Wasabi Protocol, a decentralized finance (DeFi) platform offering perpetual futures vaults and liquidity pools, suffered a major security breach on April 30, 2026. An attacker compromised the deployer's admin key and drained an estimated $4.5 million to $5.5 million across Ethereum, Base, and Blast blockchains.
Attack Details: Private Key Compromise, Not Code Exploit
The attack began at approximately 07:48 UTC and lasted roughly two hours. The compromised address—0x5c629f8c0b5368f523c85bfe79d2a8efb64fb0c8—was the sole admin key controlling Wasabi's Perpmanager contracts. The attacker used it to grant ADMIN_ROLE to a malicious helper contract, then executed unauthorized UUPS proxy upgrades on Wasabivault proxies and the Wasabilongpool. This allowed the attacker to sweep collateral and pool balances across all three chains.
Security firms Hypernative, Blockaid, Cyvers, and Defimonalerts detected the activity in real time. Hypernative, though not a Wasabi customer, issued high-severity alerts and pledged a full technical analysis. The breach was a textbook key-management failure—no reentrancy or logic exploits were involved. The attacker likely obtained the private key through phishing, malware, or direct theft, then abused the upgradeable proxy architecture to bypass conventional security checks.
Assets Drained: WETH, MEME Coins, and Cross-Chain Holdings
The largest single loss was 840.9 WETH, worth over $1.9 million at the time. Other drained assets included sUSDC, sREKT, PEPE, MOG, NEIRO, ZYN, and bitcoin, along with Base-chain assets such as VIRTUAL, AERO, and cbBTC. According to DefiLlama data, Wasabi's total value locked (TVL) stood at roughly $8.5 million before the exploit, meaning over half of its locked value was stolen.
Virtuals Protocol, which relied on Wasabi for margin deposits, acted swiftly after the breach. It froze all margin deposits, confirmed its own security remained intact, and warned users to avoid signing Wasabi-related transactions. Trading, withdrawals, and agent operations on Virtuals continued without disruption.
Broader Context: DeFi Losses Surpass $600M in April 2026
The Wasabi incident did not occur in isolation. April 2026 has seen more than $600 million drained from DeFi protocols across roughly a dozen confirmed incidents, making it one of the worst months on record. On April 1, attackers drained approximately $285 million from Drift Protocol on Solana in under 20 minutes using governance manipulation and oracle abuse. Around April 18, a Layerzero bridge exploit hit KelpDAO on Ethereum, draining roughly $292 million in rsETH and triggering over $10 billion in downstream contagion across lending platforms including Aave. Smaller hits landed on Silo Finance, Cow Swap, Grinex, Rhea Finance, and Aftermath Finance.
The pattern across nearly every incident points away from code-level bugs and toward admin key compromises, bridge weaknesses, and upgradeable proxy risks—exposing centralized control points that audits alone cannot protect against.
No Official Statement Yet from Wasabi
As of the latest available data, Wasabi Protocol had not issued a public statement or incident post. The protocol previously communicated quickly during unrelated incidents and holds audits from Zellic and Sherlock, but this attack bypassed those protections entirely.
Users with exposure are advised to revoke all Wasabi approvals across Ethereum, Base, and Blast immediately using tools like Revoke.cash, Etherscan, and Basescan. Any remaining LP positions should be withdrawn without delay, and no Wasabi-related transactions should be signed until the team confirms key rotation and full contract integrity.

