DeFi can’t stop the bleeding, and Wasabi Protocol is the latest to find out why.
The protocol, a perpetuals trading platform built on Ethereum and Base, was drained of about $4.55 million on Thursday after attackers compromised its deployer key, security firm Blockaid said in an X post.
The hack is the latest in a month that has produced over $605 million in DeFi losses across at least 12 incidents. The attack closely mirrors the Drift Protocol exploit on April 1, in which North Korean attackers used a compromised admin key to drain $285 million from the Solana-based perpetuals exchange.
The mechanics operated through an externally owned account, or EOA, called wasabideployer.eth, which held the sole ADMIN_ROLE in Wasabi’s permission system.
An EOA is a wallet controlled by a private key as opposed to a smart contract. Whoever holds the key controls the wallet. Once the attacker had access to the deployer key, they granted themselves admin privileges with zero delay by calling grantRole on the permission contract.
Their helper contract then upgraded Wasabi’s perp vaults and Long Pool to malicious deployments that drained the balances, Blockaid said.
The exploit relied on a standard known as the Universal Upgradeable Proxy Standard (UUPS), which allows a smart contract to change its underlying code while keeping the same address.
UUPS is widely used because it lets developers fix bugs without migrating users. The downside is that if an attacker controls admin permissions, they can replace the contract’s logic with anything they want, including code designed to steal money.
Wasabi had no timelock or multisig protecting the admin role, Blockaid said. A time lock enforces a delay between when an admin action is announced and when it is performed, giving users time to react. A multisig requires multiple signatories to approve a change. Wasabi had neither, leaving a single key in full control of the protocol.
🚨 Blockaid’s exploit detection system identified an ongoing administration key compromise on @wasabi_protocol across Ethereum and Base. Wasabi: Deployer EOA was used to grant ADMIN_ROLE to an attacker helper contract which then UUPS upgraded perp vaults and LongPool to…
— Blockaid (@blockaid_) 30 April 2026
Compromised contracts include Wasabi’s wWETH, sUSDC, wBITCOIN, wPEPE and Long Pool vaults on Ethereum, plus its sUSDC, wWETH, sBTC, sVIRTUAL, sAERO and sBRETT vaults on Base, according to Blockaid.
Users with Wasabi LP tokens were encouraged to revoke all active approvals of the vault contracts because the underlying assets backing these tokens had either been drained or remained at risk.
A month of achievements
In the case of Drift, the attackers also exploited a one-key admin setup with no management timeout, listing a fake token as collateral and raising withdrawal limits to drain real assets in about 12 minutes.
Three weeks later, on April 19, the Kelp DAO lost $292 million when an attacker exploited a single-verifier configuration in the protocol’s LayerZero bridge and released 116,500 unbacked rsETH, which was then used as collateral to borrow real ether (ETH) from Aave.
The total DeFi loss total for 2026 has now passed $770 million across more than 30 reported incidents. April alone accounts for the majority of that number.
Smaller breaches this month have hit CoW Swap ($1.2 million), Grinex ($13.74 million), Resolv Labs ($23 million), Volo Protocol ($3.5 million), among others.
What binds them together is not a new vulnerability. Each incident produces the same post-mortem language of lessons learned, but the next exploitation usually comes before the lessons are implemented.
Wasabi has yet to issue a public statement about the incident.
UPDATE (April 30, 11:34 UTC): General edits throughout. Moves Drift Protocol exploitation to third section.
