unshETH Private Key Slip: $375,000 Loss from a Github Post

Project name: unshETH

Project type: Staking

Date of exploit: June 1, 2023

Asset loss: $375,000

Vulnerability: Private key leak

Date of audit report publishing: 03/23/2023

Conclusion: Out of audit scope

Details of the Exploit

Background

unshiETH is a staking platform that allows users to stake ETH and earn yield and swap fees. The exploited contract unshiETH Farm contains users’ unshiETH for farming.

Nature of the Vulnerability

The attacker compromised the private key of the unshiETH, which allows the attacker to withdraw the asset from the protocol.

CertiK Audit Overview

Conclusion

On Jun 01, 2023, the staking platform unshETH was attacked, leading to a loss of around $375,000. According to the unshETH team, they mistakenly leaked their private key to Github, which allows users to withdraw unshETH from the contract. It was due to a human error of the private key management, which should be out of the audit scope.

Reference

Other Resources:

• https://web3isgoinggreat.com/?id=unsheth-compromised-after-private-key-leaked-to-github
• https://beincrypto.com/unsheth-hack-negotiation-lost-funds/
• https://hacked.slowmist.io/en/?c=ETH&page=4