On April 30, 2026, decentralized finance protocol Wasabi Protocol suffered a critical security incident when an attacker seized the deployer EOA admin key, draining an estimated 4.5 to 5.5 million dollars from perp vaults and liquidity pools across three blockchains: Ethereum, Base, and Blast. This incident adds to a devastating month for DeFi, which has seen over 600 million dollars in losses across roughly a dozen confirmed exploits.
Attack Details and Timeline
The compromised address, 0x5c629f8c0b5368f523c85bfe79d2a8efb64fb0c8, was the sole admin key controlling Wasabi's Perpmanager contracts. The attack began around 07:48 UTC and lasted approximately two hours. First, the attacker granted the ADMIN_ROLE to a malicious helper contract. They then executed unauthorized UUPS proxy upgrades on Wasabivault proxies and the Wasabilongpool, before sweeping collateral and pool balances across all three chains.
Security firm Hypernative flagged the incident with high-severity alerts across all three chains in real time. Blockaid, Cyvers, and Defimonalerts also detected the activity. Hypernative confirmed it is not a Wasabi customer but detected the breach independently and pledged a full technical analysis.
Lost Assets Breakdown
The largest single loss was reportedly 840.9 WETH, worth over 1.9 million dollars at the time of the attack. Other drained assets included sUSDC, sREKT, PEPE, MOG, NEIRO, ZYN, and bitcoin, along with Base-chain assets such as VIRTUAL, AERO, and cbBTC. According to Defillama data, Wasabi's total value locked (TVL) stood at roughly 8.5 million dollars across chains before the exploit.
Root Cause: Key Management Failure, Not Code Vulnerability
This was a key-management failure, not a smart contract vulnerability. No reentrancy or logic exploits were involved. The attacker likely obtained the private key through phishing, malware, or direct theft, then abused the upgradeable proxy architecture to drain funds without triggering conventional security checks. Wasabi Protocol had previously undergone audits from Zellic and Sherlock, but this attack bypassed those protections entirely because it targeted the centralized control point.
Related Projects and Mitigation
Virtuals Protocol, which powered margin deposits through Wasabi, moved quickly after the breach was detected. The team froze all margin deposits and confirmed its own security remained fully intact. Trading, withdrawals, and agent operations on Virtuals continued without disruption. The team warned users to avoid signing any Wasabi-related transactions.
As of the latest available data, Wasabi Protocol had not issued a public statement or incident post. The protocol has previously communicated quickly during unrelated incidents.
Urgent Action Required for Users
Users with exposure are advised to revoke all Wasabi approvals across Ethereum, Base, and Blast immediately. Tools like Revoke.cash, Etherscan, and Basescan can help identify active approvals. Any remaining LP positions should be withdrawn without delay. No Wasabi-related transactions should be signed until the team confirms key rotation and full contract integrity.
Broader Context: April 2026 DeFi Attack Wave
The Wasabi breach did not happen in isolation. April 2026 has seen more than 600 million dollars drained from DeFi protocols across roughly a dozen confirmed incidents, making it one of the worst months on record. The month opened on April 1 with attackers draining approximately 285 million dollars from Drift Protocol on Solana in under 20 minutes using governance manipulation and oracle abuse. A second major blow came around April 18 when a Layerzero bridge exploit hit KelpDAO on Ethereum, draining roughly 292 million dollars in rsETH and triggering over 10 billion dollars in downstream contagion across lending platforms, including Aave. Smaller hits landed throughout the month on Silo Finance, Cow Swap, Grinex, Rhea Finance, and Aftermath Finance.
The pattern across nearly every incident points away from code-level bugs and toward admin key compromises, bridge weaknesses, and upgradeable proxy risks, exposing centralized control points that audits alone cannot protect against.
The Wasabi situation remains active. Users should monitor the official @wasabi_protocol account and security firm feeds for updates.

