The DeFi sector continues its troubling trend as Wasabi Protocol suffers a significant loss of approximately $4.55 million due to an attack leveraging a compromised deployer key, according to security firm Blockaid in an X post.
This incident adds to a month that has already seen over $605 million in losses across at least 12 DeFi-related breaches. The exploit was carried out via an externally owned account (EOA), wasabideployer.eth, which held the sole ADMIN_ROLE within Wasabi’s permission system. An EOA is controlled by a private key rather than by contract code, so whoever possesses the key controls the wallet.
Once in possession of the deployer key, attackers granted themselves admin rights with zero delay and upgraded critical components like perp vaults and LongPool to harmful versions that siphoned off funds, Blockaid reported. This attack utilized UUPS upgradeability, a widely adopted pattern allowing smart contracts to alter their code without changing addresses—a feature beneficial for bug fixes but dangerous if admin controls fall into the wrong hands.
Wasabi had no protective measures such as timelocks or multisignature requirements, so a single key could command full control over protocol operations. This absence left the system vulnerable to swift exploitation. Blockaid emphasized this when reporting that it had detected an ongoing exploit on Wasabi Protocol across the Ethereum and Base networks, in which contracts were upgraded to malicious versions to drain assets.
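The pattern described above (an admin role granted and upgrades following with zero delay, from an EOA rather than a timelock or multisig) can be checked for in decoded event logs. This is an added example, not code from Blockaid or Wasabi; it assumes OpenZeppelin-style `RoleGranted` and ERC-1967 `Upgraded` events, a 48-hour delay policy, and constructed sample data.

```python
from dataclasses import dataclass

MIN_DELAY_S = 48 * 3600  # assumed policy: upgrades wait 48h after a role change

@dataclass(frozen=True)
class Event:
    ts: int           # block timestamp in seconds
    kind: str         # "RoleGranted" or "Upgraded"
    contract: str     # emitting contract (a label here, an address in practice)
    actor: str        # grantee for RoleGranted; transaction sender for Upgraded
    detail: str = ""  # role name, or new implementation address

# Constructed sample data, not taken from the real incident.
SAMPLE = [
    Event(1000, "RoleGranted", "manager", "0xTimelock", "ADMIN_ROLE"),
    Event(1000 + MIN_DELAY_S + 60, "Upgraded", "vaultA", "0xTimelock", "0xImplV2"),
    Event(900000, "RoleGranted", "manager", "0xNewAdmin", "ADMIN_ROLE"),
    Event(900012, "Upgraded", "vaultA", "0xNewAdmin", "0xImplX"),
    Event(900024, "Upgraded", "longPool", "0xNewAdmin", "0xImplY"),
]
# Constructed stand-in for eth_getCode lookups: True means the account has code.
HAS_CODE = {"0xTimelock": True, "0xNewAdmin": False}

def audit(events, has_code, min_delay=MIN_DELAY_S):
    """Return (contract, actor, reasons) for each upgrade that violates policy."""
    granted_at = {}  # actor -> timestamp of its most recent ADMIN_ROLE grant
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "RoleGranted" and ev.detail == "ADMIN_ROLE":
            granted_at[ev.actor] = ev.ts
        elif ev.kind == "Upgraded":
            reasons = []
            if ev.actor not in granted_at:
                reasons.append("upgrader has no recorded role grant")
            elif ev.ts - granted_at[ev.actor] < min_delay:
                reasons.append("upgrade inside delay window after role grant")
            if not has_code.get(ev.actor, False):
                reasons.append("upgrader is an EOA, not a timelock or multisig")
            if reasons:
                findings.append((ev.contract, ev.actor, reasons))
    return findings

if __name__ == "__main__":
    for contract, actor, reasons in audit(SAMPLE, HAS_CODE):
        print(contract, actor, "; ".join(reasons))
```
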
The affected vaults included those holding wWETH, sUSDC, wBITCOIN, wPEPE, Long Pool on Ethereum, and sUSDC, wWETH, sBTC, sVIRTUAL, sAERO, sBRETT on Base. Users were advised to revoke any active contract approvals linked to these compromised vaults.
This attack resembles the Drift Protocol hack, in which North Korean-linked attackers exploited a similar single-key admin vulnerability on Solana. The Wasabi incident also mirrors past breaches like Kelp DAO’s loss of $292 million due to a compromised verifier in its LayerZero bridge, underscoring recurring issues with DeFi governance structures.
As 2026 progresses, the cumulative losses from DeFi incidents have exceeded $770 million across more than 30 events, with April alone accounting for most. Smaller attacks this month also targeted CoW Swap, Grinex, Resolv Labs, and Volo Protocol among others.
Despite the variety of incidents, a common theme persists: new vulnerabilities are often identified only after an attack, and the next breach typically occurs before any substantial changes are enacted. Wasabi has made no public statement regarding this latest exploit.