Wasabi Protocol Loses $5M+ in Admin-Key Exploit

What Happened

On-chain perpetual futures protocol Wasabi was hacked on April 30, 2026, with attackers draining over $5 million across Ethereum, Base, Berachain, and Blast, as blockchain security firm PeckShield reported.

The attacker gained ADMIN_ROLE through the protocol's deployer wallet — identified as wasabideployer.eth, the sole address holding that role in Wasabi's PerpManager AccessManager — then upgraded the vaults to a malicious implementation that siphoned user balances. Approximately $4.55 million had been extracted at initial count, with investigations still active.

Wasabi acknowledged the incident on X, urging users to avoid using the protocol while investigations are under way, and confirmed it had engaged professional on-chain security responders, including SEAL 911 and Blockaid.

How the Attack Was Executed

The attack was carried out through a mechanism known as a UUPS upgrade exploit. After compromising the deployer account, the attacker initiated a contract upgrade that replaced secure code with malicious logic, redirecting funds from vaults and liquidity pools into their own addresses. Because the protocol lacked a timelock mechanism, the changes were implemented instantly — leaving no window for developers or users to intervene.

Key technical details of the breach:

• The attacker called grantRole on the deployer EOA with zero delay, instantly converting their orchestrator contract into an admin.
• Wasabi and Spicy LP-share tokens from affected vaults are flagged as compromised, with redemption value approaching zero.
• Blockaid noted the same attacker address, orchestrator contract, and strategy bytecode tie this incident to earlier activity targeting Wasabi.
• There were no safeguards such as multi-signature authorization or time delays to prevent immediate execution of malicious actions.

April 2026: DeFi's Worst Month on Record

The Wasabi exploit did not occur in isolation. The hack caps off a brutal month for DeFi, marked by two major exploits and over twenty smaller incidents. The former head of DeFi at Monad noted on X that April 2026 resulted in approximately $635 million lost across 28 incidents in 30 days.

The month's two largest incidents were:

• Drift Protocol — On April 1, the Solana-based perpetuals exchange suffered roughly $270 million in outflows spanning more than 15 distinct token types, in what was reported as a North Korean state-linked operation six months in the making.
• Kelp DAO — On April 18, an attacker suspected of being North Korean state-backed exploited a LayerZero bridge, forging a cross-chain message that allowed minting of 116,500 rsETH with nothing locked on the source side. The attacker then deposited the unbacked rsETH into Aave as collateral and borrowed approximately $236 million in real WETH.

The response to the Kelp incident has included an unprecedented collective effort among DeFi protocols and individuals, dubbed DeFi United, which has raised over $300 million to restore the backing of Kelp's rsETH.

The AI-Hacker Theory

The frequency and precision of recent exploits has renewed debate about the tools attackers are using. Developer Vitto Rivabella publicly floated a theory that North Korea trained an in-house AI model on years of stolen DeFi data, suggesting it now operates as an autonomous exploiter draining protocols faster than human reviewers can patch them. While unverified, the hypothesis reflects a growing concern in the security community about the asymmetric advantage attackers may hold over protocol defense teams.

What Users Should Do Now

Security teams are urging affected individuals to revoke all smart contract permissions associated with the protocol as a critical first step. Tools such as Revoke.cash can help remove access previously granted to compromised contracts. Users should avoid interacting with suspicious links or unofficial recovery programs and monitor only verified official announcements.

Whether or not AI is accelerating the current wave of exploits, the Wasabi incident makes one structural problem unmistakably clear: single-key admin architectures without timelocks or multi-signature controls remain among the most exploitable vulnerabilities in DeFi today.

Published by Coinplurk.com