Sunday November 21st, 2021 Incident Update

We have been made aware that some UDT tokens (Unlock's governance token) were stolen and dumped on Uniswap.

Before we start, we want to apologize to the Unlock community for what happened. We take full responsibility and we will do everything we can to recover from this situation in the best way.

Here is an update with what we know as of now. Please do not speculate and understand that this is what we know now, but may evolve in the future. In any case, we will communicate regularly with everyone to provide full transparency.

First some facts that we strongly believe to be true:

No new UDT was minted on mainnet
No existing lock is compromised and all locks are safe (the core protocol is not affected to the best of our knowledge)
Mainnet contracts are safe : UDT, Unlock, locks and governance.

Then, what we know happened:

Someone was able to steal one of Julien's (Unlock Founder & CEO) private keys. This key had been used to deploy the Unlock contract on xDAI and Polygon previously and still "owned" the contracts and was able to upgrade them.
With that private key, they were able to steal ownership of the Unlock contract on xDAI and Polygon
They upgraded the contracts on both xDAI and Polygon to add a function that seem to have enabled (we need to confirm that but the next events seem to indicate that this is what happened) them to transfer ownership of the tokens held by these contracts.

Now, details by chain with the tokens

On xDAI:

20,000 Tokens were stolen from Unlock contract to 0xD543F7fCBc661C36801b1D318CA3A6Bd8c50609D tx
Out of the 20,000 tokens that were stolen, 19,980 UDT were transferred by the attacker to 0xf6A78083ca3e2a662D6dd1703c939c8aCE2e268d (the xDAI bridge) tx
Tokens are burnt on xDAI and transferred on mainnet to 0xd543f7fcbc661c36801b1d318ca3a6bd8c50609d tx after which they got swapped on Uniswap for $417,342.84 in Wrapped Eth.

As of now, the attacker still controls about 10,020 tokens on xDAI. For that reason we have deployed an emergency upgrade to the UDT contract to block all transfers from the xDAI bridge.

On Polygon

30,000 tokens were stolen from from the Unlock contract to 0xcc06dd348169d95b1693b9185ca561b28f5b2165: tx
10,000 UDT were transferred to the Polygon Bridge tx