What we have learned

Since yesterday, we have mostly confirmed what we wrote then. The attacker was able to access one of the seed phrases of Julien (our founder and CEO) and used it to take control of the Unlock contract on xDAI and Polygon. The attacker stole the tokens on these contracts and was able to sell 20,000 of them. The rest (40,000) is now frozen on the bridges and we don't expect the attacker to be able to bring them back to mainnet.

It is still unclear how that seed phrase was compromised, but we suspect it might have been accidentally made public as part of a code push, as it needs to be included in the scripts used to deploy contracts. We are still trying to clarify whether that was the case, but it is possible that this seed phrase was leaked a long time ago (some forwarding contracts used in the attack were deployed months ago).
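As an added example (not Unlock Protocol code), the kind of pre-commit check that catches the failure mode described above: it flags quoted strings in a deploy script that have the shape of a BIP-39 seed phrase. The sample script, the phrase in it and the DEPLOYER_MNEMONIC variable name are constructed; a real deployment would pass the full BIP-39 wordlist as `wordlist`, which is not embedded here.

```python
"""Heuristic check for hardcoded BIP-39 style seed phrases in source text.

Flags quoted strings of 12, 15, 18, 21 or 24 whitespace-separated words, each
3 to 8 lowercase letters (the shape of every word in the BIP-39 English list).
Passing the real wordlist as `wordlist` removes nearly all false positives.
"""
import re
import sys
from typing import Iterable, Optional

VALID_COUNTS = {12, 15, 18, 21, 24}
QUOTED = re.compile(r'''(["'])((?:[a-z]{3,8}\s+)+[a-z]{3,8})\1''')
WORD = re.compile(r"^[a-z]{3,8}$")


def looks_like_mnemonic(text: str, wordlist: Optional[set] = None) -> bool:
    """True if `text` has the word count and word shape of a BIP-39 phrase."""
    words = text.split()
    if len(words) not in VALID_COUNTS or not all(WORD.match(w) for w in words):
        return False
    return wordlist is None or all(w in wordlist for w in words)


def scan_lines(lines: Iterable[str], wordlist: Optional[set] = None) -> list:
    """Return (line_number, redacted_preview) for each suspicious quoted string."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in QUOTED.finditer(line):
            words = match.group(2).split()
            if looks_like_mnemonic(match.group(2), wordlist):
                # Never echo the full phrase into CI logs: first and last word only.
                findings.append((lineno, f"{words[0]} ... {words[-1]} ({len(words)} words)"))
    return findings


# Constructed sample (not a real seed): a hardcoded phrase next to the
# environment-variable pattern that a deploy script should use instead.
SAMPLE_DEPLOY_SCRIPT = '''\
import os
MNEMONIC = "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima"
SAFE_MNEMONIC = os.environ["DEPLOYER_MNEMONIC"]  # constructed variable name
NETWORKS = "xdai polygon mainnet"
'''

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_DEPLOY_SCRIPT.splitlines())
    for lineno, preview in hits:
        print(f"line {lineno}: possible seed phrase: {preview}")
    sys.exit(1 if hits else 0)
```

Run as a pre-commit hook over staged files, the non-zero exit blocks the push; the redacted preview keeps the phrase itself out of CI output.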

What we will do next

Token supply & balances

There has been a lot of discussion about what to do with the token supply on mainnet. First, we want to reiterate that no user of the protocol (nor any token holder) has seen their token balance affected. The only change is that another 2% of the supply has been made liquid.

Since the attack, these 20,000 tokens have been bought and sold many times by many addresses. We understand that a lot of these purchases and sales were opportunistic. We also noticed that currently about 4,406 addresses hold tokens, which is only slightly higher than before the hack (4,328), suggesting that a lot of existing token holders have bought tokens themselves.

In conclusion, we will not reset the contracts to the prior token balances.

We are still considering other ways to recognize token holders based on their pre-hack balances. Once the audits of the UDT contract have been conducted successfully, we will also transfer its ownership to the DAO, which could then decide to change its behavior.

Frozen tokens

We have been working very closely with both the xDAI and Polygon teams. Both teams have been incredibly cooperative. With their help, we have a plan to unblock transfers of UDT to and from Polygon and xDAI, without allowing the attacker to release back to mainnet the 40,000 tokens that are still in their possession. It will require another upgrade to the UDT contract, like the one we did yesterday, but we are confident that we can get this resolved in the next 2 weeks.

Recovering contracts

We are preparing to re-deploy the Unlock contract on xDAI and Polygon, as well as offer an easy gas-less upgrade path for anyone who has locks on these contracts. Here again, we are working day and night to ship this in the next few weeks.

In the meantime, even though we believe locks deployed on xDAI and Polygon are safe, please exercise an abundance of caution and make sure you withdraw funds from them regularly.