Unleash Protocol Hack: 3,9 miljoner dollar stulna på grund av kompromiss kring multisig-styrning

The Unleash protocol, which positions itself as a universal solution for intellectual property (IP) management and money market based on Story Protocol, suffered a hacker attack with losses amounting to approximately $3.9 million. This was reported by the project team in an official announcement on the X platform, and confirmed by independent analysts from PeckShield.

According to the investigation data, the attacker gained administrative control over Unleash's smart contracts through a multisig wallet, which allowed them to perform an unauthorized contract upgrade. This opened the way for the withdrawal of assets, including WIP, USDC, WETH, stIP, and vIP. After the attack, the funds were bridged through third-party infrastructure and transferred to external addresses. In particular, the hacker transferred 1337.1 ETH to the Tornado Cash protocol for transaction anonymization, which complicates further tracking.

The Unleash team immediately suspended all protocol operations to prevent further risks and began collaborating with independent security and forensics experts. They emphasized that the incident was limited solely to Unleash contracts and did not affect the underlying Story Protocol infrastructure, validators, or other related elements.

"We are treating this incident with the utmost seriousness and acknowledge the impact on our users and partners. Our priority is a full understanding of the situation, transparent communication, and determining recovery measures," the official statement reads.

PeckShield's indicates that the attack occurred due to a vulnerability in the governance and permissions system, particularly in the multisig mechanism, which was intended to ensure decentralized decision-making. This is not the first case where multisig becomes a weak point: similar exploits have been recorded in other DeFi projects, where key compromises led to significant losses. According to industry reports, in 2025, total losses from DeFi hacks have already exceeded $1 billion, with a focus on vulnerabilities in governance and contract upgrades.

The community reacted ambiguously: some users on X are calling the incident a "scam" and doubting the project's reliability, while others are calling for strengthened security measures in governance. At the time of writing the news, the protocol's token did not show a significant drop, as Unleash does not have its own liquid token on open markets, but this could affect trust in the Story Protocol ecosystem overall.

The team promises to provide updates after the investigation is completed and advises users to refrain from interacting with Unleash contracts until the official announcement. This case once again reminds us of the importance of audits, key rotation in multisig, and the use of tools like Revoke.cash for managing permissions to minimize risks in DeFi.