Wasabi Protocol, a perpetuals trading platform operating on Ethereum and Base, lost approximately $4.55 million after an attacker gained control of its deployer admin key and used it to drain multiple liquidity pools. Security firm Blockaid flagged the breach in a post on X, confirming that the exploit unfolded across both chains simultaneously.
The attack followed a now-familiar pattern: a single externally owned account holding unchecked administrative power over a protocol with no safeguards in place to slow or block unauthorized changes. The result was a fast, near-total drain of user funds before any intervention was possible.
How the Attacker Moved Through the Protocol
Wasabi’s permission system assigned the sole ADMIN_ROLE to an externally owned account named wasabideployer.eth. An externally owned account, or EOA, is a standard crypto wallet controlled entirely by whoever holds its private key, with no additional smart contract logic governing access.
Once the attacker obtained the compromised key, they called the grantRole function on Wasabi’s permission contract, assigning themselves full admin privileges with zero delay. They then deployed a helper contract that used UUPS upgradeability to swap out the logic inside Wasabi’s perp vaults and LongPool, replacing legitimate code with malicious implementations designed to drain balances, according to Blockaid.
UUPS, or Universal Upgradeable Proxy Standard, is a common design pattern that lets developers push code fixes to a live contract without migrating users to a new address. It is widely used across DeFi precisely because of that flexibility.
The tradeoff is that whoever controls admin permissions can also replace a contract’s logic with anything they want.
Wasabi had no timelock and no multisig protecting the admin role. A timelock would have introduced a mandatory delay between announcing an admin action and executing it, giving users time to withdraw.
A multisig would have required approval from multiple keyholders before any upgrade could proceed. Wasabi had neither, leaving a single private key as the only barrier between the protocol and a total compromise.
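The contrast drawn above, a single EOA holding ADMIN_ROLE versus an admin role held by a timelock whose only proposer is a multisig, can be run through as a constructed model. The Python below is an added example, not Wasabi's contracts or Blockaid's analysis; the role registry, proxy, timelock and multisig are simplified stand-ins for the on-chain components, the 48-hour delay and 2-of-3 threshold are assumed values, and `attacker` / `impl-v1` / `impl-v2` are placeholder labels. It shows that the same stolen key which replaces the logic instantly in the first layout is rejected outright in the second, and that even a legitimate upgrade there stays visible in the queue for the whole delay.

```python
"""Constructed model contrasting a single-EOA admin with a timelock+multisig admin.
Not Wasabi's code; component behaviour is simplified for illustration."""
from dataclasses import dataclass, field
from typing import Callable

ADMIN_ROLE = "ADMIN_ROLE"
DEPLOYER = "wasabideployer.eth"   # account named in the incident; behaviour here is modelled
ATTACKER = "attacker"             # hypothetical label for the key holder


class Unauthorized(Exception):
    pass


class NotReady(Exception):
    pass


@dataclass
class AccessControl:
    """Role registry: only an ADMIN_ROLE holder may grant roles (no delay, no quorum)."""
    roles: dict[str, set[str]] = field(default_factory=dict)

    def has_role(self, role: str, account: str) -> bool:
        return account in self.roles.get(role, set())

    def grant_role(self, caller: str, role: str, account: str) -> None:
        if not self.has_role(ADMIN_ROLE, caller):
            raise Unauthorized(f"{caller} lacks {ADMIN_ROLE}")
        self.roles.setdefault(role, set()).add(account)


@dataclass
class UUPSProxy:
    """Proxy whose logic pointer is swapped by upgrade_to, gated only by ADMIN_ROLE."""
    acl: AccessControl
    implementation: str

    def upgrade_to(self, caller: str, new_impl: str) -> None:
        if not self.acl.has_role(ADMIN_ROLE, caller):
            raise Unauthorized(f"{caller} may not upgrade")
        self.implementation = new_impl


@dataclass
class Timelock:
    """Holds the admin role and runs a queued call only once min_delay has elapsed."""
    address: str
    min_delay: int
    proposers: set[str]
    queue: dict[str, tuple[int, Callable[[], None]]] = field(default_factory=dict)

    def schedule(self, caller: str, op_id: str, call: Callable[[], None], now: int) -> int:
        if caller not in self.proposers:
            raise Unauthorized(f"{caller} is not a proposer")
        self.queue[op_id] = (now + self.min_delay, call)
        return now + self.min_delay

    def execute(self, op_id: str, now: int) -> None:
        ready_at, call = self.queue[op_id]
        if now < ready_at:
            raise NotReady(f"{op_id} executable at t={ready_at}, now t={now}")
        del self.queue[op_id]
        call()


@dataclass
class Multisig:
    """k-of-n approval: the multisig address acts only after threshold signers agree."""
    address: str
    signers: set[str]
    threshold: int
    approvals: dict[str, set[str]] = field(default_factory=dict)

    def approve(self, signer: str, op_id: str) -> None:
        if signer not in self.signers:
            raise Unauthorized(f"{signer} is not a signer")
        self.approvals.setdefault(op_id, set()).add(signer)

    def propose(self, tl: Timelock, op_id: str, call: Callable[[], None], now: int) -> int:
        if len(self.approvals.get(op_id, ())) < self.threshold:
            raise Unauthorized(f"{op_id} has too few approvals")
        return tl.schedule(self.address, op_id, call, now)


def single_eoa_admin() -> str:
    """Layout the text describes: one EOA holds ADMIN_ROLE, nothing slows it down."""
    acl = AccessControl({ADMIN_ROLE: {DEPLOYER}})
    proxy = UUPSProxy(acl, "impl-v1")
    acl.grant_role(DEPLOYER, ADMIN_ROLE, ATTACKER)   # key holder *is* the deployer on-chain
    proxy.upgrade_to(ATTACKER, "malicious-impl")     # logic replaced in the same breath
    return proxy.implementation


def timelocked_multisig_admin(now: int) -> tuple[str, list[str]]:
    """Hardened layout: ADMIN_ROLE -> timelock; timelock's sole proposer -> 2-of-3 multisig."""
    tl = Timelock("timelock", min_delay=48 * 3600, proposers={"multisig"})
    ms = Multisig("multisig", signers={"s1", "s2", "s3"}, threshold=2)
    acl = AccessControl({ADMIN_ROLE: {tl.address}})
    proxy = UUPSProxy(acl, "impl-v1")
    log: list[str] = []
    # The stolen deployer key holds no role, so both attacker moves fail.
    for action in (lambda: acl.grant_role(DEPLOYER, ADMIN_ROLE, ATTACKER),
                   lambda: proxy.upgrade_to(DEPLOYER, "malicious-impl")):
        try:
            action()
        except Unauthorized as e:
            log.append(f"rejected: {e}")
    # One compromised signer cannot reach the timelock on its own.
    ms.approve("s1", "upgrade-v2")
    try:
        ms.propose(tl, "upgrade-v2", lambda: None, now=0)
    except Unauthorized as e:
        log.append(f"rejected: {e}")
    # A genuine 2-of-3 upgrade is queued and stays observable for the full delay.
    ms.approve("s2", "upgrade-v2")
    ready_at = ms.propose(tl, "upgrade-v2",
                          lambda: proxy.upgrade_to(tl.address, "impl-v2"), now=0)
    log.append(f"scheduled: upgrade-v2 executable at t={ready_at}")
    try:
        tl.execute("upgrade-v2", now=now)
    except NotReady as e:
        log.append(f"pending: {e}")
    return proxy.implementation, log
```

Calling `single_eoa_admin()` returns `malicious-impl`; `timelocked_multisig_admin(now=3600)` leaves `impl-v1` in place with three rejections and one pending upgrade in the log, and only once `now` reaches 48 hours does the queued `impl-v2` land. The point is the observability window: during the delay the scheduled call is public state that users and monitoring can act on.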
A Pattern Repeating Across DeFi in 2026
The Wasabi breach adds to more than $770 million in cumulative DeFi losses reported so far this year, a figure that has grown sharply through April alone. The month produced over $605 million in losses across at least 12 separate incidents, according to data referenced by Blockaid.
The mechanics of the Wasabi attack closely mirror recent exploits at Drift Protocol and Kelp DAO, both of which also involved compromised deployer keys with insufficient access controls.
In the Drift case, a breach involving a compromised deployer key was linked to roughly $285 million in losses earlier this month, establishing admin key compromise as one of the most damaging attack vectors active in the current DeFi landscape.
Compromised contracts included Wasabi’s wWETH and sUSDC vaults, among others, spread across the Ethereum mainnet and Base deployments. Blockaid said its exploit detection system identified the attack as it was still ongoing, though the disclosure came after funds had already been moved.
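Blockaid's detection fired while the attack was in progress; the sequence the text describes (an admin-role grant to an unknown address followed within a few blocks by an implementation swap on a vault, on each chain) is exactly the kind of event pattern a protocol can watch for itself. The Python below is an added example, not Blockaid's system or Wasabi's real logs: the event stream is constructed to mirror the described sequence, the allowlists of expected admins and audited implementations are assumed operator-maintained values, the 50-block correlation window is an assumed tuning choice, and the `CallScheduled` event stands in for a timelock announcement.

```python
"""Constructed detector for admin-role grants and unannounced proxy upgrades.
Not Blockaid's detection logic; events below are made up to mirror the text."""
from collections import Counter, defaultdict

ADMIN_ROLE = "ADMIN_ROLE"   # named as in the text; real contracts emit a bytes32 role hash

# Operator-maintained known-good state (assumed values).
EXPECTED_ADMINS = {"timelock"}      # only address allowed to hold ADMIN_ROLE
EXPECTED_IMPLS = {"impl-v1"}        # audited implementation addresses
ATTACK_WINDOW_BLOCKS = 50           # grant -> upgrade within this many blocks is escalated

# Constructed sample events modelled on the sequence described in the article.
SAMPLE_EVENTS = [
    {"chain": "ethereum", "block": 100, "contract": "perm", "event": "RoleGranted",
     "role": ADMIN_ROLE, "account": "0xATTACKER", "sender": "wasabideployer.eth"},
    {"chain": "ethereum", "block": 103, "contract": "wWETH-vault", "event": "Upgraded",
     "implementation": "0xMALICIOUS"},
    {"chain": "base", "block": 2100, "contract": "perm", "event": "RoleGranted",
     "role": ADMIN_ROLE, "account": "0xATTACKER", "sender": "wasabideployer.eth"},
    {"chain": "base", "block": 2104, "contract": "LongPool", "event": "Upgraded",
     "implementation": "0xMALICIOUS"},
    # A legitimate upgrade announced through a timelock, for contrast: no alert.
    {"chain": "ethereum", "block": 5000, "contract": "timelock", "event": "CallScheduled",
     "target": "sUSDC-vault", "implementation": "impl-v2"},
    {"chain": "ethereum", "block": 5400, "contract": "sUSDC-vault", "event": "Upgraded",
     "implementation": "impl-v2"},
]


def detect(events):
    """Return (chain, block, severity, message) alerts for the given event stream."""
    alerts = []
    recent_grants = defaultdict(list)   # chain -> [(block, account)] of unexpected grants
    scheduled = set()                   # (chain, target, impl) announced via a timelock
    for ev in events:
        chain, block = ev["chain"], ev["block"]
        if ev["event"] == "RoleGranted" and ev["role"] == ADMIN_ROLE:
            if ev["account"] not in EXPECTED_ADMINS:
                alerts.append((chain, block, "HIGH",
                               f"{ADMIN_ROLE} granted to unexpected {ev['account']} "
                               f"by {ev['sender']} on {ev['contract']}"))
                recent_grants[chain].append((block, ev["account"]))
        elif ev["event"] == "CallScheduled":
            scheduled.add((chain, ev["target"], ev["implementation"]))
        elif ev["event"] == "Upgraded":
            impl = ev["implementation"]
            if impl in EXPECTED_IMPLS or (chain, ev["contract"], impl) in scheduled:
                continue    # audited or publicly announced: nothing to raise
            severity = "HIGH"
            msg = f"{ev['contract']} upgraded to unknown implementation {impl}"
            # Escalate when the swap follows an unexpected admin grant on the same chain.
            if any(block - b <= ATTACK_WINDOW_BLOCKS for b, _ in recent_grants[chain]):
                severity = "CRITICAL"
                msg += f" within {ATTACK_WINDOW_BLOCKS} blocks of an unexpected admin grant"
            alerts.append((chain, block, severity, msg))
    return alerts


def summarize(alerts):
    """Alerts per chain, so a cross-chain campaign is visible at a glance."""
    return dict(Counter(chain for chain, _, _, _ in alerts))
```

Running `detect(SAMPLE_EVENTS)` yields two alerts per chain, the second on each escalated to CRITICAL because the vault upgrade lands three to four blocks after the unexpected grant, while the timelock-announced `sUSDC-vault` upgrade at block 5400 produces nothing. The two signals here, role changes and implementation changes, are both standard events on role-based and proxy contracts, so the same logic can be fed from a log subscription without any protocol-specific instrumentation.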
The incident reinforces a straightforward security principle that continues to be ignored at cost: any upgradeable contract controlled by a single EOA is one stolen private key away from a complete loss of user funds.
Timelocks and multisig requirements are not advanced security measures; they are baseline protections, and their absence in a live protocol handling millions of dollars in assets remains a critical and preventable failure.