On April 30, 2026, Wasabi Protocol suffered a devastating security breach. An attacker, having obtained the deployer's externally owned account (EOA) admin private key, drained approximately $4.5 million to $5.5 million from the protocol's perpetual vaults and liquidity pools across Ethereum, Base, and Blast blockchains. The incident underscores the critical risk of centralized admin keys in upgradeable proxy architectures.
Attack Breakdown: Two Hours, Three Chains
Security firm Hypernative flagged high-severity alerts across all three chains shortly after the exploit began at 07:48 UTC. Blockaid, Cyvers, and DeFimonalerts also detected the activity in real time. The compromised address, 0x5c629f8c…, was the sole admin controlling Wasabi's PerpManager contracts. The attacker used it to grant the ADMIN_ROLE to a malicious helper contract, then executed unauthorized UUPS proxy upgrades on WasabiVault proxies and the WasabiLongPool. A malicious contract called strategyDeposit() on seven to eight WasabiVault proxies, passing a fake strategy that triggered a drain() function, returning all collateral to the attacker. The WasabiLongPool on Ethereum and Base was subsequently upgraded to a malicious implementation that swept remaining balances.
Assets Drained: WETH and More
The largest single loss was 840.9 WETH, worth over $1.9 million at the time. Other drained assets included sUSDC, sREKT, PEPE, MOG, NEIRO, ZYN, bitcoin, and Base-chain assets such as VIRTUAL, AERO, and cbBTC. According to DefiLlama, Wasabi's total value locked (TVL) stood at roughly $8.5 million before the exploit, meaning the attacker captured the vast majority of the protocol's liquidity.
Root Cause: Key Management Failure, Not Smart Contract Bug
This was a pure key-management failure, not a reentrancy or logic exploit. The attacker likely obtained the private key through phishing, malware, or direct theft, then abused the upgradeable proxy architecture to drain funds without triggering conventional security checks. Wasabi had previously undergone audits by Zellic and Sherlock, but those audits could not protect against compromised admin keys.
Industry Impact: April 2026 Becomes Record Month for DeFi Hacks
Virtuals Protocol, which powered margin deposits through Wasabi, froze all margin deposits immediately after the breach and confirmed its own security remained fully intact. Trading, withdrawals, and agent operations continued without disruption. Virtuals warned users to avoid signing any Wasabi-related transactions.
The Wasabi breach is part of a devastating trend. April 2026 has seen more than $600 million drained from DeFi protocols across roughly a dozen confirmed incidents. The month opened with a $285 million attack on Drift Protocol via governance manipulation and oracle abuse. Around April 18, a LayerZero bridge exploit hit KelpDAO for $292 million, triggering over $10 billion in downstream contagion on platforms like Aave. Smaller attacks hit Silo Finance, Cow Swap, Grinex, and others.
The common thread across these incidents is not code-level bugs but admin key compromises, bridge weaknesses, and upgradeable proxy risks, exposing centralized control points that audits alone cannot cover.
Urgent User Action Required
As of the latest data, Wasabi Protocol has not issued a public statement or incident post. Security experts advise all users to immediately revoke all Wasabi approvals on Ethereum, Base, and Blast using tools like Revoke.cash, Etherscan, or Basescan. Any remaining LP positions should be withdrawn without delay, and no Wasabi-related transactions should be signed until the team confirms key rotation and full contract integrity.
The Wasabi attack serves as a stark reminder: upgradeable proxy contracts paired with centralized admin keys create a single point of failure that bypasses even well-audited code. When one key controls upgrade permissions across multiple chains, a single compromise becomes a protocol-wide catastrophe.

