Unleash Protocol Smart Contract Disclosure of Unauthorized Activity, Some User Funds Moved

BlockBeats News, December 30th, Unleash Protocol, an IPFi platform in the Story ecosystem, announced that its smart contract experienced unauthorized activity, resulting in user funds being drained and transferred.

A preliminary investigation indicates that an external address obtained management permissions through Unleash's multisig governance mechanism and executed an unauthorized contract upgrade, triggering unauthorized asset withdrawals. The assets confirmed to be affected currently include WIP, USDC, WETH, stIP, vIP. The related assets were subsequently transferred to an external address via third-party cross-chain infrastructure.

Unleash stated that the incident stemmed from its own governance and permission framework, with no evidence suggesting impact on Story Protocol's contracts, validators, or underlying infrastructure. The impact seems to be limited to Unleash's related contracts and management permissions only. All protocol operations have been temporarily paused.

In today's early morning news, as per CertiK monitoring, an address starting with 0xc946 deposited 1337.1 ETH (about $3.9 million) into Tornado Cash. The address's fund source may involve Wrapped ETH and Story tokens suspiciously withdrawn from the compromised multisig account.