Unleash Protocol has disclosed unauthorized activity involving its smart contracts that led to withdrawal and transfers of user funds. Investigations from CertiK Alert revealed deposits of Ethereum into Tornado Cash, following the Unleash Protocol exploit.
Unleash Protocol investigates multisig exploit
CertiK Alert disclosed on X that it detected deposits of 1,337.1 ETH, valued at about $3.9 million, transferred into Tornado Cash. The platform linked the transfer from the wallet address, 0xc946981F5dFBFA10cf858B95d51Fc06DCD15BfE3.
CertiK Alert added that the funds trace back to suspicious withdrawals of Wrapped ETH and Story tokens from a possibly compromised multisig.
The report comes shortly after Unleash Protocol announced it is investigating an exploit that led to the loss of users’ funds.
The Unleash Protocol team said initial investigation indicated that an externally owned address gained administrative control via its multisig governance.
Following the attack, the exploiters carried out an unauthorized contract upgrade that enabled unauthorized asset withdrawals. This occurred outside Unleash’s intended governance and operational procedures.
The assets identified as affected include WIP, USDC, WETH, stIP and vIP. After the withdrawals, the exploiters bridged these assets using third-party infrastructure before sending them to external addresses.
How Unleash is managing the exploit
In its announcement, the Unleash Protocol team said there was no evidence of compromise to Story Protocol contracts, validators or underlying infrastructure. They also added that the impact appears limited to Unleash-specific contracts and administrative controls.
The team, however, assured users that the investigation is still ongoing, and all conclusions will be confirmed before final disclosure.
To prevent further risk, they have suspended all Unleash Protocol operations. The team also noted that they are working closely with independent security experts and forensic investigators to determine the root cause.
This is in addition to conducting a full review of multisig signer activity, key management practice and governance processes.
Users are, therefore, advised to refrain from interacting with Unleash Protocol contracts and follow only official Unleash communication channels for accurate updates.
Notably, the Unleash multisig exploit is only the latest among recent crypto thefts. As noted in a U.Today report, a crypto user recently lost 50 million USDT to an address spoofing scam.
Before this attack, some attackers explored a security flaw in XWiki and DELMIA Apriso. As a result, the exploiters mined the Monero (XMR) cryptocurrency without permission.
In another recent scheme, bad actors stole $773,000 worth of crypto from the DeFi project Hyperdrive.
Source: https://u.today/scam-alert-unleash-protocol-faces-multisig-exploit
