On November 21st, an attacker used a stolen seed phrase to access our Unlock contract on both xDAI and Polygon. The Unlock Governance Tokens that were stored on both of these contracts were stolen, and the attacker was able to sell 20,000 of them on Uniswap after bridging them back to Ethereum’s mainnet. You can read more about the details in this document and this one.
To the best of our knowledge, Unlock is currently fully operational and safe to use on all networks. You can deploy locks as well as use your governance tokens on any network.
Here is the breakdown of all the measures we have taken:
- Redeployed the Unlock contract on the xDAI chain, owned by a multisig wallet
- Redeployed the Unlock contract on the Polygon chain, owned by a multisig wallet
- Re-enabled the UDT bridge from mainnet to Polygon
- Captured back the 30,000 tokens stolen on Polygon (tx1, tx2)
- Redeployed (with the help of the xDAI team) the UDT bridge from xDAI to mainnet. The old bridge, on which 10,000 stolen tokens are still available, is “discontinued” and the tokens there cannot be transferred back to mainnet.
We are finalizing a migration script for any lock on xDAI or Polygon to be “cloned” over to the new Unlock deployment. This migration is optional but recommended, and our dashboard UI will soon show a button to indicate that a lock can be migrated.
For now, the Unlock contracts on xDAI and Polygon are not yielding UDT tokens for key purchases. We will soon re-enable that by transferring some of Unlock Inc’s tokens to these contracts. We are taking all the necessary measures (audits) to make sure this is safe, which is why we’re not rushing to do that.
Finally, we have contracted with a forensics firm to track the stolen assets that we have not yet recovered (or proceeds of the sale of the stolen assets), in order to try to recapture them, if possible. We know it is generally hard, but we think it is worth trying.
I once again want to reiterate an apology for this event. Our goal is to build a better business model for the internet and we’re aiming for a way to do that in a safe, secure, and inclusive environment. This means we (and I specifically) need to have higher standards when it comes to security. We are working toward that goal.