Wasabi Protocol, a perpetuals trading platform focused on leveraged positions in long-tail assets like memecoins, was exploited on April 30, 2026, with approximately $4.5–5.5 million drained from its vault pools across multiple chains.
Attackers compromised the protocol's deployer EOA (externally owned account), which held the sole ADMIN_ROLE with no timelock or multisig protections. They used this key to grant the ADMIN_ROLE to a malicious helper contract they controlled, perform UUPS proxy upgrades on Wasabi's perp vault contracts and the LongPool, and replace the legitimate implementations with malicious ones that allowed draining of collateral and pool balances via fake strategyDeposit() calls that triggered a drain() function sending assets to the attacker.
The attack affected vaults on Ethereum and Base, and some reports also mention Blast and Berachain. Compromised assets included wrapped tokens like wWETH, sUSDC, wBITCOIN, wPEPE, sBTC, sVIRTUAL, sAERO, sBRETT, and others. Funds were reportedly swapped to ETH and distributed.
Security firms such as Blockaid, Hypernative, PeckShield, and CertiK detected and reported the incident in real time, with the attack unfolding over roughly two hours. It followed a similar pattern to the recent Drift Protocol breach, a massive admin-key compromise earlier in April 2026 that drained far more. Users holding Wasabi LP tokens were advised to revoke approvals to the affected vault contracts immediately, as the underlying assets were drained or at risk.
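The sequence described above, an ADMIN_ROLE grant to an unfamiliar account followed by proxy upgrades, is something a monitoring job can correlate. The sketch below is an added example, not code from Wasabi or from the security firms named; it assumes the contracts emit the standard RoleGranted and ERC-1967 Upgraded events and that logs are already decoded, and every address, allowlist and the two-hour window is a constructed placeholder.

```python
# Added example: correlate decoded proxy-admin events to flag the pattern above.
# All addresses and events are constructed placeholders, not real chain data.
WINDOW_SECONDS = 2 * 60 * 60  # assumption: matches the ~two-hour attack span

SAMPLE_EVENTS = [
    {"ts": 10, "event": "Upgraded", "contract": "0xVaultC", "implementation": "0xUnreviewed"},
    {"ts": 1000, "event": "RoleGranted", "contract": "0xAccessManager",
     "role": "ADMIN_ROLE", "account": "0xHelper", "sender": "0xDeployer"},
    {"ts": 1060, "event": "Upgraded", "contract": "0xVaultA", "implementation": "0xUnknownImpl1"},
    {"ts": 1120, "event": "Upgraded", "contract": "0xLongPool", "implementation": "0xUnknownImpl2"},
    {"ts": 90000, "event": "Upgraded", "contract": "0xVaultB", "implementation": "0xApprovedV2"},
]


def detect_upgrade_takeover(events, known_admins, approved_impls, window=WINDOW_SECONDS):
    """Return alerts for ADMIN_ROLE grants to unknown accounts and for upgrades
    to implementations that were never approved (e.g. via a timelock queue)."""
    alerts = []
    grant_times = []  # timestamps of ADMIN_ROLE grants to unknown accounts
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "RoleGranted" and ev["role"] == "ADMIN_ROLE":
            if ev["account"] not in known_admins:
                grant_times.append(ev["ts"])
                alerts.append({"kind": "unexpected_admin_grant", "ts": ev["ts"],
                               "subject": ev["account"], "severity": "critical"})
        elif ev["event"] == "Upgraded":
            if ev["implementation"] in approved_impls:
                continue  # upgrade matches a reviewed, pre-announced release
            # An unapproved upgrade shortly after a rogue grant is the takeover chain.
            chained = any(0 <= ev["ts"] - t <= window for t in grant_times)
            alerts.append({"kind": "unapproved_upgrade", "ts": ev["ts"],
                           "subject": ev["contract"],
                           "severity": "critical" if chained else "high"})
    return alerts


if __name__ == "__main__":
    for alert in detect_upgrade_takeover(SAMPLE_EVENTS, {"0xDeployer"}, {"0xApprovedV2"}):
        print(alert)
```

Alerting of this kind only shortens response time; with no timelock between the grant and the upgrade there is no window in which to act on the alert before funds move.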
The protocol appears to have lacked basic safeguards like timelock + multisig on a powerful admin key, a recurring issue in DeFi that turns a single point of compromise, such as key leakage, phishing, or poor key management, into a full drain. This is another example of how admin-key or deployer-key compromises remain a top vector for DeFi losses, even without smart contract bugs.
Centralized control over upgrades and roles in otherwise decentralized protocols creates single points of failure. Projects are increasingly pressured to adopt stronger opsec: multisig wallets, timelocks, hardware security modules, and minimized privileged roles. The incident adds to a wave of DeFi exploits in 2026.
Always treat crypto protocols with caution — verify security practices, monitor on-chain activity where possible, and never assume decentralized means no trusted parties with god-mode keys. If you had exposure to Wasabi vaults, check your wallet approvals and transaction history right away.
Approximately $4.5M – $5.5M drained from perp vaults and LongPool liquidity across Ethereum, Base, Berachain, and Blast. Assets included wETH, USDC, memecoins like PEPE, BRETT, AERO and others, which attackers swapped to ETH and distributed.
LP tokens (Wasabi/Spicy shares) from affected vaults are now compromised and largely worthless, as the underlying collateral was drained. Users with exposure were advised to immediately revoke approvals to the vault contracts to prevent further risk.
Vault pools were effectively emptied, a severe hit to liquidity for leveraged perp trading on long-tail assets (memecoins, NFTs). Pre-exploit TVL was modest, in the ~$8M range; the drain represents a massive portion of affected pools. Trust is severely damaged, and the incident highlights the lack of basic safeguards: no timelock or multisig on the admin and deployer key.
The incident is similar to the recent Drift Protocol admin-key breach, in which hundreds of millions were lost. It adds to April 2026's heavy DeFi exploit wave, which had already totaled more than $600M earlier in the month. No user funds outside the vaults appear directly affected, but confidence in the protocol is shattered. The loss is small-to-mid sized in absolute terms, but potentially fatal for Wasabi's operations and user base due to the complete drainage of key pools and eroded trust.



