DeFi can’t stop bleeding and the Wasabi Protocol is the latest to find out why.
The protocol, a perpetual trading platform built on Ethereum and Base, lost around $4.55 million on Thursday after attackers compromised its administrator key, security firm Blockaid said in an X post.
The hack is the latest in a month that has produced more than $605 million in DeFi losses in at least 12 incidents. The attack closely mirrors the April 1 Drift Protocol exploit, when North Korea-linked attackers used a compromised administration key to drain $285 million from the Solana-based perpetual exchange.
The attack ran through an externally owned account (EOA), wasabideployer.eth, which held the sole ADMIN_ROLE in Wasabi’s permissions system.
An EOA is a wallet controlled directly by a private key rather than by contract code, so whoever holds the key controls the account. Once the attacker had the deployer key, they granted themselves administrator privileges by calling grantRole on the permissions contract.
A helper contract under the attacker’s control then upgraded the Wasabi vaults and Long Pool to malicious implementations that drained their balances, Blockaid said.
The exploit relied on the Universal Upgradeable Proxy Standard (UUPS), a pattern in which users interact with a proxy contract that keeps a fixed address and storage while delegating every call to a replaceable implementation contract. In UUPS the upgrade function lives in the implementation itself, guarded only by whatever authorization check the developers wrote.
UUPS is widely used because it lets developers fix bugs without migrating users or funds. The downside is that if an attacker controls the administrator permissions that gate the upgrade, they can replace the contract logic with anything they want, including code designed to steal funds.
Wasabi had no time lock or multi-signature requirement protecting the administrator role, Blockaid said. A time lock forces a delay between the time an administrator action is announced and the time it executes, giving users time to react. A multisig requires several signers to approve a change. Wasabi had neither, leaving a single key with full control over the protocol.
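The two setups described above, written out as an added illustration rather than Wasabi’s actual code. Pattern A is a UUPS vault whose self-administered ADMIN_ROLE is held by one EOA, so a stolen key turns into an upgrade in two calls; pattern B keeps the same vault code but gives the role only to a TimelockController whose proposers are a multisig, so both grantRole and the upgrade must sit through a public delay. It assumes the OpenZeppelin Contracts v5 API (AccessControlUpgradeable, UUPSUpgradeable, TimelockController); the contract names, the 48-hour delay and the `ADMIN_ROLE`-administers-itself configuration are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Wasabi's code. Assumes OpenZeppelin Contracts v5.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {AccessControlUpgradeable} from "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";
import {TimelockController} from "@openzeppelin/contracts/governance/TimelockController.sol";

/// Pattern A: the shape the article describes. One role administers itself and also
/// authorises upgrades, and a single EOA holds it. Whoever holds that key can grant the
/// role to a helper contract and swap the implementation in back-to-back transactions.
contract SingleKeyVault is Initializable, AccessControlUpgradeable, UUPSUpgradeable {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");

    function initialize(address deployerEOA) external initializer {
        __AccessControl_init();
        __UUPSUpgradeable_init();
        _setRoleAdmin(ADMIN_ROLE, ADMIN_ROLE); // assumption: ADMIN_ROLE holders may grant ADMIN_ROLE
        _grantRole(ADMIN_ROLE, deployerEOA);   // one key, no delay, no second signer
    }

    // With a stolen key the whole attack is two calls, both valid under this check:
    //   vault.grantRole(ADMIN_ROLE, attackerHelper);      // sent from the deployer EOA
    //   vault.upgradeToAndCall(maliciousImpl, "");        // sent from attackerHelper
    function _authorizeUpgrade(address) internal override onlyRole(ADMIN_ROLE) {}
}

/// Pattern B: identical vault logic, but the only ADMIN_ROLE holder is a TimelockController.
/// grantRole and upgradeToAndCall are unchanged; they can only be reached through a
/// scheduled timelock operation that has waited out minDelay in public.
contract TimelockedVault is Initializable, AccessControlUpgradeable, UUPSUpgradeable {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");

    function initialize(address timelock) external initializer {
        __AccessControl_init();
        __UUPSUpgradeable_init();
        _setRoleAdmin(ADMIN_ROLE, ADMIN_ROLE);
        _grantRole(ADMIN_ROLE, timelock);      // a contract, never an EOA
    }

    function _authorizeUpgrade(address) internal override onlyRole(ADMIN_ROLE) {}
}

/// Hypothetical wiring helpers (in practice a deployment script plus a multisig transaction).
contract UpgradeFlow {
    uint256 public constant MIN_DELAY = 48 hours; // assumed delay

    /// Deploys the timelock that will own ADMIN_ROLE on TimelockedVault.
    function deployTimelock(address multisig) external returns (TimelockController) {
        address[] memory proposers = new address[](1);
        proposers[0] = multisig;   // only the multisig can schedule or cancel operations
        address[] memory executors = new address[](1);
        executors[0] = address(0); // address(0) = anyone may execute once the delay has elapsed
        // Final argument is an optional admin of the timelock itself. address(0) means none,
        // so the timelock's own roles can only change through its own delayed process.
        return new TimelockController(MIN_DELAY, proposers, executors, address(0));
    }

    /// Calldata the multisig submits to the timelock to schedule an upgrade. Returned rather
    /// than sent from here because schedule() checks msg.sender for PROPOSER_ROLE, so the
    /// multisig itself must be the caller. Scheduling emits CallScheduled, which is the
    /// on-chain notice users and monitoring receive before the vault's code changes.
    function scheduleCalldata(address vaultProxy, address newImpl, bytes32 salt)
        external
        pure
        returns (bytes memory)
    {
        bytes memory upgrade = abi.encodeCall(UUPSUpgradeable.upgradeToAndCall, (newImpl, ""));
        return abi.encodeCall(
            TimelockController.schedule,
            (vaultProxy, 0, upgrade, bytes32(0), salt, MIN_DELAY)
        );
    }
    // After MIN_DELAY, anyone calls timelock.execute(vaultProxy, 0, upgrade, bytes32(0), salt).
    // The timelock is then msg.sender for upgradeToAndCall, so onlyRole(ADMIN_ROLE) passes.
}
```

Under pattern B a compromised proposer key still only produces a scheduled operation that the remaining multisig signers can cancel before it executes, and because ADMIN_ROLE administers itself, granting the role to a new account goes through the same delay as an upgrade. The protection is only as strong as the shortest path to ADMIN_ROLE: if the deployer EOA is also made the timelock's admin, or is the sole proposer, the delay can be bypassed or is guarded by one key again.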
🚨 Blockaid’s exploit detection system identified an ongoing exploit that compromises the administrator key on @wasabi_protocol on Ethereum and Base. Wasabi: Deployer EOA was used to grant ADMIN_ROLE to an attacker support contract, which then UUPS-upgraded the Wasabi and LongPool vaults to…
– Blockaid (@blockaid_) April 30, 2026
The compromised contracts include Wasabi’s wWETH, sUSDC, wBITCOIN, wPEPE, and Long Pool vaults on Ethereum, in addition to its sUSDC, wWETH, sBTC, sVIRTUAL, sAERO, and sBRETT vaults on Base, according to Blockaid.
Users holding Wasabi LP tokens were urged to revoke any active token approvals granted to the vault contracts, because the underlying assets backing those tokens had been drained or remained at risk.
A month of exploits
In the Drift case, attackers likewise exploited a single-key admin setup with no governance time lock, depositing a fake token as collateral and raising withdrawal limits to drain real assets in about 12 minutes.
Three weeks later, on April 19, Kelp DAO lost $292 million when an attacker exploited a single verifier configuration on the protocol’s LayerZero bridge, releasing 116,500 unbacked rsETH that was then used as collateral to borrow real ether (ETH) from Aave.
DeFi’s cumulative losses so far in 2026 exceed $770 million across more than 30 reported incidents, and April alone accounts for most of that figure.
Smaller breaches this month have hit CoW Swap ($1.2 million), Grinex ($13.74 million), Resolv Labs ($23 million) and Volo Protocol ($3.5 million), among others.
What unites the largest of them is not a novel vulnerability but the same operational failure: a single key or a single verifier able to act alone, with no delay in which anyone could intervene. Each incident produces the same postmortem language about lessons learned, but the next exploit usually arrives before the lessons are implemented.
Wasabi has yet to issue a public statement regarding the incident.
UPDATE (April 30, 11:34 UTC): General edits throughout; moves the Drift Protocol exploit to the third paragraph.