Wasabi Protocol Loses $5M in Admin Key Hack Across Three Chains: DeFi Security Under Threat

Wasabi Protocol Loses $5M in Admin Key Hack Across Three Chains: DeFi Security Under Threat

N
News Editor 01
2026-07-08 14:20:16
On April 30, 2026, Wasabi Protocol suffered a $4.5M-$5.5M loss after an attacker seized its deployer admin key on Ethereum, Base, and Blast. The hack exploited proxy upgrade vulnerabilities via compromised private keys. Users are urged to revoke all approvals immediately. This incident adds to over $600M in DeFi losses in April 2026.
DeFi securityprivate key compromiseproxy upgrade vulnerabilitycrypto hackWasabi Protocol

Wasabi Protocol, a decentralized finance (DeFi) platform offering perpetual futures vaults and liquidity pools, suffered a major security breach on April 30, 2026. An attacker compromised the deployer's admin key and drained an estimated $4.5 million to $5.5 million across Ethereum, Base, and Blast blockchains.

Attack Details: Private Key Compromise, Not Code Exploit

The attack began at approximately 07:48 UTC and lasted roughly two hours. The compromised address—0x5c629f8c0b5368f523c85bfe79d2a8efb64fb0c8—was the sole admin key controlling Wasabi's Perpmanager contracts. The attacker used it to grant ADMIN_ROLE to a malicious helper contract, then executed unauthorized UUPS proxy upgrades on Wasabivault proxies and the Wasabilongpool. This allowed the attacker to sweep collateral and pool balances across all three chains.

Security firms Hypernative, Blockaid, Cyvers, and Defimonalerts detected the activity in real time. Hypernative, though not a Wasabi customer, issued high-severity alerts and pledged a full technical analysis. The breach was a textbook key-management failure—no reentrancy or logic exploits were involved. The attacker likely obtained the private key through phishing, malware, or direct theft, then abused the upgradeable proxy architecture to bypass conventional security checks.

Assets Drained: WETH, MEME Coins, and Cross-Chain Holdings

The largest single loss was 840.9 WETH, worth over $1.9 million at the time. Other drained assets included sUSDC, sREKT, PEPE, MOG, NEIRO, ZYN, and bitcoin, along with Base-chain assets such as VIRTUAL, AERO, and cbBTC. According to DefiLlama data, Wasabi's total value locked (TVL) stood at roughly $8.5 million before the exploit, meaning over half of its locked value was stolen.

Virtuals Protocol, which relied on Wasabi for margin deposits, acted swiftly after the breach. It froze all margin deposits, confirmed its own security remained intact, and warned users to avoid signing Wasabi-related transactions. Trading, withdrawals, and agent operations on Virtuals continued without disruption.

Broader Context: DeFi Losses Surpass $600M in April 2026

The Wasabi incident did not occur in isolation. April 2026 has seen more than $600 million drained from DeFi protocols across roughly a dozen confirmed incidents, making it one of the worst months on record. On April 1, attackers drained approximately $285 million from Drift Protocol on Solana in under 20 minutes using governance manipulation and oracle abuse. Around April 18, a Layerzero bridge exploit hit KelpDAO on Ethereum, draining roughly $292 million in rsETH and triggering over $10 billion in downstream contagion across lending platforms including Aave. Smaller hits landed on Silo Finance, Cow Swap, Grinex, Rhea Finance, and Aftermath Finance.

The pattern across nearly every incident points away from code-level bugs and toward admin key compromises, bridge weaknesses, and upgradeable proxy risks—exposing centralized control points that audits alone cannot protect against.

No Official Statement Yet from Wasabi

As of the latest available data, Wasabi Protocol had not issued a public statement or incident post. The protocol previously communicated quickly during unrelated incidents and holds audits from Zellic and Sherlock, but this attack bypassed those protections entirely.

Users with exposure are advised to revoke all Wasabi approvals across Ethereum, Base, and Blast immediately using tools like Revoke.cash, Etherscan, and Basescan. Any remaining LP positions should be withdrawn without delay, and no Wasabi-related transactions should be signed until the team confirms key rotation and full contract integrity.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
300

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.