- Unauthorized contract upgrade allowed direct withdrawals from the protocol
- Funds were bridged to Ethereum and laundered through Tornado Cash
- Affected assets include WIP, USDC, WETH, stIP and vIP
A governance failure at Unleash Protocol led to a major security breach that allowed an attacker to steal approximately $3.9 million of user funds.
The incident was first reported by the blockchain security firm PeckShieldAlert and was later confirmed by the Unleash team.
Although the exploit did not impact the broader Story Protocol ecosystem, it highlights once again how governance mechanisms can become critical single points of failure in decentralized finance applications.
Unleash Protocol is a decentralized application built on Story Protocol.
The project stated that the incident was confined to its own contracts and governance controls, and there is no indication that Story Protocol’s validators or core infrastructure were compromised.
Still, the event demonstrates how application-level vulnerabilities can lead to significant losses despite an otherwise intact base layer.
Bypassing governance controls
On-chain analysis shows the attacker targeted Unleash Protocol’s multisignature governance system.
By exploiting weaknesses in the enforcement of administrator privileges, the attacker gained unauthorized access to functions normally reserved for approved signers.
That access was used to push an unapproved contract upgrade.
The unauthorized upgrade changed how the protocol handled withdrawals. With the standard governance checks effectively bypassed, the attacker was able to move funds directly out of the protocol.
According to Unleash, these actions occurred outside the intended governance process and went unnoticed until the funds had already been removed.
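A monitoring check for the failure described above, where an upgrade lands without going through the approved signers and is not noticed in time. This is an added example, not code from Unleash or Story Protocol; it assumes an ERC-1967 style proxy that emits an Upgraded event (the incident notice does not confirm the proxy design), and the addresses, threshold and record types are constructed placeholders.

```python
from dataclasses import dataclass

# Assumption: the protocol sits behind an ERC-1967 style proxy that emits
# Upgraded(implementation) on every upgrade. All values below are constructed.
THRESHOLD = 3                        # hypothetical multisig threshold
GOVERNANCE_EXECUTOR = "0xmultisig"   # hypothetical address allowed to upgrade

@dataclass(frozen=True)
class Approval:
    implementation: str
    confirmations: frozenset  # addresses that confirmed the upgrade proposal

@dataclass(frozen=True)
class UpgradeEvent:
    block: int
    proxy: str
    implementation: str
    tx_sender: str

def check_upgrade(event, approvals, signers):
    """Return the reasons an upgrade is suspicious (empty list means OK)."""
    reasons = []
    if event.tx_sender.lower() != GOVERNANCE_EXECUTOR:
        reasons.append("upgrade not executed by governance multisig")
    match = next((a for a in approvals
                  if a.implementation.lower() == event.implementation.lower()), None)
    if match is None:
        reasons.append("implementation has no governance proposal")
    else:
        valid = match.confirmations & signers  # drop confirmations from non-signers
        if len(valid) < THRESHOLD:
            reasons.append(f"only {len(valid)}/{THRESHOLD} valid confirmations")
    return reasons

def scan(events, approvals, signers):
    """Map the block number of each flagged upgrade to its reasons."""
    return {e.block: r for e in events if (r := check_upgrade(e, approvals, signers))}

# Constructed sample data: one clean upgrade, one under-approved, one unapproved.
SIGNERS = frozenset({"0xa1", "0xa2", "0xa3", "0xa4"})
APPROVALS = [Approval("0ximpl_v2", frozenset({"0xa1", "0xa2", "0xa3"})),
             Approval("0ximpl_v3", frozenset({"0xa1", "0xbad", "0xbad2"}))]
EVENTS = [UpgradeEvent(100, "0xproxy", "0ximpl_v2", "0xmultisig"),
          UpgradeEvent(200, "0xproxy", "0ximpl_v3", "0xmultisig"),
          UpgradeEvent(300, "0xproxy", "0ximpl_unknown", "0xeoa")]

if __name__ == "__main__":
    for block, reasons in scan(EVENTS, APPROVALS, SIGNERS).items():
        print(block, reasons)
```

In a real deployment the events would come from a node or indexer, and a flagged upgrade would page an operator or trigger a pause before withdrawals are processed.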
Bridging and mixing the funds
After extracting the assets, the attacker bridged the funds to Ethereum and then split them across multiple transactions — a common tactic to hinder tracing.
Blockchain records show 1,337.1 ETH was deposited into Tornado Cash. Deposits ranged from very small transfers to batches as large as 100 ETH.
This pattern indicates a deliberate effort to obscure transaction trails and reduce the effectiveness of on-chain monitoring tools.
Affected tokens
In its official incident notice, Unleash Protocol confirmed several assets were impacted during the exploitation.
These assets include WIP, USDC, WETH, stIP and vIP.
The team emphasized that the withdrawals occurred via the unauthorized contract upgrade rather than through normal user interactions with the protocol.
The clarification that Story Protocol itself was not breached is important.
It indicates the compromise was caused by Unleash’s internal governance design rather than a vulnerability in the underlying blockchain or its validator set.
Emergency measures taken
After confirming the breach, Unleash Protocol temporarily shut down platform operations to prevent further losses.
The team said it is working with independent security experts and forensic investigators to determine how governance enforcement was bypassed and whether any additional vulnerabilities remain.
Users were advised to avoid interacting with Unleash Protocol contracts until further notice.
The project stated that future updates will be communicated only through official channels while the investigation continues.