Unleash Protocol Multisig Governance Hijack
An attacker seized Unleash Protocol's multisig admin controls, pushed an unauthorized contract upgrade, and drained roughly $3.9M from the Story-based IP platform.
- Date: December 30, 2025
- Victim: Unleash Protocol
- Chain(s): Story
- Status
- Funds Stolen: ~$3.9M
On December 30, 2025, Unleash Protocol — an on-chain intellectual-property platform built on Story — was drained for approximately $3.9 million after an attacker hijacked its multisig governance controls and pushed an unauthorized contract upgrade that opened the door to asset withdrawals.
What happened
Unleash detected unauthorized activity involving its smart contracts on December 30, 2025. According to PeckShield, the attacker obtained enough signing power to act as an administrator of the protocol's multisig governance system, exploiting weaknesses in how admin permissions were enforced. With that access, the attacker pushed through a contract upgrade that the core team had never sanctioned, and the upgraded logic enabled withdrawals outside the project's intended governance procedures. Several assets were swept in the process, including WIP, USDC, WETH, stIP, and vIP. The pattern — seize administrative control, then ram a malicious upgrade through to drain the treasury — mirrors the Atlantis Loans governance takeover, where a captured admin role was turned into an instant withdrawal path.
Aftermath
The attacker bridged the stolen funds to Ethereum and routed 1,337.1 ETH into Tornado Cash, the OFAC-sanctioned mixer, to obscure the trail — the same rapid laundering hop seen in the TesseraDAO exit. Unleash Protocol paused operations and launched a forensic investigation, stressing that the incident was confined to its own contracts and administrative controls: there was no sign of compromise across the wider Story ecosystem, its validators, or core infrastructure. No funds had been recovered in the immediate aftermath.
Why it matters
The Unleash Protocol case is another reminder that upgrade authority and multisig admin keys are a protocol's single most dangerous privilege. Audited token logic offers little protection once an attacker can reassign administrative control and replace the contract code itself. As governance and admin compromises increasingly eclipse pure smart-contract bugs as the dominant loss vector, the lesson is the same one that recurs across the catalogue: the threshold and key hygiene around upgradeability deserve at least as much scrutiny as the contracts they govern.
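As an added illustration of that lesson (example code, not Unleash Protocol's or Story's own), the Solidity contract below holds a proxy's admin rights behind a time-lock so that a captured admin multisig cannot swap the implementation in a single step. It assumes an EVM chain, a proxy that exposes the common `upgradeTo(address)` entry point, and the contract, role and function names shown, all of which are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Unleash Protocol's code: a time-locked gate that holds
// a proxy's admin rights so no single signing step can swap the code.
contract TimelockedUpgradeGate {
    address public admin;              // multisig allowed to queue/execute
    address public guardian;           // separately held key, may only cancel
    uint256 public immutable minDelay; // minimum time-lock on any upgrade
    struct Pending { address impl; uint256 eta; }
    mapping(address => Pending) public pending; // proxy => queued upgrade
    event UpgradeQueued(address indexed proxy, address indexed impl, uint256 eta);
    event UpgradeCancelled(address indexed proxy, address indexed impl);
    event UpgradeExecuted(address indexed proxy, address indexed impl);

    constructor(address _admin, address _guardian, uint256 _minDelay) {
        require(_minDelay >= 1 days, "delay too short");
        require(_admin != _guardian, "guardian must be independent");
        admin = _admin;
        guardian = _guardian;
        minDelay = _minDelay;
    }

    // Step 1: queue. The event is what off-chain monitoring should alert on.
    function queueUpgrade(address proxy, address newImpl) external {
        require(msg.sender == admin, "not admin");
        require(pending[proxy].impl == address(0), "already queued");
        uint256 eta = block.timestamp + minDelay;
        pending[proxy] = Pending(newImpl, eta);
        emit UpgradeQueued(proxy, newImpl, eta);
    }

    // Veto path: a captured admin cannot stop the guardian from cancelling.
    function cancelUpgrade(address proxy) external {
        require(msg.sender == guardian || msg.sender == admin, "not authorized");
        address impl = pending[proxy].impl;
        require(impl != address(0), "nothing queued");
        delete pending[proxy];
        emit UpgradeCancelled(proxy, impl);
    }

    // Step 2: execute only once the delay has elapsed. Assumes this contract
    // is the proxy admin and the proxy exposes upgradeTo(address) (assumed ABI).
    function executeUpgrade(address proxy) external {
        require(msg.sender == admin, "not admin");
        Pending memory p = pending[proxy];
        require(p.impl != address(0) && block.timestamp >= p.eta, "not ready");
        delete pending[proxy];
        (bool ok, ) = proxy.call(abi.encodeWithSignature("upgradeTo(address)", p.impl));
        require(ok, "upgrade call failed");
        emit UpgradeExecuted(proxy, p.impl);
    }
}
```

The delay buys detection time: an alert on `UpgradeQueued` from an unexpected proposer lets the guardian cancel before any new withdrawal logic can go live.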
Sources & on-chain evidence
- [01] coinjournal.net: https://coinjournal.net/news/how-a-governance-failure-led-to-the-unleash-protocol-hack/
- [02] thestreet.com: https://www.thestreet.com/crypto/markets/ip-platform-loses-millions-in-end-of-year-hack
- [03] coinmarketcap.com: https://coinmarketcap.com/academy/article/unleash-protocol-loses-dollar39m-in-governance-exploit
- [04] coinpedia.org: https://coinpedia.org/news/unleash-protocol-hack-drains-3-9m-after-multisig-exploit-peckshield-reveals/