Unleash Protocol Launches Emergency Investigation Following Governance Breach and Unauthorized Transfer of User Assets


Unleash Protocol has confirmed a major security breach in which unauthorized actions on its smart contracts led to user funds being withdrawn and transferred. The incident was identified earlier today and has already led to the automatic suspension of all Unleash Protocol operations while the team works to contain the problem and determine its cause.

According to an official incident notification issued by the Unleash team, the attack targeted the protocol's governance and permission structure. Initial indications are that an externally owned address gained administrative control through Unleash's multisig governance structure. With this access, the attacker performed an unauthorized contract upgrade that allowed withdrawals outside the project's governance and operational processes.

Unauthorized Contract Upgrade Enabled Asset Withdrawals

The unauthorized upgrade reportedly enabled the extraction of various assets held in Unleash Protocol smart contracts. The assets considered impacted at this stage of the investigation are WIP, USDC, WETH, and the staking-related tokens stIP and vIP. The withdrawn assets were bridged through third-party infrastructure and then moved to external addresses, making immediate recovery difficult.

Unleash also stressed that these actions were not sanctioned by the core team but took place within the governance controls in an entirely unintended way. According to the protocol's leadership, the incident is best described as a critical failure of administrative protection mechanisms rather than a larger infrastructure attack.

Scope of Impact Appears Limited

In its initial assessment, the Unleash Protocol team wrote that it has found no evidence of compromise in Story Protocol contracts, validators, or underlying infrastructure at this time. The impact appears to be limited to Unleash-specific contracts and administrative controls, which indicates that the problem did not extend to the broader ecosystem.

The team cautioned, however, that the investigation is still underway and that all findings will be confirmed before any conclusions are disclosed. On-chain data from the incident is being preserved to support the forensic investigation and subsequent reporting.

Emergency Response and Ongoing Investigation

As a response measure, Unleash Protocol halted all operations to prevent further exposure of its users and other assets. The team is now working closely with independent security experts and forensic investigators to establish how administrative control was obtained and whether other vulnerabilities exist.

Multisig signer activity, key management practices, and governance processes are all under full review. Unleash Protocol also confirmed that it is coordinating with ecosystem partners and infrastructure providers, particularly those involved in bridging and transaction routing, to trace fund flows and identify potential mitigation measures.

User Guidance and Safety Measures

Unleash has urged users to avoid interacting with any Unleash Protocol contracts until further notice. The team also emphasized that users should rely only on official communication channels for updates and be wary of the misinformation and impersonation that usually follow high-profile incidents.

Further guidance for affected users will be provided once the investigation results are confirmed and appropriate measures are identified. Unleash has not yet announced any specific remediation or compensation programs, as this remains under consideration.

Commitment to Transparency and Accountability

The Unleash Protocol team released a statement acknowledging that the incident affected users and partners and that it is treating the situation with the utmost seriousness. The team reaffirmed its commitment to open communication and responsible disclosure as more information becomes available.

Although the incident underscores the continuing vulnerabilities in the governance and administrative controls of decentralized protocols, Unleash has framed its response as a vital step in reinforcing trust and its security posture. Further updates will follow as the investigation progresses.

Source: https://blockchainreporter.net/unleash-protocol-launches-emergency-investigation-following-governance-breach-and-unauthorized-transfer-of-user-assets/