An unauthorised contract upgrade enabled direct withdrawals from the protocol.
\nFunds were bridged to Ethereum and laundered through Tornado Cash.
\nAssets affected included WIP, USDC, WETH, stIP, and vIP.<\/p>\n
A governance failure at Unleash Protocol has resulted in a major security breach, with attackers draining around $3.9 million in user funds.<\/p>\n
The incident was first identified by blockchain security firm PeckShieldAlert<\/span><\/span><\/a> and later confirmed by the Unleash team<\/a>.<\/p>\n While the exploit did not affect the wider Story ecosystem, it has renewed attention on how governance mechanisms can become a critical point of failure in decentralised finance.<\/p>\n Unleash Protocol is a decentralised platform built on Story Protocol<\/span><\/span>.<\/p>\n The project said the incident was limited to its own contracts and administrative controls, with no signs of compromise across Story Protocol\u2019s validators or core infrastructure.<\/p>\n Even so, the event shows how vulnerabilities at the application level can still lead to significant losses.<\/p>\n On-chain analysis indicates the attacker targeted Unleash Protocol\u2019s multi-signature governance system.<\/p>\n By exploiting weaknesses in how admin permissions were enforced, the attacker gained unauthorised access normally reserved for approved signers.<\/p>\n This access was then used to push through a contract upgrade that had not been sanctioned by the core team.<\/p>\n The unauthorised upgrade altered how the protocol handled withdrawals. With standard governance checks effectively bypassed, the attacker was able to move funds directly out of the protocol.<\/p>\n According to Unleash, these actions occurred outside its established governance framework and were not detected until after the funds had already been removed.<\/p>\n After extracting the assets, the attacker bridged the funds to Ethereum<\/span><\/span>. From there, the assets were broken into multiple transactions, a strategy often used to make tracking more difficult.<\/p>\n Blockchain data shows that 1,337.1 ETH was later deposited into Tornado Cash<\/span><\/span>. The deposits were made in varying sizes, ranging from small transfers to batches of up to 100 ETH.<\/p>\n This pattern suggests a deliberate attempt to obscure transaction trails and reduce the effectiveness of on-chain monitoring tools.<\/p>\n In an official incident notice, Unleash Protocol confirmed that several assets were affected during the exploit.<\/p>\n These included WIP, USDC, WETH, stIP, and vIP.<\/p>\n The team reiterated that all affected withdrawals took place through the unauthorised contract upgrade rather than through normal user interactions.<\/p>\n The clarification that Story Protocol itself was not compromised is significant.<\/p>\n It indicates that the breach stemmed from Unleash\u2019s internal governance design, not from flaws in the underlying blockchain or its validator set.<\/p>\n Following confirmation of the breach, Unleash Protocol paused all platform operations to prevent further losses.<\/p>\n The team said it is working with independent security experts and forensic investigators to determine how the governance safeguards were bypassed and whether additional vulnerabilities remain.<\/p>\n Users have been advised to avoid interacting with Unleash Protocol contracts until further updates are issued.<\/p>\n The project has stated that future communications will be shared only through official channels as the investigation continues.<\/p>\n The post How a governance failure led to the Unleash Protocol hack<\/a> appeared first on CoinJournal<\/a>.<\/p>","protected":false},"excerpt":{"rendered":" An unauthorised contract upgrade enabled direct withdrawals from the protocol. Funds were bridged to Ethereum and laundered through Tornado Cash. Assets affected included WIP, USDC, WETH, stIP, and vIP. A governance failure at Unleash Protocol has resulted in a major security breach, with attackers draining around $3.9 million in user funds. The incident was first […]<\/p>\n","protected":false},"author":0,"featured_media":5923,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[101],"tags":[],"class_list":{"0":"post-5924","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-blockchain"},"acf":[],"_links":{"self":[{"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/posts\/5924","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/comments?post=5924"}],"version-history":[{"count":0,"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/posts\/5924\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/media\/5923"}],"wp:attachment":[{"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/media?parent=5924"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/categories?post=5924"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/tags?post=5924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Governance controls bypassed<\/h2>\n
Laundering through bridges and mixers<\/h2>\n
Tokens impacted<\/h2>\n
Emergency measures taken<\/h2>\n