- Unauthorized contract upgrades allowed funds to be withdrawn directly from the protocol.
- Stolen funds were bridged to Ethereum and laundered through Tornado Cash.
- Affected assets include WIP, USDC, WETH, stIP and vIP.
A governance failure at Unleash Protocol led to a major security breach, with the attacker extracting roughly $3.9 million in user funds.
The incident was first flagged by the blockchain security firm PeckShieldAlert and later confirmed by the Unleash team.
Although the exploit did not affect the broader Story Protocol ecosystem, it has renewed focus on how governance mechanisms can become single points of failure within decentralized finance.
Unleash Protocol is a decentralized application built on top of the Story Protocol.
The project stated the incident was confined to its own contracts and admin controls, with no signs of compromise across Story Protocol’s validators or core infrastructure.
Still, the event demonstrates how application-layer governance weaknesses can result in substantial losses.
Governance controls bypassed
On-chain analysis shows the attacker targeted Unleash Protocol’s multi-signature governance system.
By exploiting a flaw in how administrator permissions were enforced, the attacker gained privileges normally reserved for approved signers.
That access was then used to perform an unauthorized contract upgrade.
The unauthorized upgrade changed how the protocol handled withdrawals. With the standard governance review effectively bypassed, the attacker was able to move funds directly out of the protocol.
According to Unleash, the actions occurred outside the established governance framework and were not detected until after the funds had been withdrawn.
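A monitoring check for the failure described above, as an added example that is not code from Unleash Protocol or from the incident reports: it flags upgrades that did not come from the governance executor or that lack an approved proposal, then flags every withdrawal that follows one. The event feed, addresses, signer names and threshold are constructed assumptions; the article does not describe the contracts' actual event format.

```python
# Added example: every address, signer name, field and event is constructed.
GOVERNANCE_EXECUTOR = "0xGOV"   # hypothetical multisig/timelock allowed to upgrade
REQUIRED_APPROVALS = 3          # hypothetical signer threshold

# Upgrades that went through governance: implementation -> approving signers
APPROVED_UPGRADES = {
    "0xIMPL_V2": {"signerA", "signerB", "signerC"},
}

# Constructed, chronologically ordered event feed for one protocol contract
EVENTS = [
    {"block": 100, "type": "upgrade", "caller": "0xGOV", "impl": "0xIMPL_V2"},
    {"block": 140, "type": "withdraw", "caller": "0xUSER1", "token": "USDC", "amount": 500},
    {"block": 200, "type": "upgrade", "caller": "0xEOA_X", "impl": "0xIMPL_UNKNOWN"},
    {"block": 201, "type": "withdraw", "caller": "0xEOA_X", "token": "WETH", "amount": 900_000},
    {"block": 202, "type": "withdraw", "caller": "0xEOA_X", "token": "USDC", "amount": 1_200_000},
]

def upgrade_violations(event):
    """Return the reasons an upgrade event falls outside the governance process."""
    reasons = []
    if event["caller"] != GOVERNANCE_EXECUTOR:
        reasons.append("caller is not the governance executor")
    approvals = APPROVED_UPGRADES.get(event["impl"])
    if approvals is None:
        reasons.append("implementation has no approved proposal")
    elif len(approvals) < REQUIRED_APPROVALS:
        reasons.append("approved proposal is below the signer threshold")
    return reasons

def scan(events):
    """Alert on ungoverned upgrades and on each withdrawal that follows one."""
    alerts, tainted = [], False
    for ev in events:
        if ev["type"] == "upgrade":
            reasons = upgrade_violations(ev)
            tainted = bool(reasons)  # only a governed upgrade clears the flag
            if reasons:
                alerts.append((ev["block"], "UNAUTHORIZED_UPGRADE", reasons))
        elif ev["type"] == "withdraw" and tainted:
            detail = f'{ev["amount"]} {ev["token"]} to {ev["caller"]}'
            alerts.append((ev["block"], "WITHDRAW_AFTER_UNGOVERNED_UPGRADE", [detail]))
    return alerts

if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert)
```

Run against a live event stream, the first alert fires at the upgrade itself, before any withdrawal has to be observed.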
Funds laundered via bridges and a mixer
After extracting the assets, the attacker bridged the funds to Ethereum. From there, the assets were split into many transactions, a common technique used to hinder tracking.
Blockchain records show that 1,337.1 ETH was subsequently deposited into Tornado Cash. Deposits were made in varying sizes, from small transfers to chunks of up to 100 ETH.
This pattern suggests a deliberate attempt to obfuscate the transaction trail and reduce the effectiveness of on-chain monitoring tools.
Affected tokens
In its official incident notice, Unleash Protocol confirmed several assets were impacted during the exploit.
These include WIP, USDC, WETH, stIP and vIP.
The team reiterated that all affected withdrawals occurred through an unauthorized contract upgrade rather than through normal user interactions.
The clarification that Story Protocol itself was not compromised is important.
It indicates the breach stemmed from internal governance design within Unleash, not from a vulnerability in the underlying blockchain or its validator set.
Emergency measures taken
Following confirmation of the breach, Unleash Protocol paused all platform operations to prevent further loss.
The team said it is working with independent security experts and forensic investigators to determine how governance protections were bypassed and whether any additional vulnerabilities remain.
Users have been advised to avoid interacting with Unleash Protocol contracts until further notice.
The project stated that any future communications will be shared only through official channels while the investigation continues.