Unleash Protocol Loses 3.9 Million USD: Multisig Attack and the Journey of the Escaped Funds

Recently, blockchain security company PeckShield has discovered a serious security incident at Unleash Protocol—a decentralized application platform built on the Story Protocol infrastructure. According to reports, approximately $3.9 million of user funds were stolen by an attacker, and then the funds were siphoned to Ethereum before continuing to “exit” through anonymous tools.

How the Attack Was Carried Out

PeckShield revealed that the attacker targeted Unleash Protocol’s multisig governance system directly. By gaining control of the governance keys, the intruder was able to deploy a smart contract upgrade without approval from the core team. This represents a critical design flaw in the protocol’s protective mechanisms.

After upgrading the contract, the attacker proceeded to withdraw assets directly from Unleash Protocol. The total value of assets taken reached $3.9 million.

Covering Tracks and Exiting Funds

A notable detail in this attack is how the attacker handled the stolen funds. Blockchain data shows that the funds were transferred to the Ethereum network, and subsequently a large amount—specifically 1,337.1 ETH—was sent to Tornado Cash, a mixing service known for its ability to anonymize blockchain transactions.

The attacker’s “exit” strategy was executed in small batches, from sending a few ETH to multiple transactions of 100 ETH. This step-by-step approach was designed to reduce detection and on-chain tracking.

Affected Assets

In an official statement regarding the incident, Unleash Protocol publicly listed the tokens and assets withdrawn from the protocol:

• WIP
• USDC
• WETH
• stIP
• vIP

All these withdrawals occurred outside the pre-approved governance rules, without any internal permission from the team.

Story Protocol Remains Secure

An important point emphasized by Unleash Protocol is that the attack only affected Unleash’s own contracts and governance system. There is no evidence that the core infrastructure of Story Protocol, validation nodes, or any other components were compromised. This limits the scope of damage and indicates that the issue lies at the application layer rather than at the infrastructure level.

Response and Remediation Measures

As soon as irregularities were detected, Unleash Protocol decided to suspend all protocol operations to prevent further damage. The team is currently working with independent security experts to conduct a thorough forensic investigation.

Users are advised to avoid interacting with any Unleash Protocol contracts until an official announcement is made.

Frequently Asked Questions

Why was Unleash Protocol’s multisig compromised?
The report did not disclose specific causes but indicated that the attacker gained control of the governance keys, possibly through misconfiguration, security oversight, or unknown attack vectors.

Can users recover their funds?
It’s currently unclear. The funds have been sent to Tornado Cash, complicating tracking and recovery efforts. Recovery will depend on the outcome of the forensic investigation.

Are other platforms affected?
No. The attack is limited to Unleash Protocol. Story Protocol and other contracts on this platform remain operational.

What should Unleash users do?
Cease all interactions with any Unleash contracts until further official updates. If you have funds locked in the protocol, wait for announcements from the team regarding compensation or recovery options.