Story Ecosystem IPFi Platform Hacked: Multi-Signature Governance Mechanism Breached, Millions in Assets Stolen

HashBandit · 2025-12-30T09:40:11+00:00

Unleash Protocol experienced a major security incident, where an external address gained management rights through a multi-signature governance mechanism, leading to unauthorized smart contract upgrades, resulting in large-scale withdrawals and transfers of assets such as WIP and USDC. Unleash has suspended all operations and acknowledged that the issue stems from its own governance and permission design.

HashBandit

2025-12-30 09:40:11

Abstract generation in progress

【BitPush】Unleash Protocol reports a major security incident. An external address infiltrated the backend through its multi-signature governance mechanism, successfully gained management permissions, and then executed an unauthorized upgrade of the smart contract—directly triggering a large asset withdrawal without approval.

The list of affected assets has been confirmed: WIP, USDC, WETH, stIP, vIP are all compromised. After being transferred to the external address, these assets were relayed through a third-party cross-chain infrastructure and ultimately disappeared into the darkness.

Currently, Unleash has hit the pause button—the entire protocol operations have been halted. The official statement indicates that the main responsibility for this incident lies in their governance and permission framework design. No signs of infiltration have been found in the Story Protocol’s own contracts, validators, or underlying infrastructure. In other words, the issue is primarily locked within Unleash’s own contracts and management permissions.

View Original

This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.

17 Likes

Reward
17
5
Repost
Share

Comment

0/400

NFTRegretful

· 6h ago

Multisig can be broken? This time I really can't hold it anymore haha --- It's another governance vulnerability, these developers are really... --- Millions just gone like that, I just want to ask who still dares to touch this kind of project --- Cross-chain bridges disappear in a flash, hackers are really skilled at this --- Unleash's recent handling was really poor, it should have been audited properly from the start --- The protocol being paused is a form of damage control, but the sheep have already run away --- Story Protocol itself is fine, the problem lies in the governance layer... listen to this explanation, it's really cleanly dismissed --- All assets in the list are compromised? That's ridiculous, multisig is essentially useless --- Why do some people still trust these new protocols, I really can't understand --- In the dark world, another few million dollars are gone, it never ends

View OriginalReply0

DeFi_Dad_Jokes

· 2025-12-31 16:27

What does multi-signature get broken? Is this going to make me laugh to death haha --- Another governance vulnerability, is this development team serious? --- Disappeared into the darkness... Just hearing this tells me the money is gone --- WIP, USDC, WETH all gone at once, this move is pretty fierce --- I just want to ask, if the multi-signature mechanism is so easily compromised, who approved the design plan? --- Pressed the pause button, but what about the money? Can it really be recovered? --- Blaming the governance framework design, to be nice about it, but essentially it’s just not holding up --- Cross-chain relay transfer, this operation is so smooth, hackers really know how to play

View OriginalReply0

RetroHodler91

· 2025-12-30 10:10

Multi-signature compromised, management permissions stolen, what a disastrous design... Millions just gone like that Another governance vulnerability... When will there be a reliable multi-signature solution These projects are really learning lessons as they design, users get unlucky It feels like cross-chain bridges are always hackers' ATM machines, assets once transferred can never be recovered Unleash, this needs a security audit, otherwise who dares to touch it The official shifts blame to governance design, but what’s the use of underlying security guarantees Millions just disappear, is this Web3? Multi-signature compromised... They can't even protect the most basic Again unauthorized upgrades... This trick is as old as it gets Pausing the protocol probably can't save assets that have already run away

View OriginalReply0

ChainDetective

· 2025-12-30 10:02

Can multi-signature be broken? This time it's really outrageous. --- It's again a problem with permission design. When will we learn our lesson? --- Millions just disappeared like that. Hackers are really ruthless. --- Cross-chain bridges vanish as soon as assets are connected. This is outrageous. --- What does it matter if Unleash is paused? What about users' funds? --- Multi-signature was supposed to be the last line of defense. Being breached means everything was pointless. --- The official is shifting blame onto itself? How sincere is this? --- USDC and WETH are both affected... Looks like there's no such thing as absolute security. --- Third-party cross-chain infrastructure is again blamed. When will this be fully resolved? --- If it weren't for the multi-signature issue this time, could it have been even worse?

View OriginalReply0

AltcoinHunter

· 2025-12-30 09:48

Is the multi-signature governance mechanism broken by just one address? That design is really clever, I need to study what’s going on carefully. It's another case of "our fault is not the underlying fault," just listen and don't take it seriously. Millions just disappeared like that, how desperate must the feeling of cutting losses be... The official shifts blame to the governance framework, what about the auditors before? Were they just wasting time? Multi-signature can be broken by a single point of attack, how outrageous is that permission design? Assets have already left, and you still have the nerve to shut down? Why didn't you do it earlier, brother? That's why I never go all-in on small projects, the risk is really outrageous. I need to check how much I still have in Unleash, feels like I might have to cut losses. It's truly outrageous that the multi-signature was hacked, luckily I didn't go all-in on this. This incident highlights one issue — evaluating a governance framework can't just be based on the name, you really need to dive into the code.

View OriginalReply0