Wasabi admin key compromised; attacker drains ~$5M

An attacker seized the deployer admin key for Wasabi Protocol on April 30, 2026, and drained an estimated $4.5 million to $5.5 million from perpetual vaults and liquidity pools on Ethereum, Base and Blast. The breach began at about 07:48 UTC and lasted roughly two hours.

The compromised address, 0x5c629f8c0b5368f523c85bfe79d2a8efb64fb0c8, was the single externally owned account that managed Perpmanager contracts. The attacker granted ADMIN_ROLE to helper contracts under their control on each chain. Those contracts then executed unauthorized UUPS proxy upgrades on multiple WasabiVault proxies and on the Wasabilongpool, enabling withdrawals of collateral and sweeps of pool balances.

The attacker called strategyDeposit() on several vault proxies with a fake strategy that triggered a drain() function. Assets were converted to ETH where convenient, bridged as needed, and moved across multiple addresses to consolidate and obfuscate proceeds.

On-chain records show the largest single take was 840.9 WETH, worth more than $1.9 million at the time. Other assets removed included sUSDC, sREKT, PEPE, MOG, NEIRO, ZYN, bitcoin and Base-chain tokens such as VIRTUAL, AERO and cbBTC. Wasabi’s total value locked was about $8.5 million across chains before the exploit. Early traces linked some transfers to mixer-like services.

Security monitors detected the activity in real time. Hypernative issued high-severity alerts across the three chains and intends to conduct a full technical analysis. Other security firms also flagged the incident. Virtuals Protocol, which handles margin deposits through Wasabi, froze margin deposits immediately and confirmed its own systems remained secure; trading and withdrawals on Virtuals continued without interruption.

Wasabi holds audits from Zellic and Sherlock. On-chain evidence indicates the attacker used the deployer private key to bypass administrative controls and upgrade trusted proxy implementations. Investigators are examining phishing, malware or direct theft as possible ways the private key was obtained.

Users with exposure have been urged to revoke Wasabi-related approvals on Ethereum, Base and Blast using tools such as Revoke.cash, Etherscan and Basescan, and to avoid signing any Wasabi transactions until the protocol confirms key rotation and contract integrity. Remaining liquidity positions should be withdrawn where possible.

The Wasabi exploit is one of several DeFi incidents in April 2026 that together drained more than $600 million from multiple protocols. Investigations into the Wasabi breach and the movement of stolen funds are ongoing. Wasabi had not posted a public incident statement at the time of reporting.