Wasabi Protocol drained for $4.5 million in apparent admin key compromise
The exploit used a similar playbook as Drift's $285 million breach earlier this month — a compromised deployer key with no timelock or multisig that resulted in a drain of funds.
By Shaurya Malwa Apr 30, 2026, 10:37 a.m. 3 min readMake preferred on
What to know:
- Wasabi Protocol, a perpetuals trading platform on Ethereum and Base, was drained of about $4.55 million after attackers compromised its deployer admin key.
- The attacker used the compromised key to grant themselves admin privileges and UUPS-upgrade Wasabi’s vault contracts to malicious versions, draining assets from multiple pools on both chains.
- The incident, which lacked safeguards such as a timelock or multisig on the admin role, adds to more than $770 million in DeFi losses this year and echoes recent key-compromise exploits at Drift Protocol and Kelp DAO.
DeFi can't stop bleeding, and Wasabi Protocol is the latest to find out why.
Wasabi Protocol, a perpetuals trading platform built on Ethereum and Base, was drained of approximately $4.55 million on Thursday after attackers compromised the protocol's deployer key, security firm Blockaid said in an X post.
The hack is the latest in a month that has produced over $605 million in DeFi losses across at least 12 incidents.
The mechanic was an externally owned account, or EOA, called wasabideployer.eth held the sole ADMIN_ROLE in Wasabi's permission system.
An EOA is a wallet controlled by a private key, as opposed to a smart contract. Whoever holds the key controls the wallet. Once the attacker had access to the deployer key, they called grantRole on the permission contract to give themselves admin privileges with zero delay.
Their helper contract then upgraded Wasabi's perp vaults and LongPool to malicious implementations that drained the balances, Blockaid said.
The exploit relied on UUPS upgradeability, a pattern where a smart contract can swap out its underlying code while keeping the same address.
UUPS is widely used because it lets developers fix bugs without migrating users. It also means that if an attacker controls admin permissions, they can replace the contract's logic with anything they want, including code designed to steal funds.
Wasabi had no timelock or multisig protecting the admin role, Blockaid said. A timelock forces a delay between when an admin action is announced and when it executes, giving users time to react. A multisig requires multiple signers to approve a change. Wasabi had neither, leaving a single key holding full control over the protocol.
🚨 Blockaid's exploit detection system identified an on-going admin-key compromise exploit on @wasabi_protocol across Ethereum and Base. The Wasabi: Deployer EOA was used to grant ADMIN_ROLE to an attacker helper contract, which then UUPS-upgraded the perp vaults and LongPool to…
— Blockaid (@blockaid_) April 30, 2026
Compromised contracts include Wasabi's wWETH, sUSDC, wBITCOIN, wPEPE, and Long Pool vaults on Ethereum, plus its sUSDC, wWETH, sBTC, sVIRTUAL, sAERO, and sBRETT vaults on Base, per Blockaid.
Users holding Wasabi LP tokens were urged to revoke any active approvals to the vault contracts, since the underlying assets backing those tokens had either been drained or remained at risk.
The Wasabi attack closely mirrors the Drift Protocol exploit on April 1, when North Korea-linked attackers used a compromised admin key to drain $285 million from the Solana-based perpetuals exchange.
In that case, the attackers also exploited a single-key admin setup with no governance timelock, listing a fake token as collateral and raising withdrawal limits to drain real assets in roughly 12 minutes.
Three weeks later, on April 19, Kelp DAO lost $292 million when an attacker exploited a single-verifier configuration in the protocol's LayerZero bridge, releasing 116,500 unbacked rsETH that was then used as collateral to borrow real ether from Aave.
The cumulative DeFi loss total for 2026 has now passed $770 million across more than 30 reported incidents. April alone accounts for the majority of that figure.
Smaller breaches this month have hit CoW Swap ($1.2 million), Grinex ($13.74 million), Resolv Labs ($23 million), Volo Protocol ($3.5 million), among others.
What ties them together is not a new vulnerability. Each incident produces the same post-mortem language about lessons learned, but the next exploit usually arrives before the lessons get implemented.
Wasabi has not yet issued a public statement on the incident.
More For You
The Protocol: Mythos forces crypto industry to rethink security practices
By Margaux Nijkerk|Edited by Sheldon Reback19 hours ago
Also: Aave’s $300 million recovery effort, crypto for AI agents, and Bitcoin proposal for Satoshi-linked tokens.
What to know:
Welcome to The Protocol, CoinDesk's weekly wrap of the most important stories in cryptocurrency tech development. I’m Margaux Nijkerk, a reporter at CoinDesk.
In this issue:
- How Anthropic’s Mythos model is forcing the crypto industry to rethink everything about security
- Industry leaders are pouring hundreds of millions into a rescue...
XO Market bets on user-generated prediction markets to rival Polymarket and Kalshi
2 hours ago
Dogecoin zooms 10%, breaking away from bitcoin as open interest hits a yearly peak
3 hours ago
Trump-backed World Liberty Financial races toward 62 billion token unlock with near-unanimous vote
3 hours ago
Ouch. The U.S. 30-year Treasury yield just hit 5% and bitcoin may pay the price
4 hours ago
Bitcoin slides toward $75,000, ETH, SOL, XRP drop as oil hits four-year high
4 hours ago
Hyperliquid’s HYPE token could be its prediction market weapon, Arthur Hayes says
6 hours agoTop Stories
Jack Mallers' Twenty One Capital surges after majority holder Tether proposes 3-way merger
12 hours ago
Big Tech's multi-billion dollar AI bets are still on track as Mag 7 giants report earnings
13 hours ago
