Wasabi Protocol Deployer EOA Compromise
Wasabi Protocol's perp vaults across Ethereum, Base, Berachain and Blast lost $5M when a compromised deployer EOA with sole ADMIN_ROLE allowed UUPS upgrades.
- Date: April 30, 2026
- Victim: Wasabi Protocol
- Status: Operations paused across all affected chains
- Funds Stolen: approximately $4.55-5 million
On April 30, 2026, the decentralised perpetual-futures protocol Wasabi Protocol was drained of approximately $5 million after attackers compromised the deployer EOA that held the protocol's sole ADMIN_ROLE — with no timelock and no multisig protection. The compromise affected deployments on Ethereum, Base, Berachain, and Blast. The incident landed at the tail end of April 2026, which became the worst month on record for DeFi exploits at approximately $635 million lost across 28 incidents.
What happened
Wasabi Protocol's smart contract architecture used UUPS (Universal Upgradeable Proxy Standard) proxies for its perpetual-futures vaults — allowing the protocol team to upgrade implementations over time. Privileges over the proxies were gated behind a single role: ADMIN_ROLE.
The fatal architectural choice: the ADMIN_ROLE was held by a single externally-owned account (EOA) — the same wallet that had originally deployed the contracts. There was no timelock between an admin action being initiated and executed, and no multisig requiring multiple signatures. Compromise of the single deployer EOA was compromise of every deployment on every chain.
The attack:
- Compromised the deployer EOA — the specific vector was not publicly disclosed, but the pattern is consistent with endpoint-level compromise (malware, phishing, credential theft).
- Used the compromised key to grant ADMIN_ROLE to a malicious helper contract controlled by the attackers.
- With admin authority established, performed UUPS proxy upgrades on:
  - Wasabi's perpetual-futures vault contracts
  - The LongPool contract
  - Various supporting contracts
- Replaced the legitimate implementations with malicious ones that allowed direct draining of collateral and pool balances.
- Executed the drain across all four affected chains in rapid succession.
Total extracted: approximately $4.55-5 million in mixed assets.
Aftermath
- Wasabi paused operations across all affected chains.
- The team acknowledged the single-EOA admin pattern as the root structural cause.
- No public recovery from the attacker's wallets.
- The incident contributed to April 2026's $635M total DeFi loss — the worst monthly aggregate on record, surpassing even the months containing major individual events like the Bybit heist.
Why it matters
The Wasabi Protocol incident is the textbook 2026 case for why single-EOA admin roles are no longer acceptable for any protocol of meaningful size. The structural pattern — deployer key with full upgrade authority, no timelock, no multisig — was widely identified as risky a decade earlier in the Solidity security literature; the Parity Multisig incident in 2017 was supposed to have made the lesson universal.
In practice, the pattern persists because:
- Multi-sig deployment is operationally complex — coordinating signatures across multiple parties, especially for routine maintenance operations, is slow and error-prone.
- Timelocks delay legitimate operations — protocols that want to ship fast changes resist the friction.
- The cost of the protective architecture is paid up-front, in operational overhead — the cost of skipping it is paid only when (not if) the deployer's wallet is compromised.
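The weak configuration described under "What happened" beside the hardened one this section argues for, as an added illustration written for this page (not Wasabi's code, and a reconstruction of the pattern rather than the actual contracts). It uses OpenZeppelin's upgradeable contracts and TimelockController; the contract names, the 48-hour delay and the `multisig` address are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";
import "@openzeppelin/contracts/governance/TimelockController.sol";

/// Weak pattern (hypothetical reconstruction): a single ADMIN_ROLE, handed at
/// initialisation to whoever deployed, is the only gate on UUPS upgrades.
contract VaultWeak is Initializable, UUPSUpgradeable, AccessControlUpgradeable {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");

    function initialize() external initializer {
        __UUPSUpgradeable_init();
        __AccessControl_init();
        // msg.sender is the deployer EOA. It can upgrade directly, and it can
        // grant ADMIN_ROLE to any helper contract, with no delay and no co-signer.
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(ADMIN_ROLE, msg.sender);
    }

    function _authorizeUpgrade(address) internal override onlyRole(ADMIN_ROLE) {}
}

/// Hardened pattern: upgrade authority and role administration both sit behind
/// a TimelockController, and initialisation refuses an EOA admin outright.
contract VaultHardened is Initializable, UUPSUpgradeable, AccessControlUpgradeable {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");

    function initialize(address timelock) external initializer {
        __UUPSUpgradeable_init();
        __AccessControl_init();
        // An EOA has no code, so the deployer-key pattern cannot ship by accident.
        // (This check is added here; it is not part of OpenZeppelin.)
        require(timelock.code.length > 0, "admin must be a timelock contract");
        _grantRole(DEFAULT_ADMIN_ROLE, timelock); // grants of ADMIN_ROLE go via the delay too
        _grantRole(ADMIN_ROLE, timelock);
    }

    function _authorizeUpgrade(address) internal override onlyRole(ADMIN_ROLE) {}
}

/// Deployment wiring: a 48h minimum delay, a multisig as sole proposer and
/// executor, and no separate timelock admin (address(0)).
contract DeployTimelock {
    function wire(address multisig) external returns (TimelockController) {
        address[] memory ops = new address[](1);
        ops[0] = multisig;
        return new TimelockController(48 hours, ops, ops, address(0));
    }
}
```

The `code.length` check only proves the admin is a contract, not that it is a timelock with a sane delay; that still has to be verified at deployment and re-checked by reading the role holders on each chain.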
The pattern recurs at every scale through 2025-2026:
- Drift Protocol (Apr 2026, $285M) — durable-nonce signing bypass.
- KelpDAO (Apr 2026, $292M) — single-DVN LayerZero bridge.
- Wasabi Protocol (Apr 2026, $5M) — single-EOA admin role.
All three are 2026 incidents where the operational-security configuration was the entire attack surface, not any specific contract bug. April 2026 became the worst DeFi month on record primarily because of this pattern — sophisticated attackers (most plausibly state-aligned) discovered that the operational layer of DeFi protocols is now the weak link, and shifted their targeting accordingly.
The "AI-driven DeFi hacker" theory — that the rate and sophistication of 2026 incidents reflects automated discovery and exploitation by ML-augmented operations — has gained traction in the security-research community but remains speculative as of public reporting.
Sources & on-chain evidence
- [01] coindesk.com: https://www.coindesk.com/tech/2026/04/30/wasabi-protocol-drained-for-usd4-5-million-in-apparent-admin-key-compromise
- [02] halborn.com: https://www.halborn.com/blog/post/explained-the-wasabi-protocol-hack-april-2026
- [03] thedefiant.io: https://thedefiant.io/news/hacks/wasabi-protocol-hack