Overview
- Unleash reported unauthorized smart‑contract activity on December 30 that enabled withdrawals of user funds.
- PeckShield estimates losses at about $3.9 million, with the attacker bridging assets to Ethereum before depositing 1,337.1 ETH into Tornado Cash in varied batches up to 100 ETH.
- Tokens affected in the exploit included WIP, USDC, WETH, stIP, and vIP, according to the protocol.
- Operations are paused as the team preserves on‑chain data and works with independent security and forensic investigators, and users are urged not to interact with contracts.
- Unleash and on‑chain analysts say the incident appears confined to Unleash’s governance and administrative controls, with no evidence of any compromise to Story Protocol’s core infrastructure.