TL;DR:
- Wasabi Protocol suffered an apparent admin-key compromise that drained roughly $4.55 million from perp vaults and liquidity pools across multiple chains.
- The attacker reportedly used a compromised deployer address to grant ADMIN_ROLE, upgrade Wasabi contracts and sweep balances without a conventional smart-contract bug.
- Virtuals froze margin deposits, users were warned to avoid Wasabi transactions, and the next priorities are approvals, key rotation and a detailed technical post-mortem across affected chains.
Wasabi Protocol became another bruising entry in DeFi’s April security ledger after an apparent admin-key compromise drained roughly $4.55 million from its trading infrastructure across multiple chains. The attack hit perp vaults and liquidity pools tied to Ethereum, Base and Blast, turning a privileged deployer wallet into the center of a protocol-wide failure. What makes the episode so unsettling is the simplicity of the control point: one compromised admin pathway appears to have been enough to convert upgrade permissions into direct fund extraction, in a month already marked by more than $600 million in DeFi losses.
🚨 Blockaid's exploit detection system identified an on-going admin-key compromise exploit on @wasabi_protocol across Ethereum and Base. The Wasabi: Deployer EOA was used to grant ADMIN_ROLE to an attacker helper contract, which then UUPS-upgraded the perp vaults and LongPool to…
— Blockaid (@blockaid_) April 30, 2026
Admin Keys Become DeFi’s Weakest Link
The mechanics point to an operational failure rather than a conventional smart-contract bug. The compromised deployer address reportedly controlled Wasabi’s Perpmanager contracts and was used to grant ADMIN_ROLE to a malicious helper contract. From there, the attacker executed unauthorized UUPS proxy upgrades on WasabiVault proxies and the WasabiLongPool, replacing legitimate logic with code that could sweep balances. In plain terms, the attack weaponized governance authority, using the protocol’s own upgrade architecture to move collateral, pool funds and user exposure into attacker-controlled flows without relying on reentrancy, oracle manipulation or an exotic code-level exploit.
Security monitors detected the incident as it unfolded, with Hypernative flagging high-severity alerts across three chains and Blockaid, Cyvers and Defimonalerts also identifying suspicious activity. The attack reportedly began around 07:48 UTC and lasted about two hours, during which funds were consolidated into ETH, bridged where necessary and distributed across several addresses. The largest reported single loss was 840.9 WETH, worth more than $1.9 million at the time. For users, the blast radius extended beyond one vault, touching assets including sUSDC, PEPE, MOG, NEIRO, ZYN, bitcoin, VIRTUAL, AERO and cbBTC before approvals became the urgent issue.
The incident also put related infrastructure on alert. Virtuals Protocol froze margin deposits after the breach while saying its own systems remained intact, and users were warned to avoid signing Wasabi-related transactions. With no public incident statement from Wasabi at the time of the latest available update, the next focus is key rotation, approval revocation and a technical post-mortem. The uncomfortable takeaway is audits did not neutralize key-management risk, because when upgradeable contracts depend on centralized admin access, one private-key failure can become a multi-chain liquidity event with consequences far beyond one protocol dashboard.
