Unleash Protocol, an intellectual property financing platform built on the Story ecosystem, lost about $3.9 million in a security breach, according to blockchain security firm PeckShield.
The attacker converted the stolen assets to Ethereum and deposited 1,337.1 ether into Tornado Cash, a crypto mixing service commonly used to hide transaction histories, according to PeckShield.
Unleash had reported the breach earlier, without specifying the amount.
“Earlier today, we detected unauthorized activity involving Unleash Protocol smart contracts, which led to the withdrawal and transfer of user funds,” the platform said in a post on X. “Our initial investigation indicates that an externally owned address gained administrative control through Unleash’s multi-signature governance system, which enabled an unauthorized contract upgrade of governance, which allowed approval of governance contracts.”
The affected assets include WIP, USDC, WETH, stIP and VIP, the protocol said. After the withdrawals, the funds were bridged using third-party infrastructure and transferred to external addresses.
Platforms like Unleash aim to bring intellectual property rights, such as media, brands and creative works, on-chain, enabling them to be tokenized, licensed or used as financial primitives in decentralized applications.
Both Unleash and on-chain analytics firm Lookonchain said the exploit appeared to stem from a governance error at Unleash rather than a vulnerability in the Story Protocol itself.
Unleash said it suspended all operations while the investigation continues and is working with independent security experts and forensic investigators to determine the cause. Users have been advised not to interact with Unleash Protocol contracts for now and to follow official channels for updates.



