Liquid Staking Derivative Finance (LSDFi) protocol unshETH disclosed in a Wednesday Twitter update that the private keys for one of its deployer contracts had been compromised.
At approximately 14:00 UTC (6 hrs ago), one of the deployer private keys for unshETH contracts was compromised.
Out of an abundance of caution, we emergency paused withdrawals on unshETH Ether. Given our security model, unshETH Ether deposits ($35m tvl) are secured with…
— unshETH (@unsheth_xyz) May 31, 2023
The team said it had paused unshETH withdrawals out of an abundance of caution, but that its security model ensured all deposits, secured in a multisig and timelock wallet, were not at risk.
However, the development resulted in some of the ancillary protocol contracts being compromised as well. The unshETH team said it was working with security experts from Coinbase, Stargate, Paladin Blockchain Security and GitHub to limit the scope of impact.
The team has also said that it has attempted to negotiate with the hacker on the return of funds, but did not disclose the amount that was potentially at risk.
“As of now, we are still ok with you returning 90% of the funds, and contract ownership…by 1:00 June 1st UTC. Take a nice payday for yourself, walk away clean, and we won’t come after you anymore,” said the unshETH team in a message to the hacker.
According to analysis from on-chain sleuth “@ZoomerAnon”, the attacker gained ownership over the protocol’s farm contract by accessing the private key of an Externally Owned Account (EOA) that was the contract’s previous owner.
Some users also pointed out that a Chinese white hat hacker had uncovered that the private key was mistakenly pasted into the protocol’s latest GitHub repository and quickly reported it to the team.
Huge shout out to @greysign1, a chad Chinese white hat, who first noticed @unsheth_xyz vdAMM owner private key was carelessly copy pasted to their latest GitHub repo, reported to the team immediately preventing another major defi loss in the already chilly defi winter 🙏🙏🙏 https://t.co/wFA2jSUk9e
— Dovey "Rug the fiat" Wan (hiring) (@DoveyWan) June 1, 2023
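The failure described above, a deployer EOA private key committed to a public repository, is one a pre-commit scanner can catch before the push. The following Python is an added example and not unshETH's code; the context word lists, the regexes and the sample diff are constructed assumptions, and the scanner deliberately separates 32-byte keys from transaction hashes, which share the same 64-hex shape.

```python
import re

# secp256k1 group order: a valid private key k satisfies 1 <= k < SECP256K1_N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# A 32-byte hex blob, optionally 0x-prefixed, not embedded in a longer hex run.
HEX32 = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")
# Assumed context words: these make a 64-hex blob likely a key rather than a hash.
KEY_CONTEXT = re.compile(r"(?i)(priv(ate)?[_ -]?key|secret|deployer|owner|accounts|mnemonic)")
# Assumed context words marking a 64-hex blob as a hash, the main false positive.
HASH_CONTEXT = re.compile(r"(?i)(tx|hash|block|slot|topic|sha|keccak|digest)")

def is_plausible_private_key(hex64: str) -> bool:
    """True when the 32-byte value lies in the valid secp256k1 scalar range."""
    return 1 <= int(hex64, 16) < SECP256K1_N

def scan_diff(diff_text: str):
    """Return (line_no, redacted_key) for added ('+') diff lines that look like they
    carry an EOA private key, i.e. where a pre-commit hook can still block them."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for match in HEX32.finditer(line):
            blob = match.group(1)
            if not is_plausible_private_key(blob):
                continue
            # Flag when key-like context is present, or when nothing marks the
            # blob as a hash. Never record the full key, even in findings.
            if KEY_CONTEXT.search(line) or not HASH_CONTEXT.search(line):
                findings.append((line_no, blob[:4] + "..." + blob[-4:]))
    return findings

# Constructed sample diff (not from the unshETH repository): one added line pastes
# a deployer key into a Hardhat-style config, another adds a transaction hash.
SAMPLE_DIFF = """\
diff --git a/hardhat.config.js b/hardhat.config.js
--- a/hardhat.config.js
+++ b/hardhat.config.js
@@ -1,3 +1,5 @@
 module.exports = {
+  // deployer key (constructed value)
+  accounts: ["0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"],
+  lastDeployTx: "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
 };
"""

if __name__ == "__main__":
    for line_no, redacted in scan_diff(SAMPLE_DIFF):
        print(f"possible private key on added line {line_no}: {redacted}")
```

Wiring `scan_diff` to the output of `git diff --cached` in a pre-commit hook blocks the commit at the point where the key is introduced; a key that already reached a public remote must be treated as compromised and ownership transferred off that EOA regardless of whether the commit is later removed.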
The protocol’s native token USH dropped 24% after news of the private key leak was made public on social media.