- Unauthorized contract upgrades allowed direct withdrawals from the protocol.
- The funds were routed to Ethereum and laundered through Tornado Cash.
- Affected assets include WIP, USDC, WETH, stIP, and vIP.
Governance failures in the Unleash Protocol resulted in a serious security breach that led to attackers exfiltrating approximately $3.9 million in user funds.
The incident was first confirmed by blockchain security company PeckShield and was later confirmed by the Unleash team.
Although this exploit had no impact on the wider Story ecosystem, it reignited interest in how governance mechanisms can be a critical point of failure in decentralized finance.
Unleash Protocol is a decentralized platform built on Story Protocol.
The project said the incident was limited to its own contracts and management controls and that there were no signs of compromise across the Story Protocol’s validators or core infrastructure.
Nonetheless, this event shows that application-level vulnerabilities can still lead to significant losses.
Bypassing governance controls
On-chain analysis shows that the attackers targeted Unleash Protocol’s multi-signature governance system.
By exploiting a weakness in the way administrator privileges are enforced, attackers gained unauthorized access normally reserved for authorized signers.
This access was used to perform contract upgrades that were not approved by the core team.
The unauthorized upgrade changed the way the protocol handles withdrawals. By effectively bypassing standard governance checks, the attackers were able to move funds directly out of the protocol.
According to Unleash, these actions occurred outside the established governance framework and were not detected until the funds had already been removed.
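
As an added example (not from Unleash or the original article), the Python below shows one way a monitor could flag an upgrade like this when it happens: it scans event logs for the standard ERC-1967 `Upgraded(address)` event and alerts when the new implementation is not on a governance-approved list. It assumes the contracts are ERC-1967 style upgradeable proxies, which the article does not state; every address, hash and log entry is a constructed placeholder.

```python
# keccak256("Upgraded(address)"): the event ERC-1967 proxies emit on upgrade.
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
# keccak256("Transfer(address,address,uint256)"): used below only as noise.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

def pad(addr):
    """Encode a 20-byte address as a 32-byte indexed topic."""
    return "0x" + "0" * 24 + addr[2:]

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic.lower()[-40:]

def find_unapproved_upgrades(logs, approved):
    """approved maps each watched proxy to the implementations governance
    signed off on. Returns one alert per upgrade outside that set."""
    alerts = []
    for log in logs:
        proxy, topics = log["address"].lower(), log["topics"]
        if proxy not in approved:
            continue  # not a contract we watch
        if len(topics) < 2 or topics[0].lower() != UPGRADED_TOPIC:
            continue  # some other event on a watched contract
        impl = topic_to_address(topics[1])
        if impl not in approved[proxy]:
            alerts.append({"proxy": proxy, "implementation": impl,
                           "block": int(log["blockNumber"], 16),
                           "tx": log["transactionHash"]})
    return alerts

# Constructed placeholder addresses and logs (not real on-chain data).
VAULT, OTHER = "0x" + "a1" * 20, "0x" + "b2" * 20
IMPL_V2, ROGUE = "0x" + "c3" * 20, "0x" + "d4" * 20
APPROVED = {VAULT: {IMPL_V2}}
SAMPLE_LOGS = [
    {"address": VAULT, "topics": [UPGRADED_TOPIC, pad(IMPL_V2)],
     "blockNumber": "0x64", "transactionHash": "0x" + "01" * 32},
    {"address": VAULT, "topics": [TRANSFER_TOPIC, pad(VAULT), pad(OTHER)],
     "blockNumber": "0x65", "transactionHash": "0x" + "02" * 32},
    {"address": OTHER, "topics": [UPGRADED_TOPIC, pad(ROGUE)],
     "blockNumber": "0x66", "transactionHash": "0x" + "03" * 32},
    {"address": VAULT, "topics": [UPGRADED_TOPIC, pad(ROGUE)],
     "blockNumber": "0x67", "transactionHash": "0x" + "04" * 32},
]

if __name__ == "__main__":
    for alert in find_unapproved_upgrades(SAMPLE_LOGS, APPROVED):
        print("ALERT unapproved upgrade:", alert)
```

In practice the log entries would come from a node's `eth_getLogs` results, and an alert would page a responder or trigger a pause rather than print.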
Laundering via bridge and mixer
After extracting the assets, the attackers bridged the funds to Ethereum. From there, assets were split into multiple transactions, a strategy often used to make tracking more difficult.
According to blockchain data, 1,337.1 ETH was later deposited into Tornado Cash. Deposits ranged in size from small transfers up to 100 ETH.
This pattern suggests a deliberate attempt to obscure transaction traces and reduce the effectiveness of on-chain monitoring tools.
Tokens Affected
In an official incident notice, Unleash Protocol confirmed that several assets were affected during the exploit.
These include WIP, USDC, WETH, stIP, and vIP.
The team reiterated that all affected withdrawals occurred through unauthorized contract upgrades and not through normal user interaction.
It is important to clarify that Story Protocol itself was not compromised.
This indicates that the breach resulted from Unleash’s internal governance design, rather than a flaw in the underlying blockchain or validator set.
Emergency action taken
After the breach was confirmed, Unleash Protocol suspended all platform operations to prevent further losses.
The team said it is working with independent security experts and forensic investigators to determine how governance safeguards were bypassed and whether additional vulnerabilities remain.
Users are advised not to interact with the Unleash Protocol contract until further updates are issued.
The project said that as the investigation continues, future communications will only be shared through official channels.
