What to Know
- $4.55 million was drained from Wasabi Protocol on Thursday after attackers gained access to the deployer key
- Security firm Blockaid identified the exploit as an admin key compromise with no timelock or multisig safeguards
- Compromised vaults span both Ethereum and Base, covering wWETH, sUSDC, wBITCOIN, wPEPE, and multiple Base assets
- April 2026 DeFi losses now exceed $605 million across at least 12 separate incidents
A Wasabi Protocol admin key compromise on Thursday drained approximately $4.55 million from the perpetuals trading platform’s vaults on Ethereum and Base, security firm Blockaid confirmed. The attacker exploited a single-key permission setup with no timelock or multisig protection, upgraded Wasabi’s vault contracts to malicious code, and walked away with the funds. It is one more data point in what has become the worst month for DeFi security in 2026.
How the Wasabi Protocol Attack Worked
The entry point was a wallet called wasabideployer.eth, an externally owned account that held the sole ADMIN_ROLE in Wasabi’s permission system. An externally owned account, or EOA, is a wallet controlled by a single private key rather than by smart contract logic, so there is no on-chain code between the key and any action it takes. One key, full control.
Once the attacker had that key, they called grantRole on the permission contract, giving their helper contract admin privileges with zero delay. No waiting period. No second signature required. The admin key compromise was over before most users even noticed anything was wrong.
From there, the attacker’s helper contract used UUPS upgradeability to swap out the logic inside Wasabi’s perp vaults and LongPool. UUPS stands for Universal Upgradeable Proxy Standard (EIP-1822), a pattern that lets developers update a smart contract’s code while keeping the same on-chain address. In UUPS the upgrade function lives in the implementation contract itself and is gated only by whatever authorization check that implementation performs, so any account that passes the admin check can point the proxy at arbitrary code. Developers use it to patch bugs without forcing users to migrate. Attackers use it to replace working code with code designed to drain balances. In this case, the drain was complete before Blockaid’s on-chain detection system could block it.
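The grantRole-then-upgrade sequence described above is a detectable pattern in decoded event logs. The following is an added example written for this article; it is not Blockaid’s detection logic or any Wasabi code. The event records, addresses, block numbers and the ADMIN_ROLE identifier are constructed placeholders, and each record carries both the transaction origin (available from the receipt) and the emitting call’s msg.sender (which in practice requires a call trace to recover).

```python
"""Flag the grantRole -> UUPS upgrade escalation in decoded event logs.

Added example for this article; not Blockaid's detection logic or Wasabi code.
Events, addresses and block numbers below are constructed for the demo.
"""
from dataclasses import dataclass

# Assumption: the role id is keccak256("ADMIN_ROLE"); read it from the target
# contract in a real deployment. A label is used here instead of the hash.
ADMIN_ROLE = "ADMIN_ROLE"


@dataclass
class Event:
    block: int
    tx_origin: str   # EOA that signed the transaction (from the receipt)
    caller: str      # msg.sender of the call that emitted the log (from a trace)
    address: str     # contract that emitted the log
    name: str        # decoded event name
    args: dict


@dataclass
class Alert:
    severity: str
    block: int
    message: str


def detect_admin_escalation(events, proxies, role=ADMIN_ROLE, window_blocks=50):
    """Two rules over a block-ordered event stream:
    1. medium: a privileged RoleGranted where caller == tx_origin, i.e. an EOA
       invoked grantRole directly with no timelock or multisig contract in the path;
    2. critical: an Upgraded event on a monitored proxy whose caller received the
       role at most window_blocks earlier (escalate, then swap the implementation).
    """
    alerts = []
    granted_at = {}  # account -> block in which it received `role`
    for ev in sorted(events, key=lambda e: e.block):  # stable: same-block order kept
        if ev.name == "RoleGranted" and ev.args.get("role") == role:
            account = ev.args["account"]
            granted_at[account] = ev.block
            if ev.caller == ev.tx_origin:
                alerts.append(Alert("medium", ev.block,
                    f"{role} granted to {account} directly by EOA {ev.tx_origin}"))
        elif ev.name == "Upgraded" and ev.address in proxies:
            since = ev.block - granted_at.get(ev.caller, -10**9)
            if 0 <= since <= window_blocks:
                alerts.append(Alert("critical", ev.block,
                    f"{ev.address} upgraded to {ev.args['implementation']} by "
                    f"{ev.caller}, granted {role} {since} block(s) earlier"))
    return alerts


# Constructed sample stream: a timelock-mediated grant and a routine upgrade by
# an established admin (benign), then the escalation pattern inside one block.
SAMPLE_EVENTS = [
    Event(1_000, "ops_signer", "timelock", "acl", "RoleGranted",
          {"role": ADMIN_ROLE, "account": "ops_multisig"}),
    Event(3_000, "ops_signer", "ops_multisig", "vault_wweth", "Upgraded",
          {"implementation": "VaultV2"}),
    Event(5_000, "deployer_eoa", "deployer_eoa", "acl", "RoleGranted",
          {"role": ADMIN_ROLE, "account": "helper_contract"}),
    Event(5_000, "deployer_eoa", "helper_contract", "vault_wweth", "Upgraded",
          {"implementation": "drain_impl"}),
    Event(5_000, "deployer_eoa", "helper_contract", "long_pool", "Upgraded",
          {"implementation": "drain_impl"}),
]
MONITORED_PROXIES = {"vault_wweth", "vault_susdc", "long_pool"}


def run_demo():
    """Run both rules over the constructed stream; returns the alert list."""
    return detect_admin_escalation(SAMPLE_EVENTS, MONITORED_PROXIES)


if __name__ == "__main__":
    for a in run_demo():
        print(a.severity.upper(), a.block, a.message)
```

On the constructed stream the first two events produce nothing (the grant went through a contract, and the upgrade came 2,000 blocks after the grant), while the block-5000 sequence yields one medium alert for the EOA-issued grant and one critical alert per upgraded proxy. The window check is what separates routine maintenance from escalation; the caller-equals-origin check is a cheap standing indicator that privileged actions are not passing through any governance contract.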
Blockaid’s exploit detection system identified an ongoing admin-key compromise exploit on @wasabi_protocol across Ethereum and Base. The Wasabi Deployer EOA was used to grant ADMIN_ROLE to an attacker helper contract, which then UUPS-upgraded the perp vaults and LongPool.
Which Vaults Were Hit?
According to Blockaid, the exploit touched a broad range of Wasabi Protocol vaults across both chains. On Ethereum, the compromised contracts included the wWETH, sUSDC, wBITCOIN, and wPEPE vaults along with the Long Pool. On Base, the attack hit the sUSDC, wWETH, sBTC, sVIRTUAL, sAERO, and sBRETT vaults.
Users holding Wasabi LP tokens across any of those vaults were warned to revoke active approvals immediately. The underlying assets backing the LP tokens had either been drained or remained at risk, Blockaid said. Waiting to act was not an option.
- Ethereum vaults hit: wWETH, sUSDC, wBITCOIN, wPEPE, Long Pool
- Base vaults hit: sUSDC, wWETH, sBTC, sVIRTUAL, sAERO, sBRETT
- LP token holders told to revoke approvals immediately
- Total drained: approximately $4.55 million
Why Did Wasabi Have No Timelock or Multisig?
This is the question worth sitting with. A timelock is a basic governance tool that forces a delay between when an admin action is announced and when it actually executes. That delay gives users and watchdogs time to notice, react, and exit if something looks wrong. A multisig requires more than one private key to approve a sensitive change. Together, they are the two most standard safeguards in DeFi protocol design.
Wasabi had neither. One wallet, one key, zero delay. The protocol handed a single point of failure full control over every vault on two chains.
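To make the difference concrete, here is an added example (written for this article, not Wasabi’s contracts) that models the same upgrade path under the two configurations. It mimics the control flow of an AccessControl-gated UUPS proxy and an OpenZeppelin-style timelock in plain Python; the names, the 48-hour delay and the balance are illustrative assumptions.

```python
"""The same upgrade path under a single-key admin and under a timelock.

Added example for this article, not Wasabi's contracts. Models the control
flow of an AccessControl/UUPS-style proxy and a TimelockController-style
schedule/execute/cancel state machine; names and values are assumptions.
"""
from dataclasses import dataclass, field


class Unauthorized(Exception):
    pass


class NotReady(Exception):
    pass


@dataclass
class Vault:
    """UUPS-style proxy: whoever passes the admin check can swap the implementation."""
    admin: str
    implementation: str = "VaultV1"
    balance: int = 4_550_000  # constructed figure

    def upgrade_to(self, caller: str, new_impl: str):
        if caller != self.admin:
            raise Unauthorized(caller)
        self.implementation = new_impl
        if new_impl == "DrainImpl":  # malicious logic sweeps the balance on install
            self.balance = 0


@dataclass
class Timelock:
    """Minimal schedule / execute / cancel state machine acting as the vault's sole admin."""
    min_delay: int
    proposers: set
    cancellers: set
    address: str = "timelock"
    queue: dict = field(default_factory=dict)

    def schedule(self, caller, op_id, target, new_impl, now):
        if caller not in self.proposers:
            raise Unauthorized(caller)
        self.queue[op_id] = {"ready_at": now + self.min_delay, "target": target,
                             "impl": new_impl, "cancelled": False}
        return self.queue[op_id]["ready_at"]  # the pending upgrade is now public

    def cancel(self, caller, op_id):
        if caller not in self.cancellers:
            raise Unauthorized(caller)
        self.queue[op_id]["cancelled"] = True

    def execute(self, caller, op_id, now):
        op = self.queue[op_id]
        if op["cancelled"] or now < op["ready_at"]:
            raise NotReady(op_id)
        op["target"].upgrade_to(self.address, op["impl"])


def single_key_scenario():
    """Admin is an EOA: a stolen key upgrades and drains in one transaction."""
    vault = Vault(admin="deployer_eoa")
    vault.upgrade_to("deployer_eoa", "DrainImpl")
    return vault.balance, vault.implementation


def timelock_scenario(delay=48 * 3600):
    """Admin is a timelock: the stolen key can only queue the upgrade, and a guardian cancels it."""
    tl = Timelock(min_delay=delay, proposers={"deployer_eoa"},
                  cancellers={"guardian_multisig"})
    vault = Vault(admin=tl.address)
    outcomes = []
    try:                                   # direct call: the key is no longer the admin
        vault.upgrade_to("deployer_eoa", "DrainImpl")
    except Unauthorized:
        outcomes.append("direct upgrade rejected")
    ready_at = tl.schedule("deployer_eoa", "op1", vault, "DrainImpl", now=0)
    try:                                   # immediate execution: delay not elapsed
        tl.execute("deployer_eoa", "op1", now=0)
    except NotReady:
        outcomes.append("early execute rejected")
    tl.cancel("guardian_multisig", "op1")  # responders act inside the window
    try:                                   # after the delay: operation was cancelled
        tl.execute("deployer_eoa", "op1", now=ready_at)
    except NotReady:
        outcomes.append("cancelled op rejected")
    return vault.balance, vault.implementation, outcomes
```

In the single-key case the stolen key is the admin, so the first call installs the draining implementation. In the timelock case the compromised key is only a proposer: it can queue the upgrade, which makes the intent public for the full delay, and a canceller can kill it before it becomes executable. Putting a multisig rather than the deployer key in the proposer set closes the remaining single-key path, since the attacker could then not even schedule the operation.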
This is not a new lesson. Security researchers have been writing about the single-key admin risk for years. It shows up in post-mortems constantly. And yet protocols keep shipping with it. The gap between knowing the fix and implementing it is clearly wider than the DeFi industry likes to admit.
Is the Wasabi Attack Similar to the Drift Protocol Exploit?
Yes, and the resemblance is uncomfortably close. The Drift Protocol exploit hit on April 1, when attackers linked to North Korea used a compromised admin key to drain $285 million from the Solana-based perpetuals exchange. That attack also exploited a single-key admin setup with no governance timelock. The attackers listed a fake token as collateral, raised withdrawal limits inside the protocol, and pulled out real assets in roughly 12 minutes.
Wasabi’s attack followed the same basic playbook: get the admin key, bypass the non-existent safeguards, drain the funds. The specific technical steps differ slightly because Ethereum and Solana handle smart contract upgrades differently. The root cause was identical.
Three weeks after Drift, on April 19, Kelp DAO lost $292 million when an attacker exploited a single-verifier configuration in the protocol’s LayerZero bridge. The attacker released 116,500 unbacked rsETH tokens, used them as collateral, and borrowed real ether from Aave. Different mechanism, same underlying theme: insufficient checks on a privileged role.
What Does April 2026 Tell Us About DeFi Security?
The cumulative DeFi loss total for 2026 has passed $770 million across more than 30 reported incidents. April alone accounts for the majority of that figure. The month is not over.
Smaller breaches this month hit CoW Swap for $1.2 million, Grinex for $13.74 million, Resolv Labs for $23 million, and Volo Protocol for $3.5 million. Each incident is different in its mechanics. What ties them together is not a new category of vulnerability. Single admin keys, missing timelocks, single-verifier bridges, and insufficient access controls are not novel attack surfaces. They are problems the industry documented years ago.
Every major exploit produces the same kind of post-mortem. Lessons learned. Security reviews planned. Governance improvements promised. Then the next exploit arrives before the previous post-mortem’s action items get implemented. Wasabi has not issued a public statement on the incident as of Thursday. That silence is itself a pattern worth noting.
The DeFi security crisis of April 2026 is not primarily a technical problem. The technical fixes exist and are well understood. It is a prioritization problem. Deploying fast beats deploying safely, and users pay the difference.
Frequently Asked Questions
What is the Wasabi Protocol admin key compromise?
The Wasabi Protocol admin key compromise refers to an April 30, 2026 exploit where an attacker gained control of wasabideployer.eth, the single wallet holding full admin permissions over the protocol. Using that access, the attacker upgraded vault contracts to malicious code and drained approximately $4.55 million from vaults on Ethereum and Base.
What is a UUPS upgrade and why does it matter for DeFi security?
UUPS stands for Universal Upgradeable Proxy Standard. It lets a smart contract’s underlying code be replaced while keeping the same blockchain address. Developers use it to push bug fixes. Attackers use it to swap working code for malicious code if they gain admin access, as happened in the Wasabi Protocol exploit on April 30.
How does the Wasabi Protocol hack compare to the Drift Protocol exploit?
Both attacks exploited a single compromised admin key with no timelock or multisig protection. Drift Protocol lost $285 million on April 1 when North Korea-linked attackers drained the Solana-based perpetuals exchange in roughly 12 minutes. Wasabi lost $4.55 million through the same single-key permission structure on Ethereum and Base.
What should Wasabi Protocol LP token holders do after the exploit?
Blockaid urged all users holding Wasabi LP tokens to revoke any active approvals to the compromised vault contracts immediately. The underlying assets backing those tokens had been drained or remained at risk. Users can revoke approvals using tools like Revoke.cash by connecting their wallet and canceling Wasabi vault permissions.
This article is for informational purposes only and does not constitute investment advice. Every investment and trading decision involves risk. Readers should conduct their own research before making any financial decisions.