Quick recap on the recent security breach that took place on May 31st.

First and foremost, no user funds were at risk and the scope was fairly limited. The bad actor took control of ~2 wks of undistributed farm rewards and sold it for DAI equating to ~$375k. With the help from security experts from Paladin, Coinbase, Github, Chainalysis and the esteemed crypto recovery specialist Ogle, we quickly profiled the fraudulent actor and retrieved all ownership within ~12 hrs, and referred the matter to appropriate experts.

The issue was not smart contract related, but rather poor DevOps - we accidentally leaked one of the deployer private keys, which owned a number of auxiliary contracts. There is no mechanism for the owner of the contracts to steal any user deposits (ETH deposited in unshETH, unshETH deposited into staking contracts, USH deposited in vdUSH etc.)  Nonetheless, we took immediate action by emergency pausing withdrawals from unshETH.  

All protocol operations were back to normal within 24 hrs and we have resumed focus on growing unshETH, most recently by expanding to Arbitrum.  

Moving Forward: 

Security is the  #1 priority and we have taken the following recent actions to improve the security, governance, and centralization risks to unshETH:

• Improved DevOps practices by adding a formal CI/CD pipeline with dual key required for all changes, not just critical changes

• All smart contracts, even farm contracts are secured by multisig

• Multisig that can make configuration changes to core unshETH vault has been expanded to a 3/4 multisig and now includes an external party (Ogle)

• Comprehensive audit with Paladin Blockchain Security is now finalized inclusive of latest upgrades to unshETH, which can be found here.