Unleash Protocol Suffers $3.9 Million Exploit via Governance Failure
On December 30, 2025, Unleash Protocol was targeted in a security breach resulting in approximately $3.9 million stolen, according to PeckShield. The exploit stemmed from a governance failure where an externally owned address gained multisignature admin control, allowing an unauthorized contract upgrade and withdrawal of assets outside of approved governance procedures.
Affected assets included WIP, USDC, WETH, stIP, and vIP. The stolen funds were bridged through third-party infrastructure to external addresses. To obscure the transaction history, the attacker deposited 1,337.1 ETH into the privacy-focused mixer Tornado Cash.
Following the incident, Unleash Protocol has paused all operations and is engaging independent security experts and forensic investigators. Users have been advised not to interact with Unleash contracts and to monitor official channels for updates.
Analysts LookonChain and Unleash clarified that the exploit was due to governance failure rather than a vulnerability in Story Protocol itself.
