A quiet admin takeover turns into a costly DeFi lesson
Unleash Protocol just learned the hard way that governance security can be just as dangerous as buggy code. Earlier this week, attackers drained roughly $3.9 million from the DeFi project after gaining unauthorized control over its multisig governance setup. Instead of exploiting a smart contract flaw, the attacker simply gave themselves the keys and let the system do the rest.
Unleash runs as a decentralized application on Story Protocol, but the issue never reached the base network. Once inside the multisig, the attacker pushed through a malicious contract upgrade, opening the door to withdraw user funds. Security watchers noticed strange activity first, and the Unleash team later confirmed something was seriously wrong.
Not a code bug, a permissions problem
According to Unleash’s own incident report, the exploit didn’t rely on broken code. The attacker went straight after the protocol’s internal permission system. In other words, everything technically worked, just not in the way it was supposed to.
Several assets were drained in the process, including WIP, USDC, WETH, stIP, and vIP. After that, the attacker moved fast. Funds were bridged out to Ethereum and then washed through Tornado Cash. About 1,337 ETH passed through the mixer, starting with small test transactions before escalating to much larger deposits. That kind of pattern usually points to a planned exit, not a spur-of-the-moment attack.
Story Protocol stays in the clear
One bit of good news is that the damage appears contained. Unleash said there’s no sign that Story Protocol’s core contracts, validators, or infrastructure were affected. The breach seems limited to Unleash’s own governance setup, which matters a lot in shared ecosystems where a single failure can sometimes ripple outward.
A familiar DeFi weak spot
If this story sounds familiar, that’s because it is. Multisig and admin-based attacks keep popping up across DeFi. These setups are meant to add security, but when access controls fail or keys are compromised, they can quickly turn into single points of failure.
Unleash has paused the protocol entirely while it works with investigators and reviews what went wrong. The team has also told users to stay away from the contracts until further notice, a standard move after incidents like this.
What users should do now
If you’ve ever interacted with Unleash Protocol, there’s one practical step worth taking right away: revoke permissions. Any wallet approvals you’ve given the protocol should be canceled using common approval management tools or blockchain explorers. Active approvals let smart contracts move funds, and cutting those links helps limit potential damage if anything else goes sideways.
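To make the "revoke permissions" step concrete, here is an added example (not code from the article or from Unleash Protocol) showing what a revocation actually sends on-chain: an ERC-20 `approve(spender, 0)` call. It also decodes the 32-byte result of `allowance(owner, spender)` so a user can tell a zero, limited or unlimited approval apart before and after revoking. The two function selectors are the standard ERC-20 ones; the owner and spender addresses are constructed placeholders, not real Unleash contracts, and the code builds and checks raw calldata without talking to any network.

```javascript
// Added example: encode an ERC-20 revoke (approve(spender, 0)) and interpret
// an allowance() response. Not part of the original article; addresses below
// are constructed placeholders.

// Standard ERC-20 function selectors (first 4 bytes of keccak256 of the signature).
const SELECTOR_APPROVE = "095ea7b3";   // approve(address,uint256)
const SELECTOR_ALLOWANCE = "dd62ed3e"; // allowance(address,address)

// Constructed placeholder addresses for the demo (assumption, not real contracts).
const OWNER = "0x1111111111111111111111111111111111111111";
const SPENDER = "0x2222222222222222222222222222222222222222";

// The value most dApps request for an "unlimited" approval.
const MAX_UINT256 = (1n << 256n) - 1n;

// ABI-encode a 20-byte address as a 32-byte, left-padded word.
function encodeAddress(addr) {
  const hex = addr.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(hex)) throw new Error("bad address: " + addr);
  return hex.padStart(64, "0");
}

// ABI-encode a uint256 as a 32-byte word.
function encodeUint256(value) {
  const v = BigInt(value);
  if (v < 0n || v > MAX_UINT256) throw new Error("uint256 out of range");
  return v.toString(16).padStart(64, "0");
}

// Calldata for allowance(owner, spender): an eth_call with this reads the
// current approval without spending gas.
function allowanceCalldata(owner, spender) {
  return "0x" + SELECTOR_ALLOWANCE + encodeAddress(owner) + encodeAddress(spender);
}

// Calldata for approve(spender, 0): this is the transaction a "revoke" sends.
function revokeCalldata(spender) {
  return "0x" + SELECTOR_APPROVE + encodeAddress(spender) + encodeUint256(0);
}

// Decode the 32-byte return value of allowance() and classify the approval.
function classifyAllowance(returnData) {
  const hex = returnData.replace(/^0x/, "");
  if (hex.length !== 64) throw new Error("unexpected return data length");
  const value = BigInt("0x" + hex);
  if (value === 0n) return { value, status: "none" };
  if (value === MAX_UINT256) return { value, status: "unlimited" };
  return { value, status: "limited" };
}

// Sanity check before signing: does the calldata a tool or wallet shows
// really set this spender's allowance to zero, and nothing else?
function isRevokeFor(calldata, spender) {
  return calldata.toLowerCase() === revokeCalldata(spender);
}

// Constructed sample return value: an unlimited approval (all 0xff bytes).
const SAMPLE_UNLIMITED = "0x" + "f".repeat(64);

// Stand-alone usage: inspect the sample, then build the revoke for it.
const before = classifyAllowance(SAMPLE_UNLIMITED);
console.log("current approval:", before.status);
console.log("revoke calldata:", revokeCalldata(SPENDER));
console.log("allowance query:", allowanceCalldata(OWNER, SPENDER));
```

The point of `isRevokeFor` is the habit it encourages: when an approval manager or explorer asks you to sign a "revoke", compare the hex data it displays against the exact `approve(spender, 0)` encoding for that spender, since a transaction that sets a different spender, or a non-zero amount, is not a revocation.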
In the end, the Unleash exploit is a reminder that DeFi risks don’t always come from clever hackers breaking code. Sometimes, it’s governance itself that breaks first. For users, it’s another nudge to stay cautious. For builders, it’s a clear warning that admin controls deserve just as much attention as smart contract audits.