Unleash Protocol Hit: $3.9M Vanishes in Multisig Exploit, PeckShield Confirms
A major crypto protocol just got its pockets turned inside out. Security sleuths at PeckShield flagged a critical vulnerability in a multi-signature wallet setup—the digital equivalent of a vault with multiple locks. The result? A cool $3.9 million walked out the door.
The Anatomy of a Heist
This wasn't a smash-and-grab. The exploit targeted the protocol's governance mechanism, specifically the logic governing how transaction approvals are validated across multiple private keys. Attackers found a flaw in the smart contract's conditional checks, allowing them to bypass the intended security consensus and authorize a massive withdrawal. It's a stark reminder that complex code can create unintended backdoors, even in systems designed for maximum security.
The Ripple Effect
Incidents like this send shockwaves through DeFi. They don't just drain treasuries; they erode the foundational trust in automated, code-governed systems. Every major hack forces a sector-wide audit of similar contract architectures, as developers scramble to patch vulnerabilities before they become headlines. For investors, it's another lesson in the non-negotiable need for rigorous, third-party code audits—preferably before you deposit your funds.
While the team behind the protocol is now in damage-control mode, tracing funds and promising reimbursements, the crypto market barely flinched. Another day, another multimillion-dollar 'learning experience' funded by anonymous liquidity providers. The relentless pace of innovation in DeFi continues to be matched, dollar for dollar, by the ingenuity of those looking to exploit it.
Blockchain security firm PeckShieldAlert reported a major hack involving Unleash Protocol, a decentralized platform built on Story Protocol, where an attacker drained around $3.9 million in user funds.
Here’s how the hack happened. PeckShieldAlert report revealed.
How the Unleash Protocol Hack Happened?
According to PeckShieldAlert, the attacker targeted Unleash Protocol’s multi-signature governance system.
By doing so, the attacker gained unauthorized admin access and pushed through a contract upgrade that had not been approved by the Core team. This change opened the door for funds to be withdrawn directly from the protocol.
After withdrawing the funds, the attacker bridged the assets to ethereum and began breaking them into smaller chunks.
On-chain data shows 1,337.1 ETH was deposited into Tornado Cash, a privacy tool often used to hide transaction trails.
The repeated deposits, from small amounts to batches of 100 ETH, seem designed to hide the source of the stolen funds.
What Assets Were Affected in the Breach
In its official incident notice, Unleash Protocol confirmed that several assets were impacted during the exploit. These include WIP, USDC, WETH, stIP, and vIP. The team stressed that the withdrawals happened outside normal governance rules and were not approved internally.
Importantly, Unleash clarified that there is no evidence of any compromise to Story Protocol, its validators, or its CORE infrastructure. The issue appears limited strictly to Unleash-specific contracts and admin controls.
Unleash Protocol Immediate Response
Following the discovery, Unleash Protocol immediately paused all operations to prevent further damage. The team is now working with independent security experts and forensic investigators to identify the root cause.
Users have been advised to avoid interacting with Unleash Protocol contracts until further updates are shared through official channels.
