Thursday, January 15, 2026

Unleash Protocol Exploit Drains $3.9 Million With Funds Routed Through Tornado Cash

Unleash Protocol was hit by an exploit that drained approximately $3.9 million in user assets, with the attacker ultimately routing funds through Tornado Cash to blur the transaction trail. The incident quickly shifted the protocol into crisis mode as on-chain outflows surfaced and the team moved to contain exposure.

At the center of the breach was governance, not a typical isolated bug. A compromise of Unleash’s multisignature governance enabled an unauthorized contract upgrade and the removal of key administrative controls, creating the opening to extract funds. (A multisig requires multiple private keys to approve sensitive actions; Tornado Cash is a mixing service designed to obscure transaction history.)

What happened on-chain

The attacker reportedly secured admin-level influence through a manipulated multisig path. An externally owned address gained administrative control, pushed an unauthorized upgrade, and withdrew a mix of tokens including WIP, USDC, WETH, stIP, and vIP. After moving assets across chains, the attacker bridged to Ethereum and deposited 1,337.1 ETH into Tornado Cash to obfuscate the trail.

Detection was fast once funds started moving. Blockchain security monitors flagged the suspicious outflows quickly, with PeckShieldAlert and CertiK among the first to surface the activity publicly. Those early signals helped establish the incident as a governance-control failure with assets leaving in real time.

What Unleash has said so far

Unleash responded by prioritizing containment and external validation. The protocol suspended operations to limit further exposure and brought in independent security experts and forensic investigators to establish root cause and scope. Initial findings indicate the exploit was limited to Unleash-specific contracts and administrative controls, and there is no evidence so far of compromise to Story Protocol’s underlying infrastructure, validators, or broader contracts. The team has not yet provided details on recovery options or any compensation plan.

The bigger takeaway is about operational resilience. This breach underscores how multisignature governance only reduces risk if signer security and key management remain intact, because a compromised signer set can turn the safety layer into the attack path. For market participants with exposure to protocol treasuries or tokenized IP assets, the near-term priority is monitoring Unleash’s disclosures on governance remediation and recovery planning to reassess risk and expected outcomes.
