Wasabi Protocol Suffers $4.55 Million Exploit via Admin Key Compromise

Wasabi Protocol, a perpetuals trading platform operating on Ethereum and Base, has been drained of approximately $4.55 million following the compromise of its administrative deployer key. The breach was identified by security firm Blockaid, which noted that the attacker gained control of an externally owned account (EOA) that held the sole admin role within the protocol's permission system. Once the attacker secured the deployer key, they granted themselves administrative privileges and utilized the UUPS upgradeability pattern to swap the protocol's underlying code. This allowed the attacker to replace the perp vaults and LongPool with malicious implementations designed to drain user balances. The exploit was made possible by a critical lack of security infrastructure; Wasabi had neither a multisig wallet nor a governance timelock to delay or authorize administrative changes. The theft affected multiple vaults across two networks. On Ethereum, compromised assets included wWETH, sUSDC, wBITCOIN, and wPEPE. On Base, the attacker targeted sUSDC, wWETH, sBTC, sVIRTUAL, sAERO, and sBRETT. Users holding Wasabi LP tokens have been urged to immediately revoke all active approvals to the vault contracts to mitigate further risk. This incident is part of a broader trend of DeFi instability. Total losses for 2026 have now exceeded $770 million across more than 30 incidents, with April alone seeing a significant spike in activity. The Wasabi attack closely mirrors previous exploits, such as the Drift Protocol breach, where the absence of governance timelocks and the reliance on single-key setups led to massive capital outflows.