Unleash Protocol Hack Deepens: $3.9 Million Multisig Breach Spurs Cross-Asset Drain and Tornado Cash Laundering

Van Thanh Le

Dec 30 2025

Unleash Protocol multisig breach drains treasury assets amid governance failure

Investigators Trace Withdrawals From WIP, USDC, WETH, stIP, and vIP to Safe-Linked Account and 100 ETH Mixing Patterns

TL;DR

  • Unleash Protocol’s losses are tied to a multisig compromise and unauthorized withdrawals spanning multiple assets, not just ETH.
  • Stolen tokens including WIP, USDC, WETH, stIP, and vIP were bridged to Ethereum and routed into Tornado Cash, often in ~100 ETH-sized chunks.
  • CertiK flagged early suspicious withdrawals to an externally owned account linked to Safe deployment infrastructure via SafeProxyFactory.

Unleash Protocol has confirmed a major security breach with losses estimated at roughly $3.9 million, while some trackers round the total closer to $4 million depending on asset pricing at the time of the incident. Investigators have attributed the theft to unauthorized withdrawals enabled by a compromised multisig wallet—an operational and governance-layer failure rather than a user-facing smart-contract logic exploit. The incident surfaced in late December 2024 after on-chain monitors detected abrupt outflows from wallets associated with the protocol, triggering rapid attribution efforts by security firms and independent analysts tracking Ethereum-based DeFi infrastructure.

PeckShield’s assessment pointed to an attacker exploiting weaknesses in Unleash Protocol’s multisig approval setup, effectively sidestepping intended signer protections to drain protocol-controlled funds. The affected assets include WIP (WrappedIP), USDC, WETH, stIP, and vIP, indicating the breach impacted a wider set of protocol-related balances rather than a single token exposure. That multi-asset footprint matters because it changes the recovery math: stolen value can fragment across wrappers and bridged representations, creating more paths for obfuscation and more friction for tracing. Most of the stolen value, over 1,300 ETH at the time of publication, was then bridged to Ethereum and moved toward privacy tooling, a pattern investigators described as an attempt to obscure an audit trail and complicate recovery efforts.

On-chain data and security firm notes show the attacker shifting quickly from extraction to concealment. Multiple transactions routed funds into Tornado Cash, the Ethereum-based mixing service used to break transactional linkages between sending and receiving addresses. PeckShield noted the attacker appears to have sent many ~100 ETH chunks into the mixer, a batching pattern consistent with laundering workflows designed to reduce traceability while maintaining operational speed. Analysts also observed that the attacker leaned into Ethereum-native privacy infrastructure rather than immediately scattering assets across multiple chains, a choice that can reflect either confidence in mixer-based obfuscation or caution amid the increased scrutiny that often follows high-profile bridges and cross-chain hops.
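
The batching pattern described above can be turned into a monitoring rule. The sketch below is an added example, not code from PeckShield, CertiK or Unleash Protocol: it follows outflows from a watched treasury address and flags any downstream address that makes several ~100 ETH deposits into a labelled mixer within a short window. The address labels, the sample transfers, the tolerance band and the alert thresholds are all constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

TREASURY = "0xTREASURY"   # placeholder label for the monitored multisig
MIXER = "0xMIXER"         # placeholder label for a known mixer contract
CHUNK, TOLERANCE = Decimal("100"), Decimal("0.5")   # "~100 ETH" (assumed band)
MIN_CHUNKS, WINDOW = 3, 3600   # assumed rule: 3+ chunk deposits within one hour

# Constructed sample transfers: (unix_time, sender, recipient, amount_eth)
TRANSFERS = [
    (1000, TREASURY, "0xA", Decimal("1300")),
    (1060, "0xA", "0xB", Decimal("400")),
    (1100, "0xA", MIXER, Decimal("100")),
    (1160, "0xA", MIXER, Decimal("100")),
    (1220, "0xA", MIXER, Decimal("99.9")),
    (1300, "0xB", MIXER, Decimal("100")),
    (1400, "0xC", MIXER, Decimal("100")),   # 0xC never received treasury funds
    (1500, "0xC", MIXER, Decimal("100")),
    (1600, "0xC", MIXER, Decimal("100")),
    (9000, "0xB", MIXER, Decimal("100")),   # too far from 0xB's first deposit
    (9100, "0xB", "0xD", Decimal("12.5")),
]

def chunked_mixer_deposits(transfers, source):
    """Return {address: max chunk deposits in one window} for funds downstream of source."""
    tainted, stamps = {source}, defaultdict(list)
    for ts, sender, recipient, amount in sorted(transfers, key=lambda t: t[0]):
        if sender not in tainted:
            continue
        if recipient != MIXER:
            tainted.add(recipient)          # naive taint: any recipient of tainted funds
        elif abs(amount - CHUNK) <= TOLERANCE:
            stamps[sender].append(ts)       # chunk-sized deposit into the mixer
    alerts = {}
    for sender, times in stamps.items():
        start = best = 0
        for end, ts in enumerate(times):
            while ts - times[start] > WINDOW:
                start += 1                  # slide window start forward
            best = max(best, end - start + 1)
        if best >= MIN_CHUNKS:
            alerts[sender] = best
    return alerts

if __name__ == "__main__":
    print(chunked_mixer_deposits(TRANSFERS, TREASURY))
```

The taint step marks every recipient of downstream funds, so in practice it over-flags high-traffic addresses such as exchanges and needs an allowlist before it can drive alerts.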

CertiK, which was among the first to surface suspicious activity, highlighted early withdrawals involving Wrapped ETH and IP-related tokens that were sent to an externally owned account. CertiK reported the destination account appeared to have been set up using the SafeProxyFactory, a deployment component tied to the Safe (formerly Gnosis Safe) multisig ecosystem. That detail sharpened the focus on wallet infrastructure and signer security rather than contract math—suggesting the attacker’s edge may have come from compromised keys, manipulated signing, misconfigured thresholds, or other operational weaknesses that sit above smart-contract code. Unleash Protocol said the incident affected protocol treasury funds rather than individual user wallets, while specifics about the exact compromise pathway and any recovery or reimbursement measures were not established alongside the initial disclosure.

This article has been refined and enhanced by ChatGPT.

© 2017 - 2025 COIN360.com. All Rights Reserved.