Wasabi Protocol lost $5.5M after an admin key was compromised. Here’s how one wallet drained millions across four chains in minutes.
Wasabi Protocol suffered a major security breach on April 30, 2025.
An attacker compromised a privileged deployer wallet, draining over $5.5 million across four blockchain networks. The affected chains included Ethereum, Base, Berachain, and Blast.
Security firms Blockaid, CertiK, and PeckShield all flagged the incident within hours. Wasabi confirmed the issue by 10:30 a.m. UTC, urging users to stop interacting with its contracts immediately.
How the Wasabi Protocol Admin Key Exploit Unfolded
The attack did not involve a smart contract bug. Instead, the attacker gained control of wasabideployer.eth, Wasabi’s sole admin key holder.
According to Blockaid, the deployer wallet granted ADMIN_ROLE to a malicious helper contract. That contract then upgraded multiple perpetual futures vaults and a LongPool, pulling funds directly from them.
🚨 Blockaid's exploit detection system identified an on-going admin-key compromise exploit on @wasabi_protocol across Ethereum and Base. The Wasabi: Deployer EOA was used to grant ADMIN_ROLE to an attacker helper contract, which then UUPS-upgraded the perp vaults and LongPool to…
— Blockaid (@blockaid_) April 30, 2026
Blockaid reported that around $2.2 million left Ethereum, including 841 wrapped ETH, USDC, and several memecoins. Another $2.4 million moved from Base.
PeckShield put the total losses above $5 million across all chains. Security researcher Jeremy also noted $5.5 million stolen, citing WETH, PEPE, Mog, and USDC vaults as targets. The funds landed across multiple attacker-controlled addresses.
Compromised LP Tokens and Vault Contracts Across Chains
Blockaid warned that all Wasabi and Spicy LP-share tokens tied to the breached vaults should be treated as compromised. The underlying assets backing those tokens had been drained or were at risk.
Blockaid advised platforms to flag these tokens in their interfaces and prompt users with active approvals to revoke access immediately.
Nine vault contracts on Ethereum were listed as compromised. These included the wWETH, sUSDC, sREKT, wPEPE, wMog, wBITCOIN, sZYN vaults, and the LongPool.
Eight contracts on Base were also affected, covering sUSDC, wWETH, sBTC/cbBTC, sVIRTUAL, sAERO, sBRETT, sWELL, and sSKI vaults.
Berachain’s foundation confirmed awareness of the breach. It paused and blacklisted affected Wasabi reward vaults on its network and stopped further BGT emissions to the compromised contracts.
Berachain advised users who interacted with Wasabi on its chain to revoke token approvals through revoke.cash.
Berachain is aware of the Wasabi Protocol admin key compromise affecting multiple chains.
We have paused and blacklisted the affected Wasabi reward vaults on Berachain. No further BGT emissions will flow to the compromised contracts.
If you interacted with Wasabi on Berachain,…
— Berachain Foundation 🐻⛓ (@berachain) April 30, 2026
Single EOA, No Multisig: Security Experts Raise Concerns
The root cause, as Blockaid identified it, was a single externally owned account holding full ADMIN_ROLE in Wasabi’s PerpManager.
There was no multisig, no timelock, and no DAO governance protecting that access. SlowMist founder Cos pointed out that once that private key leaked, nothing stood between the attacker and the vaults.
On-chain investigator ZachXBT raised questions about why one wallet carried so much control without basic safeguards in place. Analyst Ted Pillows also noted that the incident highlighted the dangers of privileged access paired with upgradeable contracts.
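The sequence Blockaid described, an ADMIN_ROLE grant to a new address followed by proxy upgrades from that address, can be written as a monitoring rule. The sketch below is an added example, not code from Wasabi, Blockaid or any firm cited here; the decoded-event schema, addresses, block numbers and the 50-block window are constructed assumptions.

```python
# Added example. The event schema, addresses and block numbers are constructed.
from dataclasses import dataclass

WINDOW_BLOCKS = 50  # assumed alert window, tune per chain


@dataclass(frozen=True)
class Alert:
    grantee: str
    granted_by: str
    grant_block: int
    upgraded_proxies: tuple


def find_grant_then_upgrade(events, known_admins, window=WINDOW_BLOCKS):
    """Flag addresses outside known_admins that receive ADMIN_ROLE and then
    upgrade one or more proxies within `window` blocks of the grant."""
    grants = {}  # grantee -> (grant block, granting account)
    hits = {}    # grantee -> proxies it upgraded inside the window
    for ev in sorted(events, key=lambda e: e["block"]):
        if ev["type"] == "role_granted" and ev["role"] == "ADMIN_ROLE":
            if ev["account"] not in known_admins:
                grants[ev["account"]] = (ev["block"], ev["sender"])
        elif ev["type"] == "upgraded":
            grant = grants.get(ev["caller"])
            if grant and ev["block"] - grant[0] <= window:
                hits.setdefault(ev["caller"], []).append(ev["proxy"])
    return [Alert(who, grants[who][1], grants[who][0], tuple(proxies))
            for who, proxies in hits.items()]


# Constructed, already-decoded events (hypothetical field names).
SAMPLE_EVENTS = [
    {"type": "upgraded", "block": 90, "caller": "0xTIMELOCK", "proxy": "0xVAULT_A"},
    {"type": "role_granted", "block": 100, "role": "ADMIN_ROLE",
     "account": "0xHELPER", "sender": "0xDEPLOYER_EOA"},
    {"type": "upgraded", "block": 101, "caller": "0xHELPER", "proxy": "0xVAULT_A"},
    {"type": "upgraded", "block": 101, "caller": "0xHELPER", "proxy": "0xLONGPOOL"},
    {"type": "role_granted", "block": 200, "role": "ADMIN_ROLE",
     "account": "0xNEW_OPS", "sender": "0xTIMELOCK"},
    {"type": "upgraded", "block": 900, "caller": "0xNEW_OPS", "proxy": "0xVAULT_B"},
]

if __name__ == "__main__":
    for alert in find_grant_then_upgrade(SAMPLE_EVENTS, known_admins={"0xTIMELOCK"}):
        print(alert)
```

In the constructed data only the helper address is flagged: the timelock's own upgrade and the upgrade that happens 700 blocks after a grant both fall outside the rule.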
Berachain confirmed it was working with Blockaid and ZeroShadow on the ongoing investigation. This story is still developing, and further details are expected as the investigation continues.


