Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
The Unleash Protocol project deployed on Story Protocol suffered an unauthorized contract upgrade, followed by the malicious transfer of user assets. The attacker manipulated the project’s multisig governance privileges to perform the upgrade, resulting in the theft and cross-chain transfer of assets including WIP, USDC, WETH, stIP, and vIP to external addresses. The currently confirmed loss is approximately USD 3.9 million. Unleash has suspended all operations and initiated a full investigation and audit process, urging users to refrain from interacting with its contracts. Story Protocol itself remains unaffected. Attack method (per SlowMist): Privilege compromise. Reported loss: $ 3,900,000.
- chain
- —
- protocol
- Unleash Protocol
- bug_class
- access-control
- date_occurred
- 2025-12-30
- loss_usd
- $3,900,000
- source_id
- sm:unleash-protocol::2025-12-30