Wasabi Protocol Exploit — April 30, 2026 Post-Mortem (Aggregated)
The Incident
On April 30, 2026 (Thursday), Wasabi Protocol — an Electric Capital-backed perpetuals trading platform deployed on Ethereum and Base — was drained of approximately $4.55 million after attackers compromised its deployer EOA admin key. The attack was first flagged live by Blockaid's exploit detection system. Some outlets reported the loss above $5M; CoinDesk's confirmed figure is $4.55M.
How the Attack Worked
Blockaid traced the root cause to wasabideployer.eth — a single externally owned account (EOA) that held the sole ADMIN_ROLE in Wasabi's PerpManager AccessManager contract. Once the attacker controlled the deployer key:
1. They called grantRole(ADMIN_ROLE, attacker_helper_contract) on the permission contract, giving a contract they controlled the same admin authority the deployer key already held. The grant took effect immediately: no timelock, no multisig review, and nothing for anyone else to cancel.
2. The helper contract then UUPS-upgraded Wasabi's perpetual vaults and Long Pool to malicious implementations.
3. The malicious implementations drained the underlying balances from each upgraded vault on both chains.
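The three steps above, written as the detection logic a monitor would run over decoded chain events. This is an added example, not Blockaid's detector and not Wasabi code: the event records are constructed (an AccessManager RoleGranted and a UUPS Upgraded reduced to the fields the rule needs), and every address, tx hash, role id and proxy name is made up. It goes slightly beyond the incident by also rating a lone upgrade from an untrusted origin.

```python
"""Flag an ADMIN_ROLE grant that is followed by a proxy upgrade.

Added example for this post-mortem; not Blockaid's rule and not Wasabi code.
Inputs are constructed, already-decoded events (AccessManager RoleGranted and
UUPS Upgraded, reduced to the fields the rule needs). Every address, tx hash,
role id and proxy name below is made up.
"""

ADMIN_ROLE = 0        # OpenZeppelin AccessManager reserves role id 0 for ADMIN_ROLE
WINDOW_BLOCKS = 50    # still correlate an upgrade this many blocks after a grant

# Assumed inventory for the monitored protocol (constructed names).
MONITORED_PROXIES = {"proxy:vault_wWETH", "proxy:pool_long"}
TRUSTED_SIGNERS = {"eoa:team_multisig"}

# Constructed decoded events, in block/log order.
EVENTS = [
    # Routine operator grant by the team; no upgrade follows.
    {"block": 100, "tx": "0xaaa", "origin": "eoa:team_multisig", "event": "RoleGranted",
     "role": 7, "account": "eoa:ops_bot"},
    # Step 1: the deployer key grants ADMIN_ROLE to a fresh helper contract ...
    {"block": 200, "tx": "0xbbb", "origin": "eoa:deployer", "event": "RoleGranted",
     "role": ADMIN_ROLE, "account": "contract:attacker_helper"},
    # Steps 2-3: ... and in the same transaction the helper upgrades two proxies.
    {"block": 200, "tx": "0xbbb", "origin": "eoa:deployer", "event": "Upgraded",
     "proxy": "proxy:vault_wWETH", "implementation": "contract:evil_impl"},
    {"block": 200, "tx": "0xbbb", "origin": "eoa:deployer", "event": "Upgraded",
     "proxy": "proxy:pool_long", "implementation": "contract:evil_impl"},
    # A planned upgrade much later from the multisig, with no admin grant nearby.
    {"block": 900, "tx": "0xccc", "origin": "eoa:team_multisig", "event": "Upgraded",
     "proxy": "proxy:vault_wWETH", "implementation": "contract:impl_v2"},
]


def detect(events, window=WINDOW_BLOCKS):
    """Return alerts for the grant-then-upgrade pattern.

    - every ADMIN_ROLE grant is reported (high): it is rare and must be reviewed;
    - an upgrade of a monitored proxy within `window` blocks of an ADMIN_ROLE grant
      is critical when it lands in the same transaction, high otherwise;
    - an upgrade from an origin outside TRUSTED_SIGNERS with no nearby grant is medium.
    """
    alerts = []
    admin_grants = []                      # recent ADMIN_ROLE grants, for correlation
    for ev in events:
        if ev["event"] == "RoleGranted" and ev["role"] == ADMIN_ROLE:
            admin_grants.append(ev)
            alerts.append({"severity": "high", "rule": "admin_role_granted",
                           "tx": ev["tx"], "account": ev["account"]})
        elif ev["event"] == "Upgraded" and ev["proxy"] in MONITORED_PROXIES:
            # Drop grants that have aged out of the correlation window.
            admin_grants = [g for g in admin_grants if ev["block"] - g["block"] <= window]
            if admin_grants:
                same_tx = any(g["tx"] == ev["tx"] for g in admin_grants)
                alerts.append({"severity": "critical" if same_tx else "high",
                               "rule": "upgrade_after_admin_grant",
                               "tx": ev["tx"], "proxy": ev["proxy"],
                               "granted_to": [g["account"] for g in admin_grants]})
            elif ev["origin"] not in TRUSTED_SIGNERS:
                alerts.append({"severity": "medium", "rule": "upgrade_from_untrusted_origin",
                               "tx": ev["tx"], "proxy": ev["proxy"]})
    return alerts


def severities(alerts):
    """Ordered list of severities, for a quick look or a test."""
    return [a["severity"] for a in alerts]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run against the constructed events, the rule raises nothing for the operator grant or the later multisig upgrade, one high alert for the ADMIN_ROLE grant, and two critical alerts for the upgrades that landed in the same transaction as that grant. The window exists because a patient attacker can split the grant and the upgrade across blocks; the same-transaction case is simply the most damning.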
The Core Technical Issue
Two compounding access-control failures:
Single-key admin authority: The most-privileged role in the entire protocol's permission system was held by one EOA with no multisig.
No timelock on grantRole or upgrades: Once the attacker held ADMIN_ROLE, the grant-upgrade-drain sequence executed atomically, with no on-chain delay during which the operation could have been cancelled or the role revoked. Note that using such a window would itself have required a second, uncompromised key (a guardian or multisig) able to cancel, since the only admin key was the one the attacker held.
This is a textbook "single-key + no-timelock + UUPS-upgradable" vulnerability — the same structural pattern that has produced the largest exploits of the year. Once the deployer key was lost (mechanism not disclosed: phishing, malware, or insider compromise are all plausible), the protocol had no defense.
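To make the two failures concrete, here is a small model of a role manager run under three configurations: no delay with a single key (the Wasabi setup as described above), a delay with no second key, and a delay plus an independent guardian. This is an added example, not Wasabi's PerpManager and not OpenZeppelin's AccessManager; it keeps only the schedule/execute/cancel idea, the account names are constructed, and the guardian is an assumed separate key that the compromised deployer did not control.

```python
"""Toy role manager: immediate vs. delayed admin actions, with a guardian key.

Added example; not Wasabi's PerpManager and not OpenZeppelin's AccessManager.
ADMIN_ROLE gates role grants and proxy upgrades. With delay == 0 both take
effect at once; otherwise they are queued, visible, and cancellable by a
separate guardian key until ready. All account names are constructed.
"""
from dataclasses import dataclass, field

ADMIN_ROLE = 0
DAY = 24 * 3600


class Denied(Exception):
    """A call that the permission state does not allow."""


@dataclass
class RoleManager:
    delay: int = 0          # seconds between request and effect
    guardian: str = ""      # the only key that may cancel a pending op ("" = none)
    now: int = 0            # simulated timestamp
    roles: dict = field(default_factory=dict)    # account -> set of role ids
    proxies: dict = field(default_factory=dict)  # proxy -> implementation
    pending: dict = field(default_factory=dict)  # op id -> (kind, args, ready_at)
    next_id: int = 1

    def _require_admin(self, caller):
        if ADMIN_ROLE not in self.roles.get(caller, set()):
            raise Denied(f"{caller} lacks ADMIN_ROLE")

    def _apply(self, kind, args):
        if kind == "grant":                      # args = (role, account)
            self.roles.setdefault(args[1], set()).add(args[0])
        else:                                    # args = (proxy, implementation)
            self.proxies[args[0]] = args[1]

    def _request(self, caller, kind, args):
        """Apply at once when delay is 0, else queue; returns the op id or None."""
        self._require_admin(caller)
        if self.delay == 0:
            self._apply(kind, args)
            return None
        op_id, self.next_id = self.next_id, self.next_id + 1
        self.pending[op_id] = (kind, args, self.now + self.delay)
        return op_id

    def grant_role(self, caller, role, account):
        return self._request(caller, "grant", (role, account))

    def upgrade(self, caller, proxy, new_impl):
        return self._request(caller, "upgrade", (proxy, new_impl))

    def execute(self, caller, op_id):
        if op_id not in self.pending:
            raise Denied(f"op {op_id} unknown or cancelled")
        kind, args, ready_at = self.pending[op_id]
        if self.now < ready_at:
            raise Denied(f"op {op_id} not ready until t={ready_at}")
        self._require_admin(caller)
        del self.pending[op_id]
        self._apply(kind, args)

    def cancel(self, caller, op_id):
        if not self.guardian or caller != self.guardian:
            raise Denied(f"{caller} is not the guardian")
        self.pending.pop(op_id, None)


def run_attack(delay, guardian=""):
    """Replay the stolen-key sequence; return the implementation the vault ends on."""
    m = RoleManager(delay=delay, guardian=guardian)
    m.roles["deployer_eoa"] = {ADMIN_ROLE}       # one key holds the only admin seat
    m.proxies["vault_wWETH"] = "impl_v1"

    # Step 1: the stolen key grants ADMIN_ROLE to an attacker-controlled contract.
    grant = m.grant_role("deployer_eoa", ADMIN_ROLE, "attacker_helper")
    if grant is None:
        # Steps 2-3: no delay, so the helper upgrades in the same transaction.
        m.upgrade("attacker_helper", "vault_wWETH", "impl_malicious")
        return m.proxies["vault_wWETH"]

    # Delayed: the helper has no role yet, and even the stolen admin key can only
    # queue the upgrade, so both requests sit on-chain for the whole delay.
    try:
        m.upgrade("attacker_helper", "vault_wWETH", "impl_malicious")
    except Denied:
        pass
    upgrade = m.upgrade("deployer_eoa", "vault_wWETH", "impl_malicious")

    m.now += 3600                       # responders notice inside the window ...
    if m.guardian:                      # ... but only an uncompromised key can act
        m.cancel(m.guardian, grant)
        m.cancel(m.guardian, upgrade)

    m.now += delay                      # attacker waits out the delay and retries
    for op in (grant, upgrade):
        try:
            m.execute("deployer_eoa", op)
        except Denied:
            pass
    return m.proxies["vault_wWETH"]


def compare():
    """Outcome of the same attack under the three configurations discussed."""
    return {"no_delay_single_key": run_attack(0),
            "delay_only": run_attack(DAY),
            "delay_plus_guardian": run_attack(DAY, "guardian_multisig")}
```

The delay-only run ends on the malicious implementation just as the no-delay run does; the delay only bought time. It is the combination of a delay and a second key that can cancel (or, equivalently, a multisig whose other signers can refuse and pause) that actually stops the sequence, which is the check to make when reviewing a protocol's admin configuration.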
Scope of Loss
Ethereum-side compromised vaults: wWETH, sUSDC, wBITCON, wPEPE, Long Pool.
Base-side compromised vaults: sUSDC, wWETH, sBTC, sVIRTUAL, sAERO, sBRETT.
The attacker consolidated stolen assets into ETH and distributed them across multiple addresses, with some transactions linked to Tornado Cash for laundering.
Response
• Wasabi paused affected pools after detection (post-drain).
• The team confirmed the exploit publicly via X and engaged with Blockaid and other security responders.
• No on-chain recovery had been achieved at time of reporting; investigation into the deployer-key compromise vector was ongoing.
Why This Matters
Wasabi adds to a list that now includes Kelp ($292M, 1-of-1 DVN), Radiant Capital (2024, $55M, multisig signer endpoint compromise), and dozens of smaller protocols, all sharing the same root structural pattern: upgrade authority concentrated in a small set of keys with no timelock, no multisig, or both. The mitigations are well known: a timelock (24 hours is a common choice) on admin role grants and upgrades, and a multisig of independently secured signers. They need to be combined rather than chosen between. Radiant shows that a multisig alone fails when its signers share a compromise vector, and a timelock alone only delays an attacker who holds the sole admin key unless some other party can cancel the queued operation, or pause and let users exit, during the window. Wasabi had neither.