The decentralized intellectual property platform Unleash Protocol has lost around $3.9 million worth of cryptocurrency after someone executed an unauthorized contract upgrade that allowed asset withdrawals.
According to the team behind the blockchain project, the attacker obtained enough signing power to act as an administrator of Unleash’s multisig governance system.
“Our initial investigation indicates that an externally owned address gained administrative control via Unleash’s multisig governance and carried out an unauthorized contract upgrade,” the company says in a public announcement.
“This upgrade enabled asset withdrawals that were not approved by the Unleash team and occurred outside our intended governance and operational procedures.”
Unleash Protocol is described as an operating system for managing intellectual property (IP) by converting it into on-chain assets (tokens) that can be used as collateral within the DeFi ecosystem.
It provides a monetization layer through smart contracts and automatically distributes licensing and royalty revenue to predefined stakeholders according to on-chain rules.
By performing the unauthorized smart contract upgrade, the attacker unlocked the ability to perform withdrawals, leveraging it to steal WIP (wrapped IP), USDC, WETH (wrapped Ether), stIP (staked IP), and vIP (voting-escrowed IP) assets.
Blockchain security experts at PeckShieldAlert report that the unauthorized drain equates to losses of roughly $3.9 million.
After their withdrawal, the assets were bridged via third-party infrastructure and transferred to external addresses to reduce traceability.
PeckShieldAlert reports that the attacker has deposited the stolen amounts into the Tornado Cash cryptocurrency mixing service in the form of 1,337 ETH.
The Tornado Cash service, which was sanctioned by the U.S. in 2022 and delisted in 2025 for its role in laundering funds for North Korean hacking groups, enables users to route cryptocurrency through obfuscation mechanisms before withdrawing it to new, unlinkable wallets.
While designed to provide transaction privacy on public blockchains, it has been abused by cybercriminals to evade law enforcement tracking and asset-freezing efforts.
In response to the incident, Unleash Protocol has paused all operations and launched an investigation with the help of external security experts to determine the root cause of the exploit. At the same time, they are evaluating remediation and recovery measures.
In the meantime, users are advised not to interact with Unleash Protocol contracts until the company announces publicly on its official channels that it is safe to do so.
Broken IAM isn’t just an IT problem – the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what “good” IAM looks like, and a simple checklist for building a scalable strategy.