Security Incident November 21st 2021

On November 21st, a stolen seed phrase was used by an attacker to access our Unlock contract on both xDAI and Polygon. The Unlock Governance Tokens that were stored on both of these contracts were stolen and the attacker was able to sell 20,000 of them on Uniswap after bridging them back to Ethereum’s mainnet. You can read more about the details in this document and this one.

To the best of our knowledge, Unlock is currently fully operational and safe to use on all networks. You can deploy locks as well as use your governance tokens on any network.

Here is the breakdown of all the measures we have taken:

• Redeployed the Unlock contract on the XDAI chain, owned by a multisig wallet
• Redeployed the Unlock contract on the Polygon chain, owned by a multisig wallet
• Re-enabled the UDT bridge from mainnet to Polygon,
• Captured back the 30,000 tokens stolen on Polygon (tx1, tx2)
• Re-deployed (with the help of the xDAI team) the UDT bridge from xDAI to mainnet. The old bridge, on which 10,000 stolen tokens are still available is “discontinued” and the tokens there cannot be transferred back to mainnet.

We are finalizing a migration script for any lock on xDAI or Polygon to be “cloned” over the new Unlock deployment. This migration is optional but recommended and our dashboard UI will soon show a button to indicate that a lock can be migrated.

For now, the Unlock contracts on xDAI and Polygon are not yielding UDT tokens for key purchases. We will soon re-enable that by transferring some of Unlock Inc’s tokens to these contracts. We are taking all the necessary measures (audits) to make sure this is safe, which is why we’re not rushing to do that.

Finally, we have contracted with a forensics firm to track the stolen assets that we have not yet recovered (or proceeds of the sale of the stolen assets), in order to try to recapture them, if possible. We know it is generally hard, but we think it is worth trying.

I once again want to reiterate an apology for this event. Our goal is to build a better business model for the internet and we’re aiming for a way to do that in a safe, secure, and inclusive environment. This means we (and I specifically) need to have higher standards when it comes to security. We are working toward that goal.

As some people asked how we were able to recapture the funds from Polygon, here is an explainer.

The attacker had deposited the tokens on the Polygon bridge after they stole them from the Unlock contract (tx1, tx2), but they had not withdrawn them in time, so we were able to submit a first upgrade to the UDT contract that blocked all transfers from the Polygon bridge (the tx would just fail).

The Polygon team helped us understand that the “withdrawal” transaction on the bridge can actually be triggered by anyone but the funds can only go to the address that deposited them.

So we performed a 2nd upgrade of the token. That second one re-enabled transfers from the bridge to all addresses, but the addresses of the attacker. For these addresses, the funds would be simply “re-routed” back to the Unlock multisig as visible on line 25.

Today, we were able to issue the transactions to actually “withdraw” the funds from the bridge, and, as they were sent to the attacker’s address, the token contract simply “diverted” these funds.

cool and brilliant job done by the team.

Another thing I learned here is timeliness matters

Also being able to stay alert to current things on the Smart contract is key to moving to action on time. I think Openzeppelin just introduce something in that regard which the team may checkout for future things