Wasabi Protocol Drained of $4.5M–$5.5M in Multi-Chain Exploit via Compromised Admin Key
Multi-Chain, April 30, 2026 – DeFi derivatives platform Wasabi Protocol suffered a devastating exploit on Thursday, with attackers draining an estimated $4.5 million to $5.5 million across Ethereum, Base, Berachain, and Blast by compromising a single deployer admin key.
Security firms including Blockaid, PeckShield, CertiK, and BlockSec confirmed the breach stemmed from a key management failure, not a smart contract vulnerability, marking it as one of April 2026’s high-profile DeFi incidents.
Attack Mechanics: Admin Key Hijack and Proxy Upgrades
The exploit targeted Wasabi’s PerpManager contracts via the deployer wallet 0x5c629f8c0b5368f523c85bfe79d2a8efb64fb0c8, which held sole ADMIN_ROLE control without timelock or multisig safeguards.
- Attackers granted ADMIN_ROLE to a malicious helper contract.
- Executed unauthorized UUPS proxy upgrades on vaults (e.g., wWETH, sUSDC, wPEPE, LongPool on Ethereum/Base) and liquidity pools.
- Drained collateral including WETH, PEPE, MOG, USDC, cbBTC, AERO, VIRTUAL, consolidating funds into ETH and bridging to attacker addresses.
Blockaid noted the playbook mirrors the Drift Protocol’s $285M Solana hack earlier in April, highlighting risks in upgradeable proxies reliant on single keys.
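The sequence described above (an admin role granted to a new contract, followed by proxy upgrades) is visible in on-chain events. The following detection rule is an added example, not code from Wasabi or the security firms cited; it assumes the contracts emit OpenZeppelin-style RoleGranted and ERC-1967 Upgraded events, and every address, allowlist and event record in it is a constructed placeholder.

```python
# Added example: correlate admin-role grants with proxy upgrades per chain.
# Assumes OpenZeppelin-style RoleGranted and ERC-1967 Upgraded events,
# already decoded by an indexer. All records and addresses are constructed.
SAMPLE_EVENTS = [
    {"chain": "ethereum", "block": 100, "event": "RoleGranted",
     "role": "ADMIN_ROLE", "account": "0xHELPER", "sender": "0xDEPLOYER"},
    {"chain": "ethereum", "block": 101, "event": "Upgraded",
     "proxy": "0xVAULT_A", "implementation": "0xUNREVIEWED"},
    {"chain": "base", "block": 500, "event": "Upgraded",
     "proxy": "0xVAULT_B", "implementation": "0xREVIEWED"},
    {"chain": "base", "block": 900, "event": "Upgraded",
     "proxy": "0xVAULT_B", "implementation": "0xUNREVIEWED"},
]

APPROVED_GRANTERS = {"0xTIMELOCK"}   # hypothetical timelock or multisig address
APPROVED_IMPLS = {"0xREVIEWED"}      # hypothetical audited implementations
WINDOW_BLOCKS = 50                   # correlation window, chosen for illustration


def detect(events):
    """Return (severity, chain, block, reason) tuples in chain/block order."""
    alerts = []
    last_bad_grant = {}  # chain -> block of latest grant made outside governance
    for ev in sorted(events, key=lambda e: (e["chain"], e["block"])):
        chain, block = ev["chain"], ev["block"]
        if ev["event"] == "RoleGranted" and ev["role"] == "ADMIN_ROLE":
            if ev["sender"] not in APPROVED_GRANTERS:
                last_bad_grant[chain] = block
                alerts.append(("HIGH", chain, block,
                               f"ADMIN_ROLE granted to {ev['account']} by {ev['sender']}"))
        elif ev["event"] == "Upgraded":
            if ev["implementation"] in APPROVED_IMPLS:
                continue  # upgrade to a reviewed implementation: expected
            grant = last_bad_grant.get(chain)
            chained = grant is not None and block - grant <= WINDOW_BLOCKS
            alerts.append(("CRITICAL" if chained else "HIGH", chain, block,
                           f"{ev['proxy']} upgraded to unreviewed {ev['implementation']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

An unreviewed upgrade that follows an out-of-governance admin grant on the same chain is escalated to CRITICAL; either signal alone is still reported as HIGH.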
Immediate Response and User Warnings
Wasabi Protocol paused operations and urged users to revoke all approvals on affected chains, treating LP tokens from compromised vaults as worthless.
Virtuals Protocol, which used Wasabi for margin deposits, froze inflows while confirming that its core security remained intact; trading continued uninterrupted.
- Team collaborated with SEAL-911 and Blockaid for forensics and fund tracing.
- Removed all admin roles (e.g., ADMIN, roles 100–103) from the compromised key, sealing the vector.
- No compensation plan announced yet; users advised against interacting with contracts.
Broader Implications for DeFi Security
This incident underscores persistent DeFi risks: centralized key reliance in “decentralized” protocols, multi-chain amplification, and phishing/malware targeting deployers.
April 2026 has seen a surge in exploits, with Wasabi joining victims like Drift, underscoring the need for multisig, timelocks, and decentralized governance.
Wasabi, backed by Electric Capital and focused on leveraged memecoin/NFT trading, has not issued a full statement as investigations continue.
Disclaimers: All contents in this article are for informational purposes only and do not constitute any form of advice. Third-party websites and their content are provided for informational purposes and user convenience only. Rola News does not control, endorse, or assume responsibility for any third-party websites, including their content, accuracy, privacy practices, or any subsequent changes or updates made to them. This article is AI-assisted and has been reviewed by our editorial team.