The Unleash Protocol, an intellectual property finance platform built on the Story ecosystem, has disclosed a significant security breach resulting in the loss of approximately $3.9 million in user funds. Blockchain security firms CertiK Alert and PeckShield confirmed the exploit, detecting that the attacker deposited 1,337.1 ETH (worth about $3.9 million) into the crypto mixing service Tornado Cash to obscure the transaction trail.
According to the protocol's investigation, an externally owned address gained unauthorized administrative control through Unleash's multisignature governance system. This access enabled the attacker to perform an unauthorized contract upgrade, which then allowed for the withdrawal of assets outside of approved governance procedures. The affected assets include WIP, USDC, WETH, stIP, and vIP tokens. Following the withdrawals, the stolen funds were bridged using third-party infrastructure before being sent to external addresses.
In response, the Unleash Protocol team has suspended all operations to prevent further risk. They are working with independent security experts and forensic investigators to determine the root cause and are conducting a full review of multisig signer activity, key management practices, and governance processes. The team emphasized that there is no evidence of compromise to the underlying Story Protocol contracts, validators, or infrastructure, suggesting the impact is limited to Unleash-specific administrative controls.
Users have been advised to refrain from interacting with Unleash Protocol contracts and to follow only official communication channels for updates. This incident highlights ongoing security challenges within DeFi, particularly around multisig and governance vulnerabilities.
