On April 30, 2026, Wasabi Protocol, a so-called “decentralized” perpetual futures platform focused on leveraged trading of memecoins and other assets, suffered a significant exploit that drained approximately $4.5–5.5 million from its vaults and pools. The breach impacted deployments on Ethereum, Base, Berachain, and Blast.
The root cause was a compromised deployer wallet (an externally owned account, wasabideployer.eth) that held the sole ADMIN_ROLE in the protocol’s access control system.
The attacker used it to grant administrative privileges to a malicious contract without delay, then executed UUPS proxy upgrades on the PerpManager vault contracts and LongPool.
We're aware of an issue and are actively investigating.
As a precaution, please do not interact with Wasabi contracts until further notice.
We'll share an update as soon as we have more information. Thanks for your patience.
— Wasabi Protocol 🟢 (@wasabi_protocol) April 30, 2026
These modified contracts allowed the immediate extraction of collateral and liquidity from affected pools, with stolen tokens swapped and dispersed to obscure the trail.
Admin key exploits follow a well-worn pattern in DeFi.
Just weeks earlier, Drift Protocol suffered a comparable $285 million loss through a compromised deployer key lacking timelocks or multisig requirements.
Such incidents have recurred across the industry for years: attackers obtain private keys via phishing or other means, then leverage the deployer’s trusted status to alter contracts or withdraw funds directly.
Many past cases involved centralized control points that bypassed audited code, leading to rapid drains without traditional smart contract vulnerabilities.
This case differed in its efficient multi-chain execution and reliance on privilege escalation rather than a code bug.
The attacker coordinated actions across four networks almost simultaneously, targeting specific perpetuals infrastructure.
It highlighted how a single point of failure—an unprotected EOA with broad powers—could cascade across deployments.
On-chain analyst ZachXBT publicly questioned the architecture, noting the risks of granting extensive control to one wallet without basic safeguards like multisignature setups or delays.
He also raised concerns about prior project spending, including payments to influencers.
Blockchain security teams Blockaid, PeckShield, and CertiK detected and detailed the activity in real time through their monitoring alerts.
🚨 Blockaid's exploit detection system identified an on-going admin-key compromise exploit on @wasabi_protocol across Ethereum and Base. The Wasabi: Deployer EOA was used to grant ADMIN_ROLE to an attacker helper contract, which then UUPS-upgraded the perp vaults and LongPool to…
— Blockaid (@blockaid_) April 30, 2026
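The sequence described in the alert above (ADMIN_ROLE granted to a new account, proxy upgrades by that account moments later, repeated on several chains) can be written as a simple correlation rule. This is an added example, not code from Blockaid or Wasabi; the decoded event dictionaries, placeholder addresses, the `caller` field and the one-hour window are assumptions.

```python
from collections import defaultdict

ADMIN_ROLE = "ADMIN_ROLE"  # shown by name here; on-chain the role is a bytes32 id
MAX_GAP_SECONDS = 3600  # assumed window; a timelocked upgrade would land far outside it

# Constructed, pre-decoded events (placeholder addresses, not real chain data).
# "caller" is the msg.sender of the upgrade call, assumed to come from a trace.
SAMPLE_EVENTS = [
    {"chain": "ethereum", "ts": 1000, "event": "RoleGranted", "role": ADMIN_ROLE,
     "account": "0xHELPER", "sender": "0xDEPLOYER"},
    {"chain": "ethereum", "ts": 1012, "event": "Upgraded", "proxy": "0xVAULT_1",
     "caller": "0xHELPER"},
    {"chain": "base", "ts": 1030, "event": "RoleGranted", "role": ADMIN_ROLE,
     "account": "0xHELPER", "sender": "0xDEPLOYER"},
    {"chain": "base", "ts": 1034, "event": "Upgraded", "proxy": "0xLONGPOOL",
     "caller": "0xHELPER"},
    # Benign case: role granted, upgrade performed three days later.
    {"chain": "blast", "ts": 2000, "event": "RoleGranted", "role": ADMIN_ROLE,
     "account": "0xOPS_MULTISIG", "sender": "0xDEPLOYER"},
    {"chain": "blast", "ts": 2000 + 3 * 86400, "event": "Upgraded",
     "proxy": "0xVAULT_2", "caller": "0xOPS_MULTISIG"},
]

def detect_grant_then_upgrade(events, max_gap=MAX_GAP_SECONDS):
    """Flag proxy upgrades made by an account that received ADMIN_ROLE moments earlier."""
    grants = {}  # (chain, account) -> (grant timestamp, granter)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "RoleGranted" and ev["role"] == ADMIN_ROLE:
            grants[(ev["chain"], ev["account"])] = (ev["ts"], ev["sender"])
        elif ev["event"] == "Upgraded":
            grant = grants.get((ev["chain"], ev["caller"]))
            if grant and ev["ts"] - grant[0] <= max_gap:
                alerts.append({"chain": ev["chain"], "proxy": ev["proxy"],
                               "new_admin": ev["caller"], "granter": grant[1],
                               "gap_seconds": ev["ts"] - grant[0]})
    return alerts

def multi_chain_granters(alerts):
    """Return granters whose freshly granted admins upgraded proxies on several chains."""
    chains = defaultdict(set)
    for a in alerts:
        chains[a["granter"]].add(a["chain"])
    return {g: sorted(c) for g, c in chains.items() if len(c) > 1}

if __name__ == "__main__":
    found = detect_grant_then_upgrade(SAMPLE_EVENTS)
    print(found, multi_chain_granters(found))
```

The delayed upgrade on the third chain is not flagged, which is the behaviour a timelock on role grants or upgrades would enforce on-chain rather than leave to monitoring.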
The Wasabi team quickly acknowledged the issue on X, instructing users to avoid interacting with contracts during the investigation.
They confirmed collaboration with responders such as SEAL 911 and Blockaid, noted that Solana contracts were unaffected, and reported contacting law enforcement including the FBI for further assistance.
The event contributes to a challenging period for DeFi security, with April 2026 noted for an elevated number of incidents.
It now seemingly reinforces longstanding calls for stronger key management practices, decentralized administration, regular audits, and timelocked or multisig protections on privileged roles. While the protocol paused operations and investigations continue, the breach serves as another case study in the persistent tension between usability, speed of development, and robust security in permissioned contract systems.