How a governance failure led to the Unleash Protocol hack

Johny Smith

2026/01/16



  • An unauthorized contract upgrade allowed direct exits from the protocol.
  • The funds were bridged to Ethereum and laundered via Tornado Cash.
  • Assets affected were WIP, USDC, WETH, stIP and vIP.

A governance failure in the Unleash Protocol has led to a major security breach in which attackers siphoned off around $3.9 million in user funds.

The incident was first identified by the blockchain security company PeckShieldAlert and later confirmed by the Unleash team.

Although the exploit did not impact the entire Story ecosystem, it has renewed attention on how governance mechanisms can become a critical failure point in decentralized finance.

Unleash Protocol is a decentralized platform built on the Story Protocol.

The project said the incident was limited to its own contracts and administrative controls, with no signs of compromise of the Story Protocol’s validators or core infrastructure.

Nevertheless, the event shows how application-level vulnerabilities can still result in significant losses.

Governance controls bypassed

On-chain analysis shows that the attacker targeted Unleash Protocol’s multi-signature governance system.

By exploiting vulnerabilities in admin privilege enforcement, the attacker gained unauthorized access normally reserved for approved signers.

This access was then used to push through a contract upgrade that had not been approved by the core team.

The unauthorized upgrade changed how the protocol handled withdrawals. Because standard governance checks were effectively bypassed, the attacker was able to move the funds directly out of the protocol.

According to Unleash, these actions took place outside the established governance framework and were only discovered after the funds had already been withdrawn.
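Because the upgrade was only noticed after the funds had left, the useful control is a monitor that reconciles every on-chain upgrade against the multisig's approval records. The following is an added example, not code from Unleash or from the original article; it assumes upgrades surface as a decoded log carrying the new implementation address (as with the ERC-1967 `Upgraded(address)` event), and all addresses, the signer set and the 3-of-5 threshold are constructed sample data.

```python
from dataclasses import dataclass

# All addresses, the threshold and the records below are constructed sample data.
SIGNERS = frozenset({"0xa1", "0xa2", "0xa3", "0xa4", "0xa5"})
THRESHOLD = 3  # assumed 3-of-5 multisig

@dataclass(frozen=True)
class Proposal:        # hypothetical record of a multisig upgrade proposal
    proxy: str
    implementation: str
    confirmations: frozenset

@dataclass(frozen=True)
class UpgradeEvent:    # decoded upgrade log, e.g. ERC-1967 Upgraded(address)
    block: int
    proxy: str
    implementation: str

def classify(event, proposals, signers=SIGNERS, threshold=THRESHOLD):
    """Return None if the upgrade matches a fully approved proposal, else a reason."""
    matches = [p for p in proposals
               if p.proxy.lower() == event.proxy.lower()
               and p.implementation.lower() == event.implementation.lower()]
    if not matches:
        return "no matching governance proposal"
    # Count only confirmations that come from the known signer set.
    best = max(len(p.confirmations & signers) for p in matches)
    if best < threshold:
        return f"only {best}/{threshold} confirmations from known signers"
    return None

def audit_upgrades(events, proposals):
    """Return (block, proxy, reason) for every upgrade that lacks valid approval."""
    alerts = []
    for e in sorted(events, key=lambda ev: ev.block):
        reason = classify(e, proposals)
        if reason:
            alerts.append((e.block, e.proxy, reason))
    return alerts

PROPOSALS = [
    Proposal("0xVault", "0xImplV2", frozenset({"0xa1", "0xa2", "0xa4"})),
    Proposal("0xVault", "0xImplV3", frozenset({"0xa1", "0xa2", "0xdead"})),
]
EVENTS = [
    UpgradeEvent(100, "0xVault", "0xImplV2"),  # approved by three signers
    UpgradeEvent(140, "0xVault", "0xImplV3"),  # one confirmation is not a signer
    UpgradeEvent(155, "0xVault", "0xImplX"),   # never proposed at all
]

if __name__ == "__main__":
    for alert in audit_upgrades(EVENTS, PROPOSALS):
        print(alert)
```

Wired to an alert that can trigger the protocol's pause, a check like this flags an unapproved implementation in the block where the upgrade lands rather than after withdrawals have completed.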

Laundering through bridges and mixers

After extracting the assets, the attacker bridged the funds to Ethereum. From there, the assets were split into multiple transactions, a strategy often used to make tracking more difficult.

Blockchain data shows that 1,337.1 ETH was later deposited into Tornado Cash. The deposits were made in varying sizes, from small transfers to batches of up to 100 ETH.

This pattern suggests a deliberate attempt to obscure transaction traces and reduce the effectiveness of on-chain monitoring tools.

Affected tokens

In an official incident report, Unleash Protocol confirmed that several assets were affected during the exploit.

These included WIP, USDC, WETH, stIP and vIP.

The team reiterated that all affected withdrawals occurred through the unauthorized contract upgrade and not through normal user interactions.

The clarification that the Story Protocol itself has not been compromised is significant.

It suggests that the breach came from Unleash’s internal governance design and not from flaws in the underlying blockchain or its validator set.

Emergency measures taken

After confirming the breach, Unleash Protocol paused all platform operations to prevent further losses.

The team said it is working with independent security experts and forensic investigators to determine how governance protections were bypassed and whether additional vulnerabilities exist.

Users have been advised not to use Unleash Protocol contracts until further updates are released.

The project has stated that future communications will only be shared through official channels while the investigation continues.