Wasabi Protocol loses over $5 million in multi-chain exploit

Wasabi Protocol has been hit by a multi-chain exploit worth more than $5 million, according to blockchain security firms. The attack affected Ethereum, Base, Berachain, and Blast.

PeckShield said the exploit targeted Wasabi Protocol across several networks. The affected chains included Ethereum, Base, Berachain, and Blast.

Security firms said the attack drained more than $5 million from the DeFi derivatives platform. The incident adds to a sharp rise in DeFi exploits reported this month.

Compromised admin key linked to attack

Blockaid and CertiK said the attacker used a compromised admin key. The key allowed privileged access through the Wasabi deployer wallet.

The attacker then upgraded core contracts and drained funds. BlockSec said early traces show Tornado Cash-funded accounts received admin-linked roles.

Blockaid warned, “All Wasabi/Spicy LP-share tokens minted by these vaults should be treated as COMPROMISED.”

Cyvers said the attacker extracted several assets, including WETH, PEPE, MOG, USDC, ZYN, REKT, cbBTC, AERO, and VIRTUAL.

The security firm said the stolen funds were consolidated into ETH. They were then bridged to Ethereum and distributed across several addresses.

Wasabi tells users to avoid contracts

Wasabi Protocol said it was aware of the issue and was investigating. The team warned users not to interact with Wasabi contracts until further notice.

The team said, “As a precaution, please do not interact with Wasabi contracts until further notice.”

Virtuals Protocol said its security remains intact. However, it froze margin deposits powered by Wasabi Protocol as a precaution.

The incident comes during one of the worst months for DeFi security. More than 25 protocols have reportedly lost over $600 million, led by the $292 million Kelp DAO exploit.