Unleash Protocol Hack: ₹35 Cr Drained via Multisig Hijack & Tornado Cash

The420.in Staff

Hackers have drained around 3.9 million dollars (about ₹32–33 crore) in crypto assets from Unleash Protocol after seizing control of the project’s multisig governance system and pushing an unauthorized smart contract upgrade. The attack has forced the platform to halt operations and triggered yet another debate on the security of DeFi governance models.

Multisig Takeover Enables Rogue Upgrade

Unleash Protocol confirmed that an “externally owned address” managed to obtain sufficient signing power on its multisig governance wallet, effectively giving the attacker admin-level control over the smart contracts that run the platform. Using this control, the attacker executed a contract upgrade that was never approved through the project’s normal governance or operational process, but which silently enabled unauthorized withdrawals.

Unleash describes itself as an on-chain operating system for intellectual property, where IP is tokenised and turned into collateral for DeFi lending and other financial use cases. The protocol’s smart contracts also automate the distribution of licensing and royalty revenues to rights holders, making contract integrity central to both investor funds and creator payouts.
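The sequence described above, a change in multisig signing power followed by an upgrade that never went through approval, is something a protocol team can alert on from event logs. The following is an added monitoring example, not Unleash's code and not a reconstruction of the incident. It assumes a Safe-style multisig (`AddedOwner`, `RemovedOwner`, `ChangedThreshold` events) and ERC-1967 proxies (`Upgraded` event), neither of which the article confirms. All contract labels, block numbers and the 7200-block window are constructed.

```python
from dataclasses import dataclass

# Assumption: Safe-style signer events and the ERC-1967 "Upgraded" event.
SIGNER_EVENTS = {"AddedOwner", "RemovedOwner", "ChangedThreshold"}

@dataclass
class Event:
    block: int
    contract: str   # label of the emitting contract (constructed, not a real address)
    name: str       # decoded event name
    arg: str        # owner, threshold or new implementation

def review(events, multisig, proxies, approved_impls, window=7200):
    """Flag signer-set changes, and upgrades that are unapproved or that
    land within `window` blocks of a signer-set change."""
    alerts, last_change = [], None
    for ev in sorted(events, key=lambda e: e.block):
        if ev.contract == multisig and ev.name in SIGNER_EVENTS:
            last_change = ev.block
            alerts.append(("HIGH", ev.block, f"signer set changed: {ev.name}({ev.arg})"))
        elif ev.contract in proxies and ev.name == "Upgraded":
            unapproved = ev.arg not in approved_impls
            recent = last_change is not None and ev.block - last_change <= window
            if unapproved and recent:
                alerts.append(("CRITICAL", ev.block,
                               f"{ev.contract} upgraded to unapproved {ev.arg} after signer change"))
            elif unapproved:
                alerts.append(("HIGH", ev.block, f"{ev.contract} upgraded to unapproved {ev.arg}"))
            elif recent:
                alerts.append(("MEDIUM", ev.block, f"{ev.contract} upgraded soon after signer change"))
    return alerts

# Constructed sample log: one routine upgrade, then a signer change followed by a rogue upgrade.
MULTISIG = "governance-multisig"
PROXIES = {"vault-proxy"}
APPROVED = {"impl-v2", "impl-v3"}   # implementations that passed the normal release process
SAMPLE = [
    Event(100, "vault-proxy", "Upgraded", "impl-v2"),
    Event(5000, MULTISIG, "AddedOwner", "unknown-signer"),
    Event(5010, "vault-proxy", "Upgraded", "impl-unreviewed"),
    Event(20000, "vault-proxy", "Upgraded", "impl-v3"),
]

if __name__ == "__main__":
    for severity, block, message in review(SAMPLE, MULTISIG, PROXIES, APPROVED):
        print(f"[{severity}] block {block}: {message}")
```

Wiring the CRITICAL alert to an automatic pause or a timelock veto gives responders a chance to act before withdrawals start, which event logging alone does not.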

35 Crores in WIP, USDC and WETH Drained

Once the backdoored upgrade went live, the attacker systematically withdrew a range of assets locked in the protocol’s contracts. The loot included WIP (wrapped IP), USDC, WETH (wrapped Ether), stIP (staked IP) and vIP (voting-escrowed IP) tokens, with blockchain analytics firm PeckShieldAlert estimating total losses at roughly 3.9 million dollars.

After emptying the targeted contracts, the hacker bridged the stolen assets through third‑party infrastructure to multiple external addresses in an apparent attempt to blur the on-chain trail. Investigators say this cross-chain movement complicates attribution and recovery efforts, especially when combined with obfuscation tools.

Funds Washed Through Tornado Cash

PeckShieldAlert reports that the attacker ultimately funneled the haul into Tornado Cash, depositing the equivalent of 1,337 ETH into the sanctioned crypto-mixing service. Tornado Cash, which was blacklisted by the U.S. in 2022 and later delisted from major platforms for facilitating laundering by North Korean state-backed hacking groups, is designed to break the link between sending and receiving addresses on public blockchains.

While mixers like Tornado Cash are marketed as privacy tools, they have become a preferred exit route for hackers seeking to cash out, making law-enforcement tracking and asset freezes significantly more difficult. The Unleash incident again highlights how quickly stolen funds can move beyond the reach of traditional seizure mechanisms once they hit such services.

Operations Paused, Users Warned to Stay Away

In its public statement, Unleash Protocol said it has paused all operations and is working with external blockchain security experts to piece together the exact attack path and identify any remaining vulnerabilities. The team is also assessing potential remediation and recovery strategies, though clawing back funds that have already passed through a mixer is expected to be challenging.

Until further notice, users have been explicitly advised not to interact with any Unleash Protocol contracts or interfaces and to wait for a clear green signal on the project’s official channels before resuming activity. For Indian crypto users and DeFi projects watching from the sidelines, the case serves as a sharp reminder that governance keys, multisig structures and upgrade paths can be just as attractive a target as the funds locked in a protocol’s pools.