Story Ecosystem IPFi Platform Hacked: Multi-Signature Governance Mechanism Breached, Millions in Assets Stolen


【BitPush】Unleash Protocol has reported a major security incident. An external address infiltrated the backend through the protocol's multi-signature governance mechanism, gained management permissions, and then executed an unauthorized upgrade of the smart contract, directly triggering a large asset withdrawal without approval.

The list of affected assets has been confirmed: WIP, USDC, WETH, stIP and vIP were all compromised. After being transferred to the external address, these assets were relayed through a third-party cross-chain infrastructure and ultimately disappeared into the darkness.

Unleash has now hit the pause button: all protocol operations have been halted. According to the official statement, the main responsibility for this incident lies in its governance and permission framework design. No signs of infiltration have been found in Story Protocol's own contracts, validators, or underlying infrastructure. In other words, the issue is confined primarily to Unleash's own contracts and management permissions.
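The report describes an unauthorized contract upgrade followed directly by a large withdrawal. As an added example (not code from Unleash, Story Protocol or the original report), the following monitoring sketch flags that sequence in event logs: an upgrade to an implementation outside an approved set, then token outflows from the contract within a block window. It assumes the contract is an ERC-1967 style proxy that emits `Upgraded(address)`, uses a simplified `eth_getLogs` record shape, and runs on constructed placeholder addresses and amounts.

```python
# ERC-1967 proxies emit Upgraded(address); ERC-20 tokens emit Transfer(address,address,uint256).
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

def addr(topic):
    """Indexed address arguments are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

def pad(address):
    return "0x" + address[2:].rjust(64, "0")

def review_upgrades(logs, proxy, approved_impls, window=100):
    """Flag upgrades of `proxy` to unapproved implementations and attach
    token outflows from the proxy seen within `window` blocks afterwards."""
    alerts = []
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if topics[0] == UPGRADED and log["address"].lower() == proxy:
            impl = addr(topics[1])
            if impl not in approved_impls:
                alerts.append({"block": log["blockNumber"],
                               "implementation": impl, "outflows": []})
        elif topics[0] == TRANSFER and addr(topics[1]) == proxy:
            for alert in alerts:
                if log["blockNumber"] - alert["block"] <= window:
                    alert["outflows"].append(
                        (log["address"], addr(topics[2]), int(log["data"], 16)))
    return alerts

# Constructed placeholders, not addresses or amounts from the incident.
PROXY, TOKEN, EXTERNAL = "0x" + "aa" * 20, "0x" + "cc" * 20, "0x" + "dd" * 20
IMPL_OK, IMPL_NEW = "0x" + "b1" * 20, "0x" + "b2" * 20

def upgraded(block, impl):
    return {"address": PROXY, "blockNumber": block, "logIndex": 0,
            "topics": [UPGRADED, pad(impl)], "data": "0x"}

def transfer(block, amount):
    return {"address": TOKEN, "blockNumber": block, "logIndex": 1,
            "topics": [TRANSFER, pad(PROXY), pad(EXTERNAL)],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [upgraded(100, IMPL_OK), transfer(150, 5),
               upgraded(200, IMPL_NEW), transfer(201, 1_000_000),
               transfer(500, 7)]

if __name__ == "__main__":
    for alert in review_upgrades(SAMPLE_LOGS, PROXY, {IMPL_OK}):
        print(alert)
```

In practice the approved set would come from the project's own release process, and an alert on an unapproved implementation is the point at which a pause is still useful.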

RetroHodler91vip
· 6h ago
Multi-signature compromised, management permissions stolen, what a disastrous design... Millions just gone like that. Another governance vulnerability... When will there be a reliable multi-signature solution? These projects are really learning lessons as they design, users get unlucky. It feels like cross-chain bridges are always hackers' ATM machines, assets once transferred can never be recovered. Unleash, this needs a security audit, otherwise who dares to touch it? The official shifts blame to governance design, but what’s the use of underlying security guarantees? Millions just disappear, is this Web3? Multi-signature compromised... They can't even protect the most basic. Again unauthorized upgrades... This trick is as old as it gets. Pausing the protocol probably can't save assets that have already run away.
ChainDetectivevip
· 6h ago
Can multi-signature be broken? This time it's really outrageous. --- It's again a problem with permission design. When will we learn our lesson? --- Millions just disappeared like that. Hackers are really ruthless. --- Cross-chain bridges vanish as soon as assets are connected. This is outrageous. --- What does it matter if Unleash is paused? What about users' funds? --- Multi-signature was supposed to be the last line of defense. Being breached means everything was pointless. --- The official is shifting blame onto itself? How sincere is this? --- USDC and WETH are both affected... Looks like there's no such thing as absolute security. --- Third-party cross-chain infrastructure is again blamed. When will this be fully resolved? --- If it weren't for the multi-signature issue this time, could it have been even worse?
AltcoinHuntervip
· 7h ago
Is the multi-signature governance mechanism broken by just one address? That design is really clever, I need to study what’s going on carefully. It's another case of "our fault is not the underlying fault," just listen and don't take it seriously. Millions just disappeared like that, how desperate must the feeling of cutting losses be... The official shifts blame to the governance framework, what about the auditors before? Were they just wasting time? Multi-signature can be broken by a single point of attack, how outrageous is that permission design? Assets have already left, and you still have the nerve to shut down? Why didn't you do it earlier, brother? That's why I never go all-in on small projects, the risk is really outrageous. I need to check how much I still have in Unleash, feels like I might have to cut losses. It's truly outrageous that the multi-signature was hacked, luckily I didn't go all-in on this. This incident highlights one issue — evaluating a governance framework can't just be based on the name, you really need to dive into the code.