
Wasabi exploit drains up to $4.55M via deployer key compromise, raising concerns as team remains silent on user funds and protocol safety.
Author: Akshat Thakur
30th April 2026 – Wasabi Protocol lost up to $4.55 million on Wednesday after an attacker compromised its deployer key. The exploit drained liquidity from the multi-chain perpetuals platform across Ethereum and Base.
nairolf
@0xNairolf
@blockaid_ @wasabi_protocol dude stoppppp
🚨 Blockaid's exploit detection system identified an on-going admin-key compromise exploit on @wasabi_protocol across Ethereum and Base. The Wasabi: Deployer EOA was used to grant ADMIN_ROLE to an attacker helper contract, which then UUPS-upgraded the perp vaults and LongPool to
08:37 AM·Apr 30, 2026
Security firms CertiK and Blockaid flagged the exploit within minutes of each other. CertiK reported roughly $2.9 million drained, while Blockaid placed the total closer to $4.55 million. As of 18:00 UTC, Wasabi Protocol has not issued any public statement or acknowledged the incident.
The attack began at approximately 07:49 UTC. On-chain records show the attacker used the protocol’s own Deployer EOA to grant an ADMIN_ROLE to a custom helper contract. From there, the attacker executed UUPS upgrades on Wasabi’s perpetual vaults and LongPool contracts. The upgrades replaced legitimate logic with code designed to drain balances.
This was not a smart-contract bug like reentrancy or oracle manipulation. According to Blockaid, the attacker gained control of the Wasabi Deployer EOA, the wallet that originally deployed the protocol’s contracts.
With that access, the attacker granted administrative privileges to a helper contract. That contract then performed UUPS (Universal Upgradeable Proxy Standard) upgrades on the perpetual vaults and the LongPool.
In simple terms, UUPS allows a protocol to swap out contract logic behind a fixed address. The attacker swapped in malicious code that could withdraw all available liquidity.
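The sequence described above (an ADMIN_ROLE grant to a new contract, then proxy upgrades) can be watched for on-chain. The monitoring sketch below is an added example, not code from Wasabi, Blockaid or CertiK; it assumes OpenZeppelin-style RoleGranted and ERC-1967 Upgraded events that have already been decoded, and every address, allowlist and the block window are constructed placeholders.

```python
# Constructed, already-decoded event logs; every address is a placeholder.
# RoleGranted is OpenZeppelin AccessControl's event, Upgraded is ERC-1967's.
WATCHED_PROXIES = {"0xperpvault", "0xlongpool"}  # hypothetical proxy addresses
APPROVED_ADMINS = {"0xmultisig"}                 # accounts allowed to hold ADMIN_ROLE
APPROVED_IMPLS = {"0ximpl_v2"}                   # implementations that passed review
WINDOW = 50                                      # max blocks between grant and upgrade


def ev(block, emitter, event, **args):
    return {"block": block, "emitter": emitter, "event": event, "args": args}


LOGS = [
    ev(100, "0xperpvault", "Upgraded", implementation="0ximpl_v2"),
    ev(200, "0xroles", "RoleGranted", role="ADMIN_ROLE",
       account="0xhelper", sender="0xdeployer"),
    ev(201, "0xperpvault", "Upgraded", implementation="0xdrainer"),
    ev(201, "0xlongpool", "Upgraded", implementation="0xdrainer"),
    ev(900, "0xlongpool", "Upgraded", implementation="0xunreviewed"),
]


def scan(logs):
    """Return (severity, block, message) alerts for unapproved admin changes."""
    alerts, bad_grant = [], None
    for log in sorted(logs, key=lambda l: l["block"]):
        a = log["args"]
        if log["event"] == "RoleGranted" and a["role"] == "ADMIN_ROLE":
            if a["account"] not in APPROVED_ADMINS:
                bad_grant = log  # remember it so later upgrades can be correlated
                alerts.append(("HIGH", log["block"],
                               f"ADMIN_ROLE granted to {a['account']} by {a['sender']}"))
        elif log["event"] == "Upgraded" and log["emitter"] in WATCHED_PROXIES:
            if a["implementation"] in APPROVED_IMPLS:
                continue  # reviewed upgrade, nothing to report
            # An unreviewed upgrade right after an unapproved grant is the
            # pattern in this incident: escalate so responders pause first.
            chained = (bad_grant is not None
                       and log["block"] - bad_grant["block"] <= WINDOW)
            alerts.append(("CRITICAL" if chained else "HIGH", log["block"],
                           f"{log['emitter']} upgraded to {a['implementation']}"))
    return alerts


if __name__ == "__main__":
    for alert in scan(LOGS):
        print(alert)
```

Detection of this kind only shortens response time; it does not remove the single-key risk that a timelock or multi-sig on the upgrade role addresses.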
The primary exploit transaction on Etherscan shows the creation of a malicious contract (0x36aa…ab42). The attacker then drained WETH, USDC, and memecoin positions. All funds flowed to the attacker-controlled address.
Similar drains occurred on Base, according to Cryptery Insights and Blockaid.
CertiK’s initial alert estimated roughly $2.9 million in losses. Blockaid’s detection system, which flagged the exploit slightly earlier, placed the figure at approximately $4.55 million across both chains.
The breakdown includes around $1.9 million in WETH and roughly $172,000 in USDC. The remainder came from smaller memecoin positions. The exact final amount remains unclear as some fund movements may still be in progress.
According to DefiLlama, Wasabi Protocol’s total value locked stood at $8.5 million before the exploit. That means the attacker drained between 34% and 54% of the protocol’s total liquidity, a devastating ratio for any DeFi platform.
More than ten hours after the exploit began, Wasabi Protocol has not posted any public statement. The team has not tweeted, published a blog post, or issued any on-chain communication.
There is no indication that the protocol has paused its contracts or initiated any recovery effort. No user compensation or insurance plan has been announced.
That silence contrasts with the quick responses from CertiK and Blockaid. Both firms identified the attack within an hour of the first malicious transaction.
Key milestones in Wasabi Protocol Exploit (April 30, 2026)
First major drain transaction executes on Ethereum after attacker gains admin access via compromised deployer wallet.
Early monitors flag suspicious transaction activity within minutes, signaling potential protocol compromise.
Security firms confirm exploit, estimating ~$2.9M+ drained and identifying admin-role takeover via compromised EOA.
Attacker upgrades contracts to inject malicious logic, draining multiple assets and dispersing funds across wallets and chains.
Wasabi Protocol has not issued any public response, pause, or mitigation update as of the latest available data.
Funds remain under attacker control with ongoing transfers and partial dispersal; no confirmed recovery or containment measures yet.
Admin-key compromises remain one of the most damaging attack vectors in decentralized finance. Unlike code exploits that target specific vulnerabilities, a compromised admin key gives the attacker full control over a protocol’s upgrade mechanism.
Past incidents include the $624 million Ronin Bridge hack in March 2022. The $100 million Harmony Horizon Bridge exploit followed in June 2022. Both involved compromised private keys.
The Wasabi Protocol exploit follows this pattern. The attacker bypassed normal user safeguards entirely by hijacking the protocol’s own administrative upgrade mechanism. For users, there was no warning and no way to withdraw before the drain.
Community sentiment on X reflects frustration. One user described the incident as part of the ongoing “DeFi bleed season.” On-chain analyst @no__yield reportedly linked the exploiter’s source address to a Bitcoin mixer, though this has not been independently confirmed.
Several critical questions remain unanswered. The root cause of the deployer key compromise is still unknown. It could have been a phished private key, a compromised infrastructure setup, or something else entirely.
The attacker’s identity remains unknown. Whether funds have been bridged, mixed, or are sitting in the identified wallets has not been fully mapped. The exact final loss amount awaits confirmation as on-chain movements continue.
No tier-1 media outlets, including CoinDesk, The Block, or Rekt.news, have published coverage of the incident yet. All current reporting comes from security firm alerts and community analysts.
Users with funds on Wasabi Protocol across any of its five supported chains should monitor the situation closely. Until the team issues a statement, the status of remaining protocol contracts is uncertain.
The incident highlights a core risk of upgradeable contracts. Without timelocks, multi-sig wallets, or decentralized governance, admin keys remain a single point of failure. For now, the community waits for Wasabi to break its silence.