We have been made aware that some UDT tokens (Unlock's governance token) were stolen and dumped on Uniswap.

Before we start, we want to apologize to the Unlock community for what happened. We take full responsibility and we will do everything we can to recover from this situation in the best way.

Here is an update with what we know as of now. Please do not speculate and understand that this is what we know now, but may evolve in the future. In any case, we will communicate regularly with everyone to provide full transparency.

First some facts that we strongly believe to be true:

Then, what we know happened:

  1. Someone was able to steal one of Julien's (Unlock Founder & CEO) private keys. This key had been used to deploy the Unlock contract on xDAI and Polygon previously and still "owned" the contracts and was able to upgrade them.
  2. With that private key, they were able to steal ownership of the Unlock contract on xDAI and Polygon
  3. They upgraded the contracts on both xDAI and Polygon to add a function that seem to have enabled (we need to confirm that but the next events seem to indicate that this is what happened) them to transfer ownership of the tokens held by these contracts.

Now, details by chain with the tokens

On xDAI:

As of now, the attacker still controls about 10,020 tokens on xDAI. For that reason we have deployed an emergency upgrade to the UDT contract to block all transfers from the xDAI bridge.

On Polygon