Wasabi Protocol Exploited for Over $5M After Admin Key Compromise

TLDR

Wasabi Protocol, a perpetuals trading platform operating across Ethereum, Base, Berachain, and Blast, has been exploited for more than $5 million after attackers gained control of a privileged admin key.

The attack affected multiple vaults and liquidity pools linked to the protocol. Blockchain security firms said the attacker used the compromised deployer wallet to grant admin permissions, upgrade contracts to malicious versions, and drain assets from Wasabi’s systems.

The Wasabi team said it was investigating the incident and warned users not to interact with its contracts until further notice. Virtuals Protocol also froze margin deposits powered by Wasabi as a precaution, while stating that its own security remained intact.

Wasabi Protocol Admin Key Compromise Led to Contract Takeover

Security firm Blockaid said the exploit began through an externally owned account known as wasabideployer.eth, which held the sole admin role in Wasabi’s permission system.

After gaining access to the deployer key, the attacker granted themselves privileged access without delay. They then used a helper contract to upgrade Wasabi’s perpetual vaults and pool contracts into malicious implementations designed to drain balances.

The exploit involved the Universal Upgradeable Proxy Standard, a common smart contract upgrade method. UUPS allows developers to update contract logic while keeping the same contract address. However, if admin control is compromised, attackers can replace legitimate code with malicious code.

Blockaid said Wasabi did not have a timelock or multisig protecting the admin role. A timelock would have delayed sensitive changes, while a multisig would have required multiple approvals before contract upgrades could take effect.

Multiple Chains and Assets Were Affected

The compromised contracts included Wasabi vaults on Ethereum and Base, including wWETH, sUSDC, wBITCOIN, wPEPE, sBTC, sVIRTUAL, sAERO, and sBRETT.

Other security firms said the exploit also touched Berachain and Blast. Stolen assets reportedly included WETH, PEPE, MOG, USDC, ZYN, REKT, cbBTC, AERO, and VIRTUAL.

Cyvers said the attacker consolidated stolen funds into ETH, bridged assets to Ethereum, and distributed funds across several addresses. BlockSec noted that some accounts involved in the activity appeared to have been funded through Tornado Cash.

Users holding Wasabi LP-share tokens were warned that the underlying assets backing those tokens may have been drained or remain at risk. Security researchers advised users to revoke active approvals tied to affected vault contracts.

DeFi Key Management Risks Remain in Focus

The Wasabi exploit adds to a difficult month for decentralized finance security. More than $600 million has been lost across multiple attacks in recent weeks, including large incidents involving Drift Protocol and Kelp DAO.

The Wasabi incident shares similarities with other admin-key compromise attacks. In such cases, the code may function as designed, but operational control is too concentrated in one private key.

Security experts said the absence of delay mechanisms and multi-party approval systems remains a major risk for protocols managing user funds across several chains.

The Wasabi team has not yet released a full post-mortem. Further updates are expected after forensic review of the compromised deployer wallet, contract upgrades, affected vaults, and fund movements.

The post Wasabi Protocol Exploited for Over $5M After Admin Key Compromise appeared first on CoinCentral.