Unleash Protocol has confirmed a $3.9 million exploit after an attacker gained unauthorized control over its governance system, allowing the malicious upgrade of contracts and the extraction of user funds.
The incident occurred on December 30, 2025, and involved the laundering of stolen assets through Tornado Cash.
How the Exploit Unfolded
According to the team’s disclosure, the attacker targeted weaknesses in Unleash’s multi-signature (multisig) governance setup. By compromising administrative controls, the attacker was able to push an unapproved contract upgrade, effectively granting themselves the ability to withdraw funds from protocol-controlled contracts.
#PeckShieldAlert @UnleashProtocol on @StoryProtocol reported an unauthorized drain, resulting in a ~$3.9M loss.
The exploiter then bridged the stolen funds to #Ethereum and deposited them (1,337.1 $ETH) into Tornado Cash. https://t.co/KHVBm0DWBr
— PeckShieldAlert (@PeckShieldAlert) December 30, 2025
This governance-level breach proved critical, as it bypassed standard safeguards and allowed the exploit to proceed without triggering immediate on-chain resistance.
Assets Drained and Fund Movements
The exploit resulted in the loss of approximately $3.9 million in assets. The stolen funds included a mix of ETH and protocol-related tokens such as WIP, USDC, WETH, stIP, and vIP.
After the initial drain, the attacker bridged the assets to the Ethereum network and deposited 1,337.1 ETH into Tornado Cash. The ETH was sent in multiple tranches, a tactic commonly used to obscure transaction trails and complicate forensic analysis.
Protocol Response and Containment
The Unleash Protocol team acknowledged the breach shortly after detection and immediately paused all platform operations. They stated that they are currently working alongside independent security firms and forensic investigators to determine the full scope of the attack and assess potential remediation paths.
Importantly, the team emphasized that the exploit was limited to Unleash-specific contracts and administrative controls. The underlying infrastructure of Story Protocol was not affected.
What Users Should Know
Unleash Protocol has urged users not to interact with any Unleash contracts until further notice, as investigations remain ongoing. No timeline has yet been provided for a potential relaunch or user recovery plan.
The incident adds to a growing list of governance-related exploits, highlighting how administrative access and multisig security remain critical attack surfaces in DeFi and tokenized IP platforms.






