- An unauthorised contract upgrade enabled direct withdrawals from the protocol.
- Funds were bridged to Ethereum and laundered through Tornado Cash.
- Assets affected included WIP, USDC, WETH, stIP, and vIP.
A governance failure at Unleash Protocol has resulted in a major security breach, with attackers draining around $3.9 million in user funds.
The incident was first identified by blockchain security firm PeckShield and later confirmed by the Unleash team.
While the exploit did not affect the wider Story ecosystem, it has renewed attention on how governance mechanisms can become a critical point of failure in decentralised finance.
Unleash Protocol is a decentralised platform built on Story Protocol.
The project said the incident was limited to its own contracts and administrative controls, with no signs of compromise across Story Protocol’s validators or core infrastructure.
Even so, the event shows how vulnerabilities at the application level can still lead to significant losses.
Governance controls bypassed
On-chain analysis indicates the attacker targeted Unleash Protocol’s multi-signature governance system.
By exploiting weaknesses in how admin permissions were enforced, the attacker gained unauthorised access normally reserved for approved signers.
This access was then used to push through a contract upgrade that had not been sanctioned by the core team.
The unauthorised upgrade altered how the protocol handled withdrawals. With standard governance checks effectively bypassed, the attacker was able to move funds directly out of the protocol.
According to Unleash, these actions occurred outside its established governance framework and were not detected until after the funds had already been removed.
Laundering through bridges and mixers
After extracting the assets, the attacker bridged the funds to Ethereum. From there, the assets were broken into multiple transactions, a strategy often used to make tracking more difficult.
Blockchain data shows that 1,337.1 ETH was later deposited into Tornado Cash. The deposits were made in varying sizes, ranging from small transfers to batches of up to 100 ETH.
This pattern suggests a deliberate attempt to obscure transaction trails and reduce the effectiveness of on-chain monitoring tools.
Tokens impacted
In an official incident notice, Unleash Protocol confirmed that several assets were affected during the exploit.
These included WIP, USDC, WETH, stIP, and vIP.
The team reiterated that all affected withdrawals took place through the unauthorised contract upgrade rather than through normal user interactions.
The clarification that Story Protocol itself was not compromised is significant.
It indicates that the breach stemmed from Unleash’s internal governance design, not from flaws in the underlying blockchain or its validator set.
Emergency measures taken
Following confirmation of the breach, Unleash Protocol paused all platform operations to prevent further losses.
The team said it is working with independent security experts and forensic investigators to determine how the governance safeguards were bypassed and whether additional vulnerabilities remain.
Users have been advised to avoid interacting with Unleash Protocol contracts until further updates are issued.
The project has stated that future communications will be shared only through official channels as the investigation continues.
