Wasabi Protocol Exploit Results in Over $5 Million Loss

Severity: High (Score: 66.0)

Sources: Theblock.Co, Decrypt.Co, www.dlnews.com, Thedefiant

Summary

Wasabi Protocol, a DeFi derivatives platform, suffered an exploit resulting in over $5 million in losses. The attack was executed across multiple chains, including Ethereum, Base, Berachain, and Blast, with security firms confirming that a compromised admin key allowed the attacker to gain privileged access. The exploit involved the use of the UUPS upgradeability pattern, which enabled the attacker to drain funds from vaults without adequate safeguards like timelock or multisig protection. The stolen assets included WETH, PEPE, USDC, and others, which were subsequently consolidated and distributed across various addresses. Wasabi Protocol has advised users to refrain from interacting with its contracts while investigations are ongoing. This incident is part of a troubling trend in DeFi, with over 25 protocols hacked in April 2026 alone, totaling more than $600 million in losses. The exploit highlights operational design flaws rather than smart contract vulnerabilities, raising concerns about security practices in the DeFi space. Key Points: • Wasabi Protocol lost over $5 million due to a compromised admin key. • The exploit utilized the UUPS upgradeability pattern without adequate security measures. • This incident is part of a larger trend of DeFi exploits in April 2026, totaling over $600 million.

Key Entities

• Data Breach (attack_type)
• Drift Protocol (company)
• Indexed Finance (company)
• Kelp DAO (company)
• Wasabi (company)
• Wasabi Protocol (company)
• KyberSwap (platform)
• LayerZero (platform)
• Aave (platform)
• Blast (platform)
• LongPool (platform)
• Colombia (country)
• Netherlands (country)
• Philippines (country)
• Serbia (country)
• dlnews.com (domain)
• T1078 - Valid Accounts (mitre_attack)
• Tornado Cash (tool)