Unleash Protocol multisig compromised — unauthorized admin takeover enabled contract upgrade and ~$3.9M (1,337.1 ETH) moved to Tornado Cash

An externally owned address gained administrative control of Unleash Protocol's multisig, allowing an unauthorized contract upgrade and withdrawals of user funds. CertiK traced 1,337.1 ETH (~$3.9M) from the compromised wallet to Tornado Cash. Affected assets include WIP, USDC, WETH, stIP, vIP and Story tokens; some assets were bridged and sent to external addresses. Unleash has suspended operations and says core Story Protocol contracts and validators show no evidence of compromise. It is working with independent security and forensic teams while reviewing multisig signer activity, key management and governance. Users are warned to avoid interacting with Unleash contracts and to follow official channels.
AI Analysis
Summary states an external address gained admin control of the multisig, enabling an unauthorized contract upgrade and withdrawals; CertiK traced 1,337.1 ETH (~$3.9M) sent to Tornado Cash; multiple tokens (WIP, USDC, WETH, stIP, vIP, Story) were withdrawn/bridged; Unleash suspended operations and engaged forensic teams.