Wasabi Protocol Roasted by Hacker’s Admin Key Feast

by

On the morrow of April 30, 2026, a shadow with a penchant for digital looting descended upon Wasabi Protocol, seizing its deployer admin key with the dexterity of a pickpocket at a masquerade ball. The result? A grand theft of $4.5 million to $5.5 million, siphoned from perp vaults and liquidity pools across three blockchains like so much virtual champagne from a deflated cask.

Key Takeaways:

  • A phantom in cyberspace, clad in anonymity, drained $4.5M to $5.5M from Wasabi Protocol by usurping the deployer EOA admin key on April 30, 2026. A tale of hubris and misplaced trust.
  • Virtuals Protocol, ever the vigilant butler, froze margin deposits posthaste, though its own fortress of security remained unbreached-perhaps too preoccupied with polishing silverware.
  • Wasabi Protocol, the silent protagonist, has yet to utter a syllable. Users, meanwhile, are advised to revoke approvals across Ethereum, Base, and Blast with the urgency of a man fleeing a dragon.

The compromised address, 0x5c629f8c0b5368f523c85bfe79d2a8efb64fb0c8, served as the linchpin of Wasabi’s Perpmanager contracts. The attacker, with the subtlety of a sledgehammer, bestowed the ADMIN_ROLE upon a malicious helper contract before executing unauthorized UUPS proxy upgrades on Wasabivault proxies and the Wasabilongpool, all while the blockchain yawned and sipped lukewarm coffee.

Security firm Hypernative, the self-appointed guardian of the night, raised the alarm with high-severity alerts across three chains. Blockaid, Cyvers, and Defimonalerts joined the chorus, detecting the chaos in real time. Hypernative, though not a Wasabi client, vowed a full technical analysis, as if the blockchain were a patient in a psychiatric ward.

Blockaid’s dire warning on April 30, 2026, at 4:30 a.m. ET-a cry in the digital wilderness.

The attack, a ballet of malice, commenced at 07:48 UTC and lasted two hours. The deployer, now a pawn in a cosmic joke, granted ADMIN_ROLE to attacker-controlled contracts on Ethereum, Base, and Blast. A malicious contract then called strategyDeposit() on seven to eight WasabiVault proxies, passing a phony strategy that triggered a drain() function, returning all collateral to the villain with the grace of a magician’s sleight of hand.

The Wasabilongpool on Ethereum and Base was subsequently upgraded to a nefarious implementation, sweeping remaining balances with the efficiency of a vacuum cleaner. Funds were consolidated into ETH, bridged where necessary, and distributed across multiple addresses, some of which whispered to Tornado Cash in the dead of night.

The largest single loss? A staggering 840.9 WETH, worth over $1.9 million at the time of the heist. Other pilfered treasures included sUSDC, sREKT, PEPE, MOG, NEIRO, ZYN, and bitcoin, along with Base-chain assets such as VIRTUAL, AERO, and cbBTC. Wasabi’s total value locked (TVL) had stood at a mere $8.5 million across chains before the exploit, according to Defillama data-a sum now reduced to ash and crypto dust.

This was no mere smart contract vulnerability, but a key-management farce. The attacker, likely a master of social engineering or a digital pickpocket with a penchant for phishing, abused the upgradeable proxy architecture to drain funds without triggering conventional security checks. A lesson in the folly of centralized control, wrapped in a bow of decentralized illusion.

Virtuals Protocol, the beleaguered custodian of margin deposits, acted swiftly, freezing all margin deposits and declaring its own security intact. Trading and withdrawals continued unabated, as if the world had not just been turned upside down. The team, however, issued a stern warning: avoid signing any Wasabi-related transactions, lest you become the next victim in this tragicomedy.

Wasabi Protocol, the silent sufferer, had not deigned to issue a public statement as of the latest available data. The protocol, once heralded for its audits by Zellic and Sherlock, found itself bypassed by this exploit with the ease of a poorly guarded castle.

Users, now the protagonists of their own survival story, are urged to revoke all Wasabi approvals across Ethereum, Base, and Blast. Tools like Revoke.cash, Etherscan, and Basescan shall guide them, while any remaining LP positions should be withdrawn with the urgency of a man fleeing a sinking ship. No Wasabi-related transactions should be signed until the team confirms key rotation and contract integrity-a process likely to take as long as a bureaucratic hearing.

The incident, a familiar refrain in the DeFi opera of 2026, underscores the perils of upgradeable proxy contracts and centralized admin keys. When one key holds dominion over multiple chains, a single compromise becomes a protocol-wide catastrophe, a digital domino effect with no end in sight.

Wasabi’s breach did not occur in isolation. April 2026, a month of reckoning for DeFi, saw over $600 million drained from protocols in a dozen incidents, making it a veritable bloodbath. The month began with a $285 million heist on Drift Protocol on Solana, where attackers manipulated governance and oracles with the finesse of a chess grandmaster.

On April 18, a Layerzero bridge exploit struck KelpDAO on Ethereum, draining $292 million in rsETH and triggering a contagion of $10 billion across lending platforms. Smaller hits followed, like confetti at a funeral, on Silo Finance, Cow Swap, Grinex, Rhea Finance, and Aftermath Finance.

Across these tragedies, a common thread emerges: admin key compromises, bridge weaknesses, and upgradeable proxy risks. Audits, it seems, are as useful as a screen door in a submarine. Centralized control points, once the bedrock of trust, now lie exposed as vulnerabilities no amount of code review can mend.

The Wasabi saga remains unresolved. Users are advised to monitor the official @wasabi_protocol account and security feeds for updates-a waiting game as thrilling as watching paint dry. Until then, the blockchain’s favorite game of hot potato continues, with DeFi as the unwitting player.

Read More

2026-04-30 13:28