Hackers Drain $3.9m From Unleash Protocol After Multisig Hijack

The decentralized intellectual property platform Unleash Protocol has lost around $3.9 million worth of cryptocurrency after someone executed an unauthorized contract upgrade that allowed asset withdrawals.

According to the team behind the blockchain project, the attacker obtained enough signing power to act as an administrator of Unleash’s multisig governance system.

"Our initial investigation indicates that an externally owned address gained administrative control via Unleash’s multisig governance and carried out an unauthorized contract upgrade," the company says in a public announcement.

"This upgrade enabled asset withdrawals that were not approved by the Unleash team and occurred outside our intended governance and operational procedures."

Unleash Protocol is described as an operating system for managing intellectual property (IP) by converting it into on-chain assets (tokens) that can be used as collateral within the DeFi ecosystem.

It provides a monetization layer through smart contracts and automatically distributes licensing and royalty revenue to predefined stakeholders according to on-chain rules.

The unauthorized smart contract upgrade gave the attacker the ability to perform withdrawals, which they used to steal WIP (wrapped IP), USDC, WETH (wrapped Ether), stIP (staked IP), and vIP (voting-escrowed IP) assets.

Blockchain security experts at PeckShieldAlert report that the unauthorized drain equates to losses of roughly $3.9 million.

After their withdrawal, the assets were bridged via third-party infrastructure and transferred to external addresses to reduce traceability.

PeckShieldAlert reports that the attacker has deposited the stolen amounts into the Tornado Cash cryptocurrency mixing service in the form of 1,337 ETH.

Source: BleepingComputer