DeFi can’t stop the bleeding, and Wasabi Protocol is the latest to find out why.
The protocol, a perpetual trading platform built on Ethereum and Base, lost around $4.55 million on Thursday after attackers compromised its deployment key, security firm Blockaid said in an X article.
The hack is the latest in a month that generated more than $605 million in DeFi losses across at least 12 incidents. The attack closely mirrors the April 1 Drift Protocol exploit, when North Korea-linked attackers used a compromised admin key to drain $285 million from the Solana-based perpetual exchange.
The attack ran through an externally owned account, or EOA, called wasabideployer.eth, which held the sole ADMIN_ROLE in Wasabi’s authorization system.
An EOA is a wallet controlled by a private key, as opposed to a smart contract. Whoever holds the key controls the wallet. Once the attacker gained access to the deployer key, they immediately granted themselves administrative privileges by calling grantRole on the authorization contract.
Their support contract then upgraded Wasabi and Long Pool vaults to malicious implementations that drained balances, Blockaid said.
The exploit relied on a standard known as the Universal Upgradeable Proxy Standard (UUPS), which allows a smart contract to modify its underlying code while maintaining the same address.
UUPS is widely used because it allows developers to fix bugs without migrating users. The downside is that if an attacker controls administrator permissions, they can replace the contract logic with anything they want, including code designed to steal funds.
Wasabi had neither a timelock nor a multisig protecting the administrator role, Blockaid said. A timelock imposes a delay between when an administrative action is announced and when it is executed, giving users time to react. A multisig requires multiple signers to approve a change. Without either control, a single key held complete control over the protocol.
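As an added example (not code from Blockaid or Wasabi), the Python below replays role and upgrade events to surface the two conditions described above: ADMIN_ROLE held by a bare EOA, and an upgrade made by an account shortly after it received the role. The event shape (OpenZeppelin-style RoleGranted/RoleRevoked and ERC-1967 Upgraded, with the caller resolved from the transaction trace), the one-day threshold, and every address label and timestamp are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MIN_DELAY = 24 * 3600  # assumed policy: a newly granted admin should not act for a day

@dataclass(frozen=True)
class Event:
    ts: int            # block timestamp in seconds
    name: str          # "RoleGranted", "RoleRevoked" or "Upgraded"
    role: str = ""     # role events: which role changed
    account: str = ""  # role events: address gaining or losing the role
    caller: str = ""   # Upgraded: address that called the proxy (from the trace)
    proxy: str = ""    # Upgraded: contract whose implementation changed

def audit(events, has_code, min_delay=MIN_DELAY):
    """Replay events in time order and return (eoa_admins, alerts)."""
    granted_at = {}  # current ADMIN_ROLE holders -> time the role was granted
    eoa_admins, alerts = set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        is_admin = ev.role == "ADMIN_ROLE"
        if ev.name == "RoleGranted" and is_admin:
            granted_at[ev.account] = ev.ts
            # No code at the address means one private key holds the role.
            # A holder with code still needs review: it may not be a
            # multisig or timelock at all.
            if not has_code.get(ev.account, False):
                eoa_admins.add(ev.account)
        elif ev.name == "RoleRevoked" and is_admin:
            granted_at.pop(ev.account, None)
            eoa_admins.discard(ev.account)
        elif ev.name == "Upgraded" and ev.caller in granted_at:
            age = ev.ts - granted_at[ev.caller]
            if age < min_delay:  # no governance delay between grant and use
                alerts.append((ev.proxy, ev.caller, age))
    return sorted(eoa_admins), alerts

# Constructed sample: labels stand in for addresses, timestamps are made up.
HAS_CODE = {"deployer-eoa": False, "helper-contract": True}  # eth_getCode != "0x"
SAMPLE = [
    Event(0, "RoleGranted", role="ADMIN_ROLE", account="deployer-eoa"),
    Event(900_000, "RoleGranted", role="ADMIN_ROLE", account="helper-contract"),
    Event(900_012, "Upgraded", caller="helper-contract", proxy="vault-1"),
    Event(900_024, "Upgraded", caller="helper-contract", proxy="vault-2"),
]

if __name__ == "__main__":
    eoas, alerts = audit(SAMPLE, HAS_CODE)
    print("ADMIN_ROLE held by EOA:", eoas)
    for proxy, caller, age in alerts:
        print(f"ALERT {proxy}: upgraded by {caller} {age}s after role grant")
```

The first result is a standing posture finding that exists before any incident; the second is the runtime signal a timelock would have turned into a waiting period.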
🚨 Blockaid’s exploit detection system has identified an admin key compromise exploit in progress on @protocol_wasabi on Ethereum and Base. The Wasabi: Deployer EOA was used to grant ADMIN_ROLE to a support contract to an attacker, who then upgraded the perp and LongPool vaults to…
– Blockaid (@blockaid_) April 30, 2026
The compromised contracts include Wasabi’s wWETH, sUSDC, wBITCOIN, wPEPE and Long Pool vaults on Ethereum, as well as its sUSDC, wWETH, sBTC, sVIRTUAL, sAERO and sBRETT vaults on Base, according to Blockaid.
Users holding Wasabi LP tokens were asked to revoke any active approval of vault contracts because the underlying assets backing these tokens had been depleted or remained at risk.
A month of exploits
In the case of Drift, the attackers also exploited a single-key admin setup with no governance delay, listing a fake token as collateral and increasing withdrawal limits to drain real assets in approximately 12 minutes.
Three weeks later, on April 19, Kelp DAO lost $292 million when an attacker exploited a single-verifier setup in the protocol’s LayerZero bridge, releasing 116,500 unbacked rsETH that was then used as collateral to borrow real ether (ETH) from Aave.
The cumulative total of DeFi losses for 2026 has now exceeded $770 million across more than 30 reported incidents. The month of April alone accounts for the majority of this figure.
Smaller breaches this month affected CoW Swap ($1.2 million), Grinex ($13.74 million), Resolv Labs ($23 million) and Volo Protocol ($3.5 million), among others.
What binds them is not a new vulnerability. Each incident produces the same postmortem language about lessons learned, but the next exploit usually arrives before the lessons are implemented.
Wasabi has yet to issue a public statement on the incident.
UPDATE (April 30, 11:34 UTC): General changes throughout. Moves the Drift Protocol exploit to the third paragraph.




