How a governance failure led to the Unleash Protocol hack

The post How a governance failure led to the Unleash Protocol hack appeared on BitcoinEthereumNews.com.

An unauthorised contract upgrade enabled direct withdrawals from the protocol. Funds were bridged to Ethereum and laundered through Tornado Cash. Assets affected included WIP, USDC, WETH, stIP, and vIP. A governance failure at Unleash Protocol has resulted in a major security breach, with attackers draining around $3.9 million in user funds. The incident was first identified by blockchain security firm PeckShieldAlert and later confirmed by the Unleash team. While the exploit did not affect the wider Story ecosystem, it has renewed attention on how governance mechanisms can become a critical point of failure in decentralised finance. Unleash Protocol is a decentralised platform built on Story Protocol. The project said the incident was limited to its own contracts and administrative controls, with no signs of compromise across Story Protocol’s validators or core infrastructure. Even so, the event shows how vulnerabilities at the application level can still lead to significant losses. Governance controls bypassed On-chain analysis indicates the attacker targeted Unleash Protocol’s multi-signature governance system. By exploiting weaknesses in how admin permissions were enforced, the attacker gained unauthorised access normally reserved for approved signers. This access was then used to push through a contract upgrade that had not been sanctioned by the core team. The unauthorised upgrade altered how the protocol handled withdrawals. With standard governance checks effectively bypassed, the attacker was able to move funds directly out of the protocol. According to Unleash, these actions occurred outside its established governance framework and were not detected until after the funds had already been removed. Laundering through bridges and mixers After extracting the assets, the attacker bridged the funds to Ethereum. From there, the assets were broken into multiple transactions, a strategy often used to make tracking more difficult. Blockchain data shows that 1,337.1 ETH was later deposited into Tornado Cash. The deposits…

Leave a Reply

Your email address will not be published. Required fields are marked *

Filed under: News - @ December 30, 2025 2:34 pm