Wasabi Protocol Hacked for Over $5 Million Across Multiple Chains
DeFi protocol Wasabi suffered a security breach on April 30, with attackers draining over $5 million in assets across Ethereum, Base, Berachain, and Blast by exploiting a compromised admin key.
Wasabi loses millions after admin key compromise
DeFi protocol Wasabi was exploited on April 30, with an attacker draining more than $5 million in assets across multiple blockchain networks. The breach affected funds on Ethereum, Base, Berachain, and Blast.
Blockchain security firm PeckShield was among the first to flag the incident:
"#PeckShieldAlert @wasabi_protocol has been exploited for $5M+ across multiple chains, including Ethereum, Base, Berachain, & Blast." — PeckShieldAlert (@PeckShieldAlert), original post
CertiK analysts conducted their own assessment and placed total losses at approximately $5.5 million:
"UPDATE: Total losses amount to ~$5.5M across the ETH, BASE, BLAST, and BERA chains" — CertiK Alert (@CertiKAlert), original post
How the attack unfolded
According to Blockaid, the attacker gained access to the protocol's admin key. Using a designated Wasabi wallet, they assigned their own version of the contract as the governing implementation. The hacker then leveraged a UUPS upgrade mechanism to replace the internal logic of the platform's vaults and siphon out the assets.
Cyvers reported that the wallets involved in the attack had been funded through crypto mixer Tornado Cash. The attacker deployed a malicious contract on both Base and Ethereum simultaneously:
"Our system has detected multiple suspicious transactions involving @wasabi_protocol. An address funded via @TornadoCash deployed a malicious contract on both #Base and #Ethereum, extracting approximately $4.5M across multiple assets, including $WETH, $PEPE, $MOG, $USDC…" — Cyvers Alerts (@CyversAlerts), original post
The stolen tokens included WETH, PEPE, MOG, USDC, ZYN, REKT, cbBTC, AERO, and VIRTUAL. According to Cyvers, the attacker has already converted the stolen assets into ETH and distributed them across multiple addresses.
Why this matters
The Wasabi incident exposed critical flaws in the protocol's security architecture. SlowMist founder, known by the pseudonym Cos, highlighted the protocol's weak safeguards: vault management was controlled by a single EOA (Externally Owned Account) without any multisig, timelock, or DAO governance mechanism in place.
On-chain investigator ZachXBT questioned this configuration publicly:
"Why did a single EOA seemingly have so much control without basic safeguards? Seems your runway was burned on KOL grifters like Kook…" — ZachXBT (@zachxbt), original post
BlockSec further confirmed that admin roles within the protocol had been granted to wallets funded through Tornado Cash, raising additional red flags about the security posture of the project.
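The two conditions this section describes, a single EOA holding upgrade authority and a vault implementation replaced through the upgrade path, can both be checked from chain state. The following Python is an added example, not code from Wasabi or from the firms quoted; the addresses, the `fake_rpc` stand-in for a JSON-RPC client, and the caller-supplied `upgrade_authority` and `approved_impls` parameters are assumptions made for illustration.

```python
# Added example (not Wasabi's code): audit a UUPS / EIP-1967 proxy's upgrade path.
# All addresses and chain state below are constructed for illustration.

# keccak256("eip1967.proxy.implementation") - 1, as defined by EIP-1967
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
EIP7702_PREFIX = "0xef0100"  # code of an EOA that delegates under EIP-7702


def implementation_of(rpc, proxy):
    """Read the implementation address from the proxy's EIP-1967 slot."""
    word = rpc("eth_getStorageAt", [proxy, IMPL_SLOT, "latest"])
    return "0x" + word[-40:].lower()  # low 20 bytes of the 32-byte word


def is_key_controlled(rpc, address):
    """True if the account is an EOA: no code, or only a 7702 delegation."""
    code = rpc("eth_getCode", [address, "latest"]).lower()
    return code in ("0x", "") or (code.startswith(EIP7702_PREFIX) and len(code) == 48)


def audit_proxy(rpc, proxy, upgrade_authority, approved_impls):
    """Return findings; upgrade_authority is supplied by the caller (assumption)."""
    findings = []
    if is_key_controlled(rpc, upgrade_authority):
        findings.append("upgrade authority is a single EOA")
    impl = implementation_of(rpc, proxy)
    if impl not in {a.lower() for a in approved_impls}:
        findings.append("implementation " + impl + " is not approved")
    return findings


def fake_rpc(code, storage):
    """Offline stand-in for a JSON-RPC client, backed by constructed state."""
    def call(method, params):
        if method == "eth_getCode":
            return code.get(params[0], "0x")
        if method == "eth_getStorageAt":
            return storage.get((params[0], params[1]), "0x" + "00" * 32)
        raise ValueError("unsupported method: " + method)
    return call


VAULT, EOA_ADMIN, TIMELOCK = "0x" + "a1" * 20, "0x" + "b2" * 20, "0x" + "c3" * 20
GOOD_IMPL, ROGUE_IMPL = "0x" + "d4" * 20, "0x" + "e5" * 20
CODE = {TIMELOCK: "0x6080604052", VAULT: "0x6080604052"}
healthy = fake_rpc(CODE, {(VAULT, IMPL_SLOT): "0x" + "00" * 12 + "d4" * 20})
swapped = fake_rpc(CODE, {(VAULT, IMPL_SLOT): "0x" + "00" * 12 + "e5" * 20})
```

Finding deployed code at the authority address is necessary but not sufficient: the contract still has to be a multisig or timelock with meaningful thresholds and delays, which this check does not verify.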
Team response and broader context
The Wasabi team acknowledged the breach and urged users to cease all interaction with the protocol's contracts until further notice. Developers stated they would provide updates as new information becomes available.
The Wasabi exploit is the latest in a string of DeFi security incidents in recent days. On April 28, hackers targeted Ethereum infrastructure project Syndicate, causing $330,000 in losses, while Sui ecosystem exchange Aftermath Finance lost approximately $900,000 in USDC. A day earlier, L1 network ZetaChain was hit with an attack that resulted in $333,868 in damages.
The recurring pattern of exploits — particularly those targeting single-key admin controls — continues to raise questions about governance standards across the DeFi landscape.
Frequently Asked Questions
How much was stolen from Wasabi protocol?
PeckShield reported losses exceeding $5 million, while CertiK estimated total damages at approximately $5.5 million. The exploit affected funds across Ethereum, Base, Berachain, and Blast networks.
How was Wasabi protocol hacked?
The attacker compromised an admin key and used a UUPS upgrade mechanism to replace the internal logic of the platform's vaults. The wallets used in the attack were funded through crypto mixer Tornado Cash.
What tokens were stolen in the Wasabi hack?
The hacker stole WETH, PEPE, MOG, USDC, ZYN, REKT, cbBTC, AERO, and VIRTUAL. All stolen assets have already been converted to ETH and distributed across multiple addresses.
Why was Wasabi protocol vulnerable to the attack?
The protocol's vault management was controlled by a single EOA without multisig, timelock, or DAO governance. This allowed the attacker to compromise one private key and gain full control over the protocol's funds.
Is Wasabi protocol safe to use after the hack?
The Wasabi team has advised users to stop all interaction with the protocol's contracts until further notice. Developers promised to share updates as the investigation progresses.
