Wasabi Protocol Loses $5M After Attacker Seizes Deployer Admin Key Across 3 Chains

Key Takeaways:

• An attacker drained $4.5M to $5.5M from Wasabi Protocol by compromising the deployer EOA admin key on April 30, 2026.
• Virtuals Protocol froze margin deposits immediately after the breach, though its own security remained fully intact.
• Wasabi Protocol has not issued a public statement; users must revoke all approvals across Ethereum, Base, and Blast.

DeFi Protocol Wasabi Loses $5M in Admin Key Hack

The compromised address, 0x5c629f8c0b5368f523c85bfe79d2a8efb64fb0c8, was the sole admin key controlling Wasabi’s Perpmanager contracts. The attacker reportedly used it to grant the ADMIN_ROLE to a malicious helper contract, then executed unauthorized UUPS proxy upgrades on Wasabivault proxies and the Wasabilongpool before sweeping collateral and pool balances.

Security firm Hypernative flagged the incident with high-severity alerts across all three chains. Blockaid, Cyvers, and Defimonalerts also detected the activity in real time. Hypernative confirmed it is not a Wasabi customer but detected the breach independently and pledged a full technical analysis.

The attack began around 07:48 UTC and ran for approximately two hours. The deployer granted ADMIN_ROLE to attacker-controlled contracts on Ethereum, Base, and Blast. A malicious contract then called strategyDeposit() on seven to eight WasabiVault proxies, passing a fake strategy that triggered a drain() function returning all collateral to the attacker.

The Wasabilongpool on Ethereum and Base was then upgraded to a malicious implementation that swept remaining balances. Funds were consolidated into ETH, bridged where needed, and distributed across multiple addresses. Early reports noted some activity linked to Tornado Cash.

The largest single loss was reportedly 840.9 WETH, worth more than $1.9 million at the time of the attack. Other drained assets included sUSDC, sREKT, PEPE, MOG, NEIRO, ZYN, and bitcoin, along with Base-chain assets such as VIRTUAL, AERO, and cbBTC. Wasabi’s total value locked (TVL) stood at roughly $8.5 million across chains before the exploit, according to Defillama data.

This was a key-management failure, not a smart contract vulnerability. No reentrancy or logic exploits were involved. The attacker likely obtained the private key through phishing, malware, or direct theft, then abused the upgradeable proxy architecture to drain funds without triggering conventional security checks.

Virtuals Protocol, which powered margin deposits through Wasabi, moved quickly after the breach was detected. The team froze all margin deposits and confirmed its own security was fully intact. Trading, withdrawals, and agent operations on Virtuals continued without disruption. The team warned users to avoid signing any Wasabi-related transactions.

Wasabi Protocol had not issued a public statement or incident post as of the latest available data. The protocol has previously communicated quickly during unrelated incidents and holds audits from Zellic and Sherlock, but this attack bypassed those protections entirely.

Users with exposure are advised to revoke all Wasabi approvals across Ethereum, Base, and Blast immediately. Tools like Revoke.cash, Etherscan, and Basescan can help identify active approvals. Any remaining LP positions should be withdrawn without delay, and no Wasabi-related transactions should be signed until the team confirms key rotation and full contract integrity.

The incident fits a pattern seen across DeFi in 2026: upgradeable proxy contracts paired with centralized admin keys create a single point of failure that bypasses even well-audited code. When one key controls upgrade permissions across multiple chains, a single compromise becomes a protocol-wide event.

The Wasabi breach did not happen in isolation. April 2026 has seen more than $600 million drained from DeFi protocols across roughly a dozen confirmed incidents, making it one of the worst months on record for the sector. The month opened on April 1 with attackers draining approximately $285 million from Drift Protocol on Solana in under 20 minutes using governance manipulation and oracle abuse.

A second major blow came around April 18 when a Layerzero bridge exploit hit KelpDAO on Ethereum, draining roughly $292 million in rsETH and triggering over $10 billion in downstream contagion across lending platforms, including Aave. Smaller hits landed throughout the month on Silo Finance, Cow Swap, Grinex, Rhea Finance, and Aftermath Finance, among others.

The pattern across nearly every incident points away from code-level bugs and toward admin key compromises, bridge weaknesses, and upgradeable proxy risks, exposing centralized control points that audits alone cannot protect against.

The Wasabi situation remains active. Users should monitor the official @wasabi_protocol account and security firm feeds for updates.