TLDR
- Wasabi Protocol was exploited for more than $5 million.
- Attackers gained control of Wasabi’s privileged admin key.
- Affected chains include Ethereum, Base, Berachain and Blast.
- Stolen assets included WETH, USDC, PEPE, MOG and cbBTC.
- Wasabi warned users not to interact with contracts during the probe.
Wasabi Protocol, a perpetuals trading platform operating across Ethereum, Base, Berachain, and Blast, has been exploited for more than $5 million after attackers gained control of a privileged admin key.
The attack affected multiple vaults and liquidity pools linked to the protocol. Blockchain security firms said the attacker used the compromised deployer wallet to grant admin permissions, upgrade contracts to malicious versions, and drain assets from Wasabi’s systems.
The Wasabi team said it was investigating the incident and warned users not to interact with its contracts until further notice. Virtuals Protocol also froze margin deposits powered by Wasabi as a precaution, while stating that its own security remained intact.
Wasabi Protocol Admin Key Compromise Led to Contract Takeover
Security firm Blockaid said the exploit began through an externally owned account known as wasabideployer.eth, which held the sole admin role in Wasabi’s permission system.
After gaining access to the deployer key, the attacker granted themselves privileged access without delay. They then used a helper contract to upgrade Wasabi’s perpetual vaults and pool contracts into malicious implementations designed to drain balances.
#PeckShieldAlert @wasabi_protocol has been exploited for $5M+ across multiple chains, including Ethereum, Base, Berachain, & Blast. pic.twitter.com/zkWjEkZMMp
— PeckShieldAlert (@PeckShieldAlert) April 30, 2026
The exploit involved the Universal Upgradeable Proxy Standard, a common smart contract upgrade method. UUPS allows developers to update contract logic while keeping the same contract address. However, if admin control is compromised, attackers can replace legitimate code with malicious code.
Blockaid said Wasabi did not have a timelock or multisig protecting the admin role. A timelock would have delayed sensitive changes, while a multisig would have required multiple approvals before contract upgrades could take effect.
Multiple Chains and Assets Were Affected
The compromised contracts included Wasabi vaults on Ethereum and Base, including wWETH, sUSDC, wBITCOIN, wPEPE, sBTC, sVIRTUAL, sAERO, and sBRETT.
Other security firms said the exploit also touched Berachain and Blast. Stolen assets reportedly included WETH, PEPE, MOG, USDC, ZYN, REKT, cbBTC, AERO, and VIRTUAL.
Cyvers said the attacker consolidated stolen funds into ETH, bridged assets to Ethereum, and distributed funds across several addresses. BlockSec noted that some accounts involved in the activity appeared to have been funded through Tornado Cash.
Users holding Wasabi LP-share tokens were warned that the underlying assets backing those tokens may have been drained or remain at risk. Security researchers advised users to revoke active approvals tied to affected vault contracts.
DeFi Key Management Risks Remain in Focus
The Wasabi exploit adds to a difficult month for decentralized finance security. More than $600 million has been lost across multiple attacks in recent weeks, including large incidents involving Drift Protocol and Kelp DAO.
The Wasabi incident shares similarities with other admin-key compromise attacks. In such cases, the code may function as designed, but operational control is too concentrated in one private key.
Security experts said the absence of delay mechanisms and multi-party approval systems remains a major risk for protocols managing user funds across several chains.
The Wasabi team has not yet released a full post-mortem. Further updates are expected after forensic review of the compromised deployer wallet, contract upgrades, affected vaults, and fund movements.
