On December 30, 2025, Unleash Protocol, a decentralized finance (DeFi) platform built on Story Protocol, was the target of a significant security breach resulting in a loss of $3.9 million. The incident involved an attacker who compromised the project”s multisig governance, enabling them to execute an unauthorized contract upgrade that drained multiple user assets.
Following the exploit, the attacker successfully bridged 1,337.1 ETH to the Ethereum network and subsequently laundered the stolen funds through the Tornado Cash mixing service to obscure the trail of the illicit transactions. The protocol”s security team first detected the unauthorized activity, which prompted further investigation into the compromised smart contracts.
The investigation revealed that the attacker did not exploit a flaw in the underlying code but instead manipulated the internal permission system of Unleash Protocol. The assets affected by this breach included WIP, USDC, WETH, stIP, and vIP. Notably, the rapid deposits into Tornado Cash varied significantly, indicating a premeditated exit strategy by the attacker.
This incident highlights ongoing vulnerabilities within decentralized governance frameworks. Unleash Protocol acknowledged that the unauthorized upgrade occurred outside their established governance and operational protocols. However, it is important to note that there is no evidence suggesting that the underlying infrastructure or contracts of Story Protocol were compromised during this incident.
The implications of this exploit have raised alarms regarding the security of multisig governance structures and the risks associated with centralized administrative controls in DeFi. In response to the breach, Unleash Protocol has paused all operations and is actively collaborating with investigators to reassess its governance practices. The team has issued a warning to users, advising them to refrain from any interactions with Unleash Protocol contracts until further notice.
In light of the breach, users are urged to take precautionary measures by revoking permissions granted to Unleash Protocol for their wallets. Since active approvals allow applications to transfer assets, compromised administrative control could lead to additional unauthorized withdrawals. Employing revocation tools or blockchain explorers can help users sever the connection between their funds and the affected contracts, thereby mitigating further losses even if the protocol remains at risk.
