According to an official announcement, Unleash Protocol, deployed on @StoryProtocol, was hit today by an unauthorized contract upgrade that led to the malicious transfer of user assets.
The attacker exploited control over the protocol’s multisig governance permissions to execute the upgrade, resulting in the theft and cross-chain transfer of assets including WIP, USDC, WETH, stIP, and vIP to external addresses. The confirmed loss currently stands at approximately $3.9 million.
Unleash has suspended all operations and initiated a full investigation and audit, urging users to refrain from interacting with its contracts for now. Story Protocol itself was not affected.
