock contract on xDAI and Polygon as well as offer an easy gas-less upgrade path for anyone who has locks on these contracts. There again, we are working day and night to ship this in the next few weeks."

"In the meantime, even if we believe locks deployed on xDAI and Polygon are safe, please use an abundance of caution and make sure you withdraw funds from them regularly."


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Unlock Protocol Private Key Breach

Date: November 21st, 2021 10:30:15 AM MST
Event: Main Event
Description: Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $5,011,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

The total amount recovered has been estimated at $3,006,000 USD.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References