Overview
- PeckShieldAlert first flagged suspicious withdrawals, which Unleash later confirmed as a breach.
- Attackers gained control of the multisig governance to push an unauthorized contract upgrade that enabled direct asset withdrawals.
- About $3.9 million was drained across WIP, USDC, WETH, stIP, and vIP, according to on-chain analysis and reporting.
- The stolen assets were bridged to Ethereum, with roughly 1,337.1 ETH deposited into Tornado Cash in segmented transfers.
- Unleash paused operations, preserved on-chain evidence, engaged independent security and forensic teams, and urged users to avoid its contracts pending further updates.