- An unauthorized contract upgrade allowed direct withdrawal from the protocol.
- Funds were moved to Ethereum and laundered through Tornado Cash.
- Assets affected included WIP, USDC, WETH, stIP, and vIP.
A governance failure at Unleash Protocol resulted in a serious security breach, enabling attackers to drain approximately $3.9 million in user funds.
The incident was first identified by blockchain security firm PeckShieldAlert and was later confirmed by the Unleash team.
Although this exploit did not affect the broader Story ecosystem, it highlighted once again how governance mechanisms can become a critical single point of failure in decentralized finance.
Unleash Protocol is a decentralized application built on the Story Protocol.
The project reported that the incident was limited to its own contracts and administrative controls, with no evidence that Story Protocol validators or core infrastructure were compromised.
Still, the event demonstrates how application-level vulnerabilities can lead to significant financial losses.
Governance controls bypassed
On-chain analysis shows the attacker targeted Unleash Protocol’s multisignature governance system.
By exploiting weaknesses in how administrative privileges were enforced, the attacker obtained unauthorized access normally reserved for approved signers.
That access was then used to push a contract upgrade that had not been authorized by the core team.
The unauthorized upgrade altered the protocol’s withdrawal logic. By effectively bypassing standard governance checks, the attacker was able to withdraw funds directly from the protocol.
According to Unleash, these actions occurred outside the established governance process and were not detected until after the funds had already been withdrawn.
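A monitoring check for the detection gap described above, as an added example that is not from Unleash or the original report: it scans contract event logs for upgrades and alerts when the new implementation is not on a governance-approved list. It assumes the watched contracts emit the ERC-1967 `Upgraded(address)` event, which the report does not state; all addresses, hashes and logs are constructed.

```python
# Added example: alert on proxy upgrades to implementations governance never approved.
# Assumption: watched contracts emit ERC-1967 Upgraded(address indexed implementation).
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; return the low 20 bytes."""
    raw = topic.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    if len(raw) != 64 or raw[:24] != "0" * 24:
        raise ValueError("not a padded address topic: " + topic)
    return "0x" + raw[24:]

def find_unapproved_upgrades(logs, approved):
    """approved maps proxy address -> set of implementations signed off by governance."""
    approved = {p.lower(): {i.lower() for i in impls} for p, impls in approved.items()}
    alerts = []
    for log in logs:
        proxy = log["address"].lower()
        topics = [t.lower() for t in log["topics"]]
        # Only upgrade events on contracts we are responsible for are relevant.
        if proxy not in approved or not topics or topics[0] != UPGRADED_TOPIC:
            continue
        if len(topics) < 2:
            impl = None  # malformed event: treat as unapproved rather than skip it
        else:
            impl = topic_to_address(topics[1])
        if impl not in approved[proxy]:
            alerts.append({"proxy": proxy, "implementation": impl,
                           "block": log["blockNumber"], "tx": log["transactionHash"]})
    return alerts

def pad(addr):
    """Encode a 20-byte address as a 32-byte topic (used to build the sample logs)."""
    return "0x" + "0" * 24 + addr[2:]

# Constructed sample data (not real addresses, hashes or logs).
PROXY, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
IMPL_V2, IMPL_X = "0x" + "c2" * 20, "0x" + "Ee" * 20
SAMPLE_LOGS = [
    {"address": PROXY, "topics": [UPGRADED_TOPIC, pad(IMPL_V2)], "blockNumber": 100, "transactionHash": "0x01"},
    {"address": PROXY, "topics": [TRANSFER_TOPIC, pad(OTHER), pad(PROXY)], "blockNumber": 180, "transactionHash": "0x02"},
    {"address": OTHER, "topics": [UPGRADED_TOPIC, pad(IMPL_X)], "blockNumber": 200, "transactionHash": "0x03"},
    {"address": PROXY.upper().replace("0X", "0x"), "topics": [UPGRADED_TOPIC, pad(IMPL_X)], "blockNumber": 250, "transactionHash": "0x04"},
]
ALERTS = find_unapproved_upgrades(SAMPLE_LOGS, {PROXY: {IMPL_V2}})

if __name__ == "__main__":
    for a in ALERTS:
        print("UNAPPROVED UPGRADE", a)
```

Run against a live log feed, an alert like this is the signal to pause the protocol before withdrawals against the new logic can complete.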
Laundering via bridges and mixers
After taking the assets, the attacker moved funds to Ethereum. The assets were then split across multiple transactions, a common tactic to complicate tracking.
On-chain data shows 1,337.1 ETH was later deposited into Tornado Cash. Transfers varied in size—from small amounts to batches up to 100 ETH.
This pattern indicates a deliberate effort to obscure transaction trails and reduce the effectiveness of chain-monitoring tools.
Affected tokens
In its official incident disclosure, Unleash Protocol confirmed several assets were impacted during the exploit.
Those assets included WIP, USDC, WETH, stIP, and vIP.
The team emphasized that all affected withdrawals happened due to the unauthorized contract upgrade rather than standard user interactions.
It is important to note that the underlying Story Protocol was not compromised: the breach appears to have resulted from Unleash’s internal governance design, not from flaws in the base blockchain or its validators.
Emergency actions taken
After confirming the drain, Unleash suspended all platform operations to prevent further loss.
The team said it is working with independent security experts and law enforcement investigators to determine how governance protections were bypassed and whether additional vulnerabilities remain.
Users are advised to avoid interacting with Unleash Protocol contracts until further updates are provided.
The project stated that all future communications will be issued only through official channels while the investigation continues.