DeFi can’t stop bleeding, and Wasabi Protocol is the latest to find out why.
Wasabi Protocol, a perpetuals trading platform built on Ethereum and Base, was drained of approximately $4.55 million on Thursday after attackers compromised the protocol’s deployer key, security firm Blockaid said in an X post.
The hack is the latest in a month that has produced over $605 million in DeFi losses across at least 12 incidents.
The mechanic was an externally owned account, or EOA, called wasabideployer.eth held the sole ADMIN_ROLE in Wasabi’s permission system.
An EOA is a wallet controlled by a private key, as opposed to a smart contract. Whoever holds the key controls the wallet. Once the attacker had access to the deployer key, they called grantRole on the permission contract to give themselves admin privileges with zero delay.
Their helper contract then upgraded Wasabi’s perp vaults and LongPool to malicious implementations that drained the balances, Blockaid said.
The exploit relied on UUPS upgradeability, a pattern where a smart contract can swap out its underlying code while keeping the same address.
UUPS is widely used because it lets developers fix bugs without migrating users. It also means that if an attacker controls admin permissions, they can replace the contract’s logic with anything they want, including code designed to steal funds.
Wasabi had no timelock or multisig protecting the admin role, Blockaid said. A timelock forces a delay between when an admin action is announced and when it executes, giving users time to react. A multisig requires multiple signers to approve a change. Wasabi had neither, leaving a single key holding full control over the protocol.
🚨 Blockaid’s exploit detection system identified an on-going admin-key compromise exploit on @wasabi_protocol across Ethereum and Base. The Wasabi: Deployer EOA was used to grant ADMIN_ROLE to an attacker helper contract, which then UUPS-upgraded the perp vaults and LongPool to…
— Blockaid (@blockaid_) April 30, 2026
Compromised contracts include Wasabi’s wWETH, sUSDC, wBITCOIN, wPEPE, and Long Pool vaults on Ethereum, plus its sUSDC, wWETH, sBTC, sVIRTUAL, sAERO, and sBRETT vaults on Base, per Blockaid.
Users holding Wasabi LP tokens were urged to revoke any active approvals to the vault contracts, since the underlying assets backing those tokens had either been drained or remained at risk.
The Wasabi attack closely mirrors the Drift Protocol exploit on April 1, when North Korea-linked attackers used a compromised admin key to drain $285 million from the Solana-based perpetuals exchange.
In that case, the attackers also exploited a single-key admin setup with no governance timelock, listing a fake token as collateral and raising withdrawal limits to drain real assets in roughly 12 minutes.
Three weeks later, on April 19, Kelp DAO lost $292 million when an attacker exploited a single-verifier configuration in the protocol’s LayerZero bridge, releasing 116,500 unbacked rsETH that was then used as collateral to borrow real ether from Aave.
The cumulative DeFi loss total for 2026 has now passed $770 million across more than 30 reported incidents. April alone accounts for the majority of that figure.
Smaller breaches this month have hit CoW Swap ($1.2 million), Grinex ($13.74 million), Resolv Labs ($23 million), Volo Protocol ($3.5 million), among others.
What ties them together is not a new vulnerability. Each incident produces the same post-mortem language about lessons learned, but the next exploit usually arrives before the lessons get implemented.
Wasabi has not yet issued a public statement on the incident.
Leave a Reply