Wasabi Protocol Suffers $4.5M Drain in Admin Key Compromise, Echoing Drift Exploit: LatestDeFiNews
Perpetuals trading platform Wasabi Protocol lost $4.5 million due to a compromised deployer admin key, highlighting critical security gaps like the absence of timelocks or multisigs, a vulnerability seen in recent major DeFi exploits.

Why it matters
Wasabi Protocol, a perpetuals trading platform operating on Ethereum and Base, was exploited for approximately $4.55 million after its deployer admin key was compromised. Attackers leveraged this single point of failure to gain administrative control, subsequently upgrading the protocol's vault contracts to malicious versions via the Universal Upgradeable Proxy Standard (UUPS), which allowed them to drain funds from various asset pools. This incident underscores a recurring vulnerability in DeFi, mirroring the recent $285 million Drift Protocol breach, both lacking essential security measures like timelocks or multisignature approvals for critical administrative functions.
Key takeaways
- Wasabi Protocol suffered a $4.55 million exploit due to a compromised deployer admin key on Ethereum and Base.
- The attack leveraged the absence of a timelock or multisig, allowing attackers to instantly upgrade vault contracts to malicious versions via UUPS.
- This incident mirrors the recent $285 million Drift Protocol breach, highlighting a critical, recurring security vulnerability in DeFi's administrative controls.
- Users who interacted with Wasabi Protocol should immediately revoke active approvals to prevent potential further losses.
- The exploit contributes to over $770 million in DeFi losses this year, underscoring the urgent need for enhanced security practices and decentralized governance.
Wasabi Protocol Drained of $4.5 Million in Admin Key Compromise
Wasabi Protocol, a perpetuals trading platform built on Ethereum and Base, has fallen victim to a significant exploit, losing approximately $4.55 million. The incident, which occurred on Thursday, April 30, 2026, stemmed from the compromise of its deployer admin key, allowing attackers to seize control and drain funds from multiple asset pools.
The security firm Blockaid identified the exploit, detailing how the attacker gained admin privileges through the compromised key. This access enabled them to call grantRole on the permission contract, granting themselves immediate administrative control without any delay. Subsequently, a helper contract was used to upgrade Wasabi's perp vaults and Long Pool to malicious implementations, effectively siphoning off balances.
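The sequence Blockaid describes (an instant grantRole followed by proxy upgrades from the newly privileged account) is exactly the pattern an on-chain monitor can alert on. The following is an added detection example, not Blockaid's or Wasabi's code: it runs a rule over a constructed, simplified event log (the RoleGranted, Upgraded and CallScheduled event names follow the OpenZeppelin AccessControl, ERC-1967 and TimelockController conventions, but the argument shapes, addresses and the TIMELOCK_MIN_DELAY and GRANT_TO_UPGRADE_WINDOW thresholds are assumptions) and flags any proxy upgrade that was not queued through a timelock, and any upgrade sent by an account granted an admin role within the last few blocks.

```python
"""Detection rule over constructed on-chain events (added example).

Flags (a) proxy upgrades with no matching timelock schedule at least
TIMELOCK_MIN_DELAY blocks earlier and (b) upgrades sent by an account that
received an admin role within GRANT_TO_UPGRADE_WINDOW blocks.  All addresses,
tx hashes and event argument shapes below are constructed, not real chain data.
"""

TIMELOCK_MIN_DELAY = 20       # blocks; assumed governance policy
GRANT_TO_UPGRADE_WINDOW = 5   # blocks; assumed detection window

# Constructed sample log.  Each record carries the tx sender under "from".
EVENTS = [
    # role granted to a fresh account, then two vault proxies upgraded by it
    {"block": 1000, "tx": "0xa1", "from": "0xDEPLOYER", "address": "0xPERMS",
     "name": "RoleGranted", "args": {"role": "ADMIN_ROLE", "account": "0xATTACKER"}},
    {"block": 1000, "tx": "0xa2", "from": "0xATTACKER", "address": "0xWETH_VAULT",
     "name": "Upgraded", "args": {"implementation": "0xROGUE_IMPL"}},
    {"block": 1000, "tx": "0xa2", "from": "0xATTACKER", "address": "0xLONG_POOL",
     "name": "Upgraded", "args": {"implementation": "0xROGUE_IMPL"}},
    # a benign, timelocked upgrade of another vault for contrast
    {"block": 900, "tx": "0xb1", "from": "0xMULTISIG", "address": "0xTIMELOCK",
     "name": "CallScheduled",
     "args": {"target": "0xUSDC_VAULT", "implementation": "0xV2_IMPL"}},
    {"block": 950, "tx": "0xb2", "from": "0xTIMELOCK", "address": "0xUSDC_VAULT",
     "name": "Upgraded", "args": {"implementation": "0xV2_IMPL"}},
]


def find_suspicious_upgrades(events, min_delay=TIMELOCK_MIN_DELAY,
                             window=GRANT_TO_UPGRADE_WINDOW):
    """Return a list of alert dicts for upgrades that violate the two rules."""
    events = sorted(events, key=lambda e: e["block"])
    scheduled = [e for e in events if e["name"] == "CallScheduled"]
    grants = [e for e in events if e["name"] == "RoleGranted"]
    alerts = []
    for e in events:
        if e["name"] != "Upgraded":
            continue
        proxy, impl, blk = e["address"], e["args"]["implementation"], e["block"]

        # Rule 1: a legitimate upgrade is announced through the timelock first.
        announced = any(
            s["args"]["target"] == proxy
            and s["args"]["implementation"] == impl
            and blk - s["block"] >= min_delay
            for s in scheduled
        )
        if not announced:
            alerts.append({"severity": "high", "rule": "upgrade_without_timelock",
                           "proxy": proxy, "block": blk, "tx": e["tx"]})

        # Rule 2: the sender only just received an admin role.
        fresh = [g for g in grants
                 if g["args"]["account"] == e["from"]
                 and 0 <= blk - g["block"] <= window]
        if fresh:
            alerts.append({"severity": "critical", "rule": "grant_then_upgrade",
                           "proxy": proxy, "account": e["from"],
                           "grant_tx": fresh[0]["tx"], "tx": e["tx"]})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_upgrades(EVENTS):
        print(a)
```

On the constructed log this yields four alerts: each of the two rogue upgrades trips both rules, while the USDC vault upgrade, scheduled 50 blocks before execution, is silent. A real deployment would feed the same rule from a log subscription and page the team on a critical hit; the timelock delay is what gives that page time to matter.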
The Mechanics of a Single Point of Failure
The attack leveraged the Universal Upgradeable Proxy Standard (UUPS), a common architecture allowing smart contracts to update their underlying logic while maintaining the same address. While UUPS offers flexibility for developers to fix bugs without migrating users, it presents a critical vulnerability if administrative permissions are compromised. In Wasabi's case, the attacker, once in control of the admin key, could replace the legitimate contract logic with code designed to steal funds.
A glaring omission in Wasabi's security setup was the absence of a timelock or multisignature (multisig) protection for the admin role. A timelock introduces a mandatory delay between announcing an administrative action and its execution, providing users and the community time to react or intervene. A multisig, in turn, requires approval from multiple independent parties before an action can be executed. Wasabi had neither, leaving a single externally owned account (EOA), wasabideployer.eth, with sole control over the protocol's critical functions.
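To make the two preceding paragraphs concrete, here is an added toy model (not Wasabi's contracts, and not real Solidity) of a UUPS-style vault proxy: storage stays on the proxy while only the implementation pointer changes. The first scenario gives a single EOA the upgrade right, so whoever holds that key can swap in logic that empties the pool in the same block. The second puts a timelock in front of the same upgrade right, so the replacement is visible for a delay period during which a guardian can cancel it. The class and role names (SafeVaultImpl, RogueVaultImpl, Timelock, "security_council") and the 48-block delay are assumptions.

```python
"""Toy model of a UUPS-style proxy guarded by a single key versus a timelock.
Added illustration, not Wasabi Protocol code; all names and delays assumed."""
from dataclasses import dataclass, field


@dataclass
class Chain:
    """Minimal block clock so the timelock delay can be reasoned about."""
    block: int = 0


class SafeVaultImpl:
    """Legitimate logic: a caller can only withdraw their own balance."""
    def withdraw(self, proxy, caller, amount):
        if proxy.balances.get(caller, 0) < amount:
            raise PermissionError("insufficient balance")
        proxy.balances[caller] -= amount
        return amount


class RogueVaultImpl:
    """Logic a key holder could swap in: hands the whole pool to the caller."""
    def withdraw(self, proxy, caller, amount):
        total = sum(proxy.balances.values())
        proxy.balances.clear()
        return total


@dataclass
class VaultProxy:
    """Storage (balances) lives here; `impl` is the upgradeable logic."""
    admin: str
    impl: object
    balances: dict = field(default_factory=dict)

    def withdraw(self, caller, amount):
        return self.impl.withdraw(self, caller, amount)   # delegate to logic

    def upgrade_to(self, caller, new_impl):
        if caller != self.admin:                          # _authorizeUpgrade
            raise PermissionError("not admin")
        self.impl = new_impl


@dataclass
class Timelock:
    """Operations are queued, public for `delay` blocks, and cancellable."""
    delay: int
    proposer: str
    guardian: str
    chain: Chain
    queue: dict = field(default_factory=dict)

    def schedule(self, caller, op_id, action):
        if caller != self.proposer:
            raise PermissionError("not proposer")
        self.queue[op_id] = (self.chain.block + self.delay, action)

    def cancel(self, caller, op_id):
        if caller != self.guardian:
            raise PermissionError("not guardian")
        del self.queue[op_id]

    def execute(self, op_id):
        ready_at, action = self.queue[op_id]
        if self.chain.block < ready_at:
            raise RuntimeError("operation not ready")
        del self.queue[op_id]
        action()


def single_key_scenario():
    """Admin is a bare EOA: upgrade and drain happen in one block."""
    vault = VaultProxy(admin="deployer_eoa", impl=SafeVaultImpl(),
                       balances={"alice": 100, "bob": 50})
    vault.upgrade_to("deployer_eoa", RogueVaultImpl())   # compromised key
    drained = vault.withdraw("deployer_eoa", 0)
    return {"drained": drained, "remaining": sum(vault.balances.values())}


def timelocked_scenario():
    """Admin is a timelock: the same upgrade is queued, seen, and cancelled."""
    chain = Chain()
    lock = Timelock(delay=48, proposer="deployer_eoa",
                    guardian="security_council", chain=chain)
    vault = VaultProxy(admin="timelock", impl=SafeVaultImpl(),
                       balances={"alice": 100, "bob": 50})
    lock.schedule("deployer_eoa", "upgrade-1",
                  lambda: vault.upgrade_to("timelock", RogueVaultImpl()))
    try:                                   # executing immediately fails
        lock.execute("upgrade-1")
        blocked_early = False
    except RuntimeError:
        blocked_early = True
    chain.block += 10                      # monitoring spots the queued op
    lock.cancel("security_council", "upgrade-1")
    chain.block += 50                      # delay elapsed, but nothing queued
    try:
        drained = vault.withdraw("deployer_eoa", 150)   # SafeVaultImpl refuses
    except PermissionError:
        drained = 0
    return {"blocked_early": blocked_early, "drained": drained,
            "remaining": sum(vault.balances.values())}


if __name__ == "__main__":
    print("single key:", single_key_scenario())
    print("timelocked:", timelocked_scenario())
```

The point of the model is the second scenario's middle: between schedule and execute the pending implementation address is public state, which is what a monitor, a guardian multisig, or simply users withdrawing can act on. A multisig on the proposer role adds the further requirement that no single key can even get an operation into the queue.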
A Troubling Echo of Past Exploits
This incident bears a striking resemblance to the $285 million Drift Protocol exploit earlier this month, where North Korea-linked attackers also exploited a single-key admin setup devoid of governance timelocks. In that case, attackers listed a fake token as collateral and manipulated withdrawal limits to drain assets within minutes. The recurring nature of such vulnerabilities highlights a systemic issue within the DeFi space.
The Wasabi exploit adds to an alarming trend, contributing to over $770 million in DeFi losses this year, with April alone accounting for more than $605 million across at least 12 incidents. This continuous bleeding underscores the urgent need for protocols to adopt more robust security practices, particularly around administrative controls.
What Traders and Users Need to Know
The compromised contracts include Wasabi's wWETH, sUSDC, wBITCOIN, wPEPE, and Long Pool vaults on Ethereum, as well as its sUSDC, wWETH, sBTC, sVIRTUAL, sAERO, and sBRETT vaults on Base. Users who held Wasabi LP tokens or had active approvals to these vault contracts are strongly urged to revoke those approvals immediately. While underlying assets may have already been drained, revoking approvals can prevent further unauthorized access or manipulation of remaining funds.
For the wider crypto community, this incident serves as another stark reminder of the importance of due diligence when interacting with DeFi protocols. Protocols must prioritize decentralized governance, implement timelocks, and enforce multisig requirements for all critical administrative functions to mitigate single points of failure. The market's trust in DeFi hinges on its ability to secure user funds against increasingly sophisticated attacks and recurring vulnerabilities.