Liquid Staking Derivative Finance (LSDFi) protocol unshETH disclosed in a Wednesday Twitter update that the private keys for one of its deployer contracts had been compromised.

The team said that it had paused unshETH withdrawals out of an abundance of caution, but that its security model ensured that all deposits secured in a multisig and timelock wallet were not at risk.

However, the development resulted in some of the ancillary protocol contracts being compromised as well. The unshETH team said it was working with security experts from Coinbase, Stargate, Paladin Blockchain Security and GitHub to limit the scope of impact.

The team has also said that it has attempted to negotiate with the hacker on the return of funds, but did not disclose the amount that was potentially at risk.

“As of now, we are still ok with you returning 90% of the funds, and contract ownership…by 1:00 June 1st UTC. Take a nice payday for yourself, walk away clean, and we won’t come after you anymore,” said the unshETH team in a message to the hacker.

According to analysis from on-chain sleuth “@ZoomerAnon”, the attacker gained ownership over the protocol’s farm contract by accessing the private key of an Externally Owned Account (EOA) that was the contract’s previous owner.

Some users also pointed out that a Chinese white hat hacker had uncovered that the private key was mistakenly pasted on the protocol’s latest GitHub repository and quickly reported it to the team.

The protocol’s native token USH has dropped 24% since the news of the private key leak was made public on social media.