Key Highlights
- Unleash Protocol suffered a $3.9 million loss after an attacker compromised its multisig governance setup.
- The attacker used unauthorized administrative access to upgrade contracts and drain user assets.
- Stolen funds were bridged to Ethereum and laundered through the Tornado Cash mixing service.
On Tuesday, an attacker reportedly drained $3.9 million from Unleash Protocol, a decentralized finance (DeFi) project built on Story Protocol. The attacker seemingly gained unauthorized control over the project’s multisig governance and used it to push a harmful contract upgrade that allowed the withdrawal of several user assets.
After seizing the funds, the attacker transferred the money across third-party bridges to the Ethereum network, eventually laundering 1,337.1 ETH through the Tornado Cash mixing service to cover their tracks. Security monitors first identified the breach, and the Unleash team confirmed it after noticing unusual activity involving their smart contracts.
Attack method and asset impact
According to the project’s incident report, the intruder targeted Unleash Protocol’s internal permission system instead of exploiting a flaw in the code itself. The affected assets at this point include WIP, USDC, WETH, stIP, and vIP. There were rapid deposits into Tornado Cash; amounts ranged from 0.1 ETH test transactions to multiple 100 ETH transfers. This shows a pre-planned exit strategy.
This incident shows ongoing weaknesses in decentralized governance structures. Unleash Protocol stated that the unauthorized upgrade “occurred outside our intended governance and operational procedures.” While the loss is huge for the Unleash ecosystem, Story Protocol itself seems to be unaffected.
The team stated that “there is no evidence of compromise to Story Protocol contracts, validators, or underlying infrastructure.” This shows that the security failure was limited to the dApp, not the network it operates on.
Systemic risks and protocol response
The exploit has raised concerns about the security of multisig setups and the dangers of centralized administrative control in DeFi. In response to the incident, Unleash Protocol has paused all operations and is working with investigators to review its management practices.
The team is committed to assessing recovery and remediation measures, but they have warned users to “refrain from interacting with Unleash Protocol contracts until further notice.” This event serves as a reminder of how quickly administrative features can be misused if governance keys are compromised.
User security and permission revocation
Following the breach, users are advised to safeguard their wallets by revoking smart contract permissions previously granted to Unleash Protocol. Since active approvals allow applications to move assets, a compromised administrative control could potentially lead to further unauthorized withdrawals.
By using revocation tools or blockchain explorers to cancel these allowances, users can break the link between their funds and the affected contracts. This helps prevent additional losses even if the protocol remains compromised.
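As an added illustration of the revocation step described above (not code from Unleash Protocol or from the original article), the Python sketch below replays ERC-20 `Approval` logs for one wallet and builds `approve(spender, 0)` calldata for every allowance still open toward a flagged spender. All addresses and log entries are constructed placeholders, and the function names are hypothetical.

```python
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # Approval(address,address,uint256)
APPROVE_SELECTOR = "095ea7b3"  # approve(address,uint256)

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, owner):
    """Replay Approval logs in chain order; the last value per (token, spender) wins.
    transferFrom can lower an allowance without a log, so this is an upper bound."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares topic0 but carries 4 topics
        if topic_to_address(topics[1]) != owner.lower():
            continue
        state[(log["address"].lower(), topic_to_address(topics[2]))] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v > 0}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector + padded address + zero amount."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

def revocations(logs, owner, flagged_spenders):
    """One unsigned call per token that still trusts a flagged spender."""
    flagged = {s.lower() for s in flagged_spenders}
    return [{"to": token, "data": revoke_calldata(spender)}
            for (token, spender) in sorted(outstanding_allowances(logs, owner))
            if spender in flagged]

def _log(token, owner, spender, value, block, idx):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": f"0x{value:064x}", "blockNumber": block, "logIndex": idx}

# Constructed placeholders, not real wallets or Unleash Protocol contracts.
OWNER, FLAGGED, OTHER = "0x" + "11" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
TOKEN_A, TOKEN_D = "0x" + "aa" * 20, "0x" + "dd" * 20
SAMPLE_LOGS = [
    _log(TOKEN_A, OWNER, FLAGGED, 2**256 - 1, 100, 0),  # unlimited approval
    _log(TOKEN_A, OWNER, OTHER, 1000, 101, 2),
    _log(TOKEN_A, OWNER, OTHER, 0, 105, 1),             # already revoked
    _log(TOKEN_D, OWNER, FLAGGED, 500, 102, 0),
]

if __name__ == "__main__":
    for call in revocations(SAMPLE_LOGS, OWNER, [FLAGGED]):
        print(call["to"], call["data"])
```

Because the replayed value is only an upper bound, confirm each entry with the token's `allowance(owner, spender)` view before signing; revoking an allowance that is already zero is harmless apart from gas.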
