Hacker Drains Nearly $4M From Unleash Protocol, Funds Sent to Tornado Cash

What Happened at Unleash Protocol?

Unleash Protocol disclosed a security breach that resulted in the loss of roughly 1,337 ETH, valued at close to $4 million, after an attacker gained unauthorized control over the project’s multisig governance system. The incident was first flagged through onchain activity and later confirmed by the Unleash team, which said it has paused protocol operations and launched a forensic investigation.

According to the project, an externally owned address obtained administrative control through the multisig and executed an unauthorized contract upgrade. That upgrade allowed the attacker to withdraw assets outside Unleash’s intended governance and approval process.

“Our initial investigation indicates that an externally owned address gained administrative control via Unleash’s multisig governance and carried out an unauthorized contract upgrade,” Unleash wrote on X. “This upgrade enabled asset withdrawals that were not approved by the Unleash team and occurred outside our intended governance and operational procedures.”

In practical terms, the attacker was able to bypass internal checks and move user funds directly out of the protocol. While the exact method remains under review, the project said the breach may have involved social engineering or another form of security compromise targeting governance access.

Investor Takeaway

Multisig governance remains a critical point of failure in . Administrative access, not smart contract math, was the fragile link in this attack.

Where Did the Funds Go?

tracking the incident said the attacker bridged the stolen assets to ETH and began routing funds through Tornado Cash, a privacy protocol used to obscure transaction trails. PeckShield reported that the attacker sent the ETH in repeated 100 ETH increments, a pattern commonly seen in laundering attempts.

CertiK separately flagged suspicious withdrawals of Wrapped ETH and IP-related tokens that were sent to an . The address appears to have been created using the secureProxyFactory, a tool frequently used to deploy multisig wallets.

The affected assets include WIP (Wrapped IP), USDC, WETH, stIP, and vIP. Most of those tokens were converted or bridged before being sent to Tornado Cash, reducing the likelihood of recovery and complicating any legal or technical intervention.

The use of Tornado Cash highlights a recurring challenge for post-exploit response. Once assets enter a mixing service, tracing ownership becomes far harder, especially when funds are split across multiple transactions and addresses.
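
The repeated 100 ETH deposits reported by PeckShield are a pattern a monitoring team can alert on. The Python below is an added example, not code from PeckShield, CertiK or Unleash: it flags senders that make several equal, pool-sized deposits to a watched address within a short window. The transfer records and address labels are constructed, and the function name, field names and thresholds are assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Tornado Cash's ETH pools take fixed-size deposits (values in ETH).
POOL_DENOMINATIONS = {Decimal("0.1"), Decimal("1"), Decimal("10"), Decimal("100")}


def flag_repeated_deposits(transfers, watched, min_repeats=3, window_s=3600):
    """Return alerts for senders making >= min_repeats equal, pool-sized
    deposits to a watched address inside any window_s-second window."""
    buckets = defaultdict(list)  # (sender, amount) -> [timestamps]
    for t in transfers:
        amount = Decimal(t["eth"])
        if t["to"] in watched and amount in POOL_DENOMINATIONS:
            buckets[(t["from"], amount)].append(t["ts"])

    alerts = []
    for (sender, amount), stamps in buckets.items():
        stamps.sort()
        best, start = 0, 0
        # Sliding window: largest run of deposits that fits in window_s.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_repeats:
            alerts.append({"sender": sender, "denomination": amount,
                           "burst": best, "total_eth": amount * len(stamps)})
    return sorted(alerts, key=lambda a: a["total_eth"], reverse=True)


# Constructed sample data: labels stand in for real addresses.
WATCHED = {"MIXER_POOL_100", "MIXER_POOL_10"}
SAMPLE = (
    [{"from": "ADDR_A", "to": "MIXER_POOL_100", "eth": "100", "ts": 1000 + 90 * i}
     for i in range(5)]                                   # five deposits in six minutes
    + [{"from": "ADDR_B", "to": "MIXER_POOL_100", "eth": "100", "ts": 86400 * d}
       for d in range(3)]                                 # same size, one per day
    + [{"from": "ADDR_C", "to": "MIXER_POOL_10", "eth": "10", "ts": 5000},
       {"from": "ADDR_A", "to": "EXCHANGE_X", "eth": "37", "ts": 2000}]
)

if __name__ == "__main__":
    for alert in flag_repeated_deposits(SAMPLE, WATCHED):
        print(alert)
```

Only the burst from ADDR_A is flagged; the once-a-day deposits of the same size and the single 10 ETH deposit stay below the threshold.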

Was Story Protocol Affected?

Unleash emphasized that the breach was limited to its own contracts and administrative controls. The project said there is no indication that Story Protocol itself, its validators, or its underlying infrastructure were compromised.

“The incident originated within Unleash Protocol’s governance and permission framework,” the team said. “The impact appears limited to Unleash-specific contracts and administrative controls.”

Unleash is one of the more visible applications built on Story Protocol, a relatively new Layer 1 focused on tokenized intellectual property. PIP Labs, the core team behind Story, has raised $140 million to date, positioning the network as a specialized chain for IP-related use cases.

While Story’s base layer was not affected, the incident is likely to raise questions about application-level security practices on newer networks, particularly where governance controls rely on a small number of signers or offchain processes.

Investor Takeaway

Application-layer failures can create reputational risk for entire ecosystems, even when the underlying chain remains secure.

What Comes Next?

The Unleash team has warned users not to interact with the protocol while the investigation continues. It said further updates on remediation steps and potential recovery efforts will be shared once more information becomes available.

At this stage, recovery prospects appear limited. The routing of , combined with cross-chain movements, reduces the chances of clawing back assets unless centralized chokepoints are identified later in the laundering process.

The incident adds to a growing list of attacks in which governance access, rather than contract bugs, has been exploited to drain funds. As DeFi protocols add layers of upgradability and administrative control, those systems increasingly resemble high-value targets for attackers.
