Unleash Protocol, a lending and IP management platform built on Story Protocol, suffered a critical security breach today resulting in the loss of approximately $3.9 million. The attackers compromised the protocol’s governance structure to authorize malicious contract upgrades, then drained user assets and routed the proceeds through the privacy mixer Tornado Cash.
The Vector: Malicious Upgrade
The exploit was not a code bug, but a governance hijack. According to an official statement from the Unleash team, an external wallet gained administrative control over the protocol’s multisig. This access allowed the intruder to execute an unauthorized contract upgrade, effectively unlocking user vaults.
On-chain data confirms the theft included a basket of assets: WIP, USDC, WETH, stIP, and vIP. Security firm PeckShield tracked the flow of funds, noting the attacker immediately bridged the stolen assets to the Ethereum mainnet. Approximately 1,337.1 ETH (valued at ~$3.9M) was then deposited into Tornado Cash in a bid to obscure the trail.
Segregation of Fault
While Unleash operates on Story Protocol, the damage appears contained. The exploit leveraged Unleash-specific permission controls rather than a vulnerability in the underlying Story Layer 1 blockchain. The Unleash team emphasized this distinction:
“The incident is limited solely to Unleash contracts and did not affect the underlying Story Protocol infrastructure, validators, or other related elements.”
Market Impact & Response
Unleash has paused all contract interactions to prevent further withdrawals. Security firm CertiK identified the suspect address as 0xc946…15BfE3, which remains active. Unlike many DeFi exploits where a governance token plummets immediately, Unleash does not currently have a liquid token trading on open markets, limiting the contagion to depositors within the protocol itself.