Key Highlights:
- Unleash Protocol suffered a $3.9M hack via multisig exploit.
- The stolen funds were moved to Ethereum and 1,337.1 ETH have been deposited to Tornado Cash.
- The platform has paused all of its operations as of now.
Unleash Protocol, a DeFi platform that is built on Story Protocol’s system, posted on social media platform X today, December 30, 2025, and confirmed that there has been a security breach, and unauthorized activity in the smart contract has managed to drain user funds.
The official notice also explains that an outside address exploited the project’s multi-signature (multisig) governance setup so that they could gain the admin control. With this move, the attacker made an unapproved contract upgrade and withdrew assets without the team’s permission.
This hack highlights that there are several similar ongoing risks in DeFi governance, where multisig wallets, meant as a safety measure, fail if the keys are stolen or tricked. Unleash stressed that the issue came only from its own permission setup, with no sign of problems in Story Protocol’s contracts, validators or systems.
Affected Assets and Fund Movements
Early checks indicate that several tokens were lost which include WIP (Unleash’s own token), USDC, WETH, stIP, and vIP. These tokens were taken from Unleash’s contracts and they were quickly moved through third-party cross-chain services to outside addresses, making it harder to recover them.
On-chain records show that the attacker used Unleash’s multisig, then upgraded a key contract, and started the transfers.
According to PeckShield, Unleash Protocol suffered an unauthorized drain of around $3.9 million. The attacker then moved the stolen funds to the Ethereum network and deposited 1,337.1 ETH into Tornado Cash. Once any amount is deposited into Tornado Cash, the platform makes it difficult to trace or recover the stolen assets.
Users holding these tokens are now unsure what will happen next to them, the platform has paused all its operations as of now so that any further damage can be prevented.
Immediate Response and Investigation
Unleash protocol responded very quickly and as stated above, it stopped all protocol functions as soon as the breach was discovered. The team is currently working with security experts and forensics investigators to figure out what went wrong.
The investigators are also checking all the multisig signer actions, key management, and governance processes as well. They are also preserving on-chain data and coordinating with partners and bridge providers.
The notice that was issued on X states “There is no evidence of compromise to Story Protocol contracts, validators, or underlying infrastructure,” which reassures users that the Story Protocol itself is safe.
Plans to fix the problem, including possible recovery options, will be shared after verification. The team promises to give updates only through official channels.
User Guidance and Ecosystem Fallout
The platform has urged the users to avoid using Unleash contracts and be on a watchout for any updates from the platform. The hack also shows that even a strong multisig can have a fallout without careful checks.
In crypto, such situations raise worries about governance attacks that are similar to past multisig hacks like Euler Finance or Multichain. With more and more institutions entering the DeFi space, such events could damage the reputation of the space and the platform along with hurting the trust of the institutional users. The platform with this incident also faces serious questions about security.
Also Read: $27M Hack Hits Whale Multisig Wallet, Highlights Security Flaws
Source: https://www.cryptonewsz.com/unleash-protocol-hack-drains-multisig-exploit/
