Wasabi Protocol's deployer EOA held the only ADMIN_ROLE for the entire permission system, and an attacker drained roughly $4.55 million from perp vaults across four chains. The vulnerability was governance, not code.
One Ethereum address called wasabideployer.eth held the only ADMIN_ROLE in Wasabi Protocol's permission system on Thursday morning. By the afternoon, an attacker held it instead — and roughly $4.55 million of users' deposits had been routed out of the protocol's perpetual vaults across four chains.
The Electric Capital-backed perpetuals platform confirmed the breach in a series of posts after security firm Blockaid first flagged a suspicious upgrade transaction in the early hours of April 30. The mechanics are almost embarrassingly clean. Whoever controls wasabideployer.eth could call grantRole on Wasabi's permission contract and hand themselves admin rights with no delay. From there, the attacker pushed a helper contract that upgraded Wasabi's perp vaults and Long Pool to malicious implementations and drained the balances. There was no oracle manipulation, no flash loan, no exotic cross-chain trick — just a single externally owned account with too much authority and no timelock standing between it and the money.
The damage is multi-chain. On Ethereum, the compromised contracts were Wasabi's wWETH, sUSDC, wBITCOIN, wPEPE and Long Pool vaults. On Base, the attacker hit the sUSDC, wWETH, sBTC, sVIRTUAL, sAERO and sBRETT vaults. Funds also moved across Berachain and Blast deployments. Wasabi told users to revoke approvals immediately, and within hours the attacker began consolidating the loot through standard laundering rails.
What makes this drain instructive — and depressing — is that nothing about it required a sophisticated adversary. Wasabi's contracts were not buggy. The math worked. The vulnerability was governance, not code: a single private key controlling a role that should never sit on a hot wallet. There was no multisig requiring multiple signers, no timelock forcing a delay between a malicious upgrade being queued and executed, no on-chain alarm to wake up the team before vaults flipped. Every one of those mitigations is a checklist item in any post-2022 DeFi security review. Wasabi shipped without them anyway, and roughly $4.55 million walked out the door before anyone noticed.
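As an added illustration (not Wasabi's code and not a reconstruction of the attacker's transactions), this is the kind of on-chain alarm the passage above says was missing: a monitor over decoded privilege-change events that flags an admin-role grant to an unknown account, an upgrade to an unapproved implementation, and an upgrade executed by a freshly granted admin sooner than a timelock would permit. It assumes the OpenZeppelin AccessControl `RoleGranted` and ERC-1967 `Upgraded` event shapes; the addresses, block numbers and 14400-block delay are constructed placeholders.

```python
from dataclasses import dataclass

# OpenZeppelin AccessControl's DEFAULT_ADMIN_ROLE is bytes32(0) (assumed role layout).
DEFAULT_ADMIN_ROLE = "0x" + "00" * 32

@dataclass
class Event:
    block: int
    contract: str   # emitting contract
    name: str       # "RoleGranted" (AccessControl) or "Upgraded" (ERC-1967 proxy)
    tx_from: str    # EOA that sent the transaction
    args: dict

def scan(events, known_admins, approved_impls, min_delay_blocks):
    """Flag admin grants to unknown accounts, upgrades to unapproved code, and
    upgrades executed by a freshly granted admin sooner than a timelock would allow."""
    alerts, grants = [], {}  # grants: account -> block of its admin-role grant
    for ev in sorted(events, key=lambda e: e.block):
        if ev.name == "RoleGranted" and ev.args["role"] == DEFAULT_ADMIN_ROLE:
            acct = ev.args["account"]
            grants[acct] = ev.block
            if acct not in known_admins:
                alerts.append(("NEW_ADMIN", ev.block, ev.contract, acct))
        elif ev.name == "Upgraded":
            impl = ev.args["implementation"]
            if impl not in approved_impls:
                alerts.append(("UNAPPROVED_IMPL", ev.block, ev.contract, impl))
            granted_at = grants.get(ev.tx_from)
            # Upgrade right after a fresh grant: exactly what a timelock would have blocked.
            if ev.tx_from not in known_admins and granted_at is not None \
                    and ev.block - granted_at < min_delay_blocks:
                alerts.append(("NO_DELAY", ev.block, ev.contract, ev.tx_from))
    return alerts

# Constructed sample events with placeholder addresses, not real on-chain data.
DEPLOYER, ATTACKER = "0xdeployer", "0xattacker"
PERMS, VAULT_A, VAULT_B = "0xperms", "0xvaultA", "0xvaultB"
GOOD_IMPL, BAD_IMPL = "0ximpl_v2", "0ximpl_evil"
SAMPLE = [
    Event(100, PERMS, "RoleGranted", DEPLOYER, {"role": DEFAULT_ADMIN_ROLE, "account": DEPLOYER}),
    Event(200, VAULT_A, "Upgraded", DEPLOYER, {"implementation": GOOD_IMPL}),   # benign release
    Event(500, PERMS, "RoleGranted", DEPLOYER, {"role": DEFAULT_ADMIN_ROLE, "account": ATTACKER}),
    Event(502, VAULT_A, "Upgraded", ATTACKER, {"implementation": BAD_IMPL}),
    Event(503, VAULT_B, "Upgraded", ATTACKER, {"implementation": BAD_IMPL}),
]

def demo():
    # A 48-hour timelock at ~12 s blocks is roughly 14400 blocks; use that as the floor.
    return scan(SAMPLE, known_admins={DEPLOYER}, approved_impls={GOOD_IMPL}, min_delay_blocks=14400)

if __name__ == "__main__":
    for alert in demo():
        print(*alert)
```

The first alert fires at the grant itself, before any vault is touched, which is the window a team needs to pause or rotate the admin.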
The protocol raised a $3 million seed round in 2024 led by Electric Capital, with backers including Alliance, Memeland, and Pudgy Penguins CEO Luca Netz. Token incentives and venture money have flowed liberally into perpetuals trading on the assumption that the next Hyperliquid is hiding somewhere in the long tail. Audits and operational discipline have not flowed at quite the same rate. The Wasabi compromise will not be the last reminder that perp DEXs sit on top of the same custody model as a centralised exchange — they pool user collateral into vaults, and whoever can authorise contract upgrades can authorise the vault to be emptied.
DeFi protocols have lost more than $770 million to exploits in 2026, and that figure was already swollen before Wasabi added itself to the ledger. Most of the headline damage has come from infrastructure attacks — compromised RPC nodes, social engineering of validator sets, single-point-of-failure bridges. The basic admin-key compromise has never gone away. It killed Multichain in 2023; it nearly killed several smaller protocols last year; it just took a chunk out of Wasabi.
There are two questions a serious risk team will ask about Wasabi this week. The first is whether the team can claw back any of the funds — possible if exchanges co-operate quickly, unlikely if the attacker has any patience. The second, harder question is why a protocol with venture backing and a multi-chain footprint was running production governance off a deployer EOA in 2026 at all. The answer, almost always, is that someone built the contracts in a hurry, never planned for the protocol to grow this large, and never went back to harden the privilege model once the deposits started flowing in. By the time the post-mortem gets written, the money is already laundered.
Wasabi has said it will compensate affected users, though it has not yet specified how or to what extent. The team has paused trading and revoked the compromised contracts. None of that addresses the underlying lesson, which is the same lesson the Aave-led $303 million DeFi United coalition is currently trying to extract from Kelp DAO and that Tropykus drew last week from its own audit: the security model of a DeFi protocol is whatever its weakest privilege check happens to be, and a single signer with full upgrade authority is barely a privilege check at all.
The attacker's wallet is now visible on every blockchain analytics dashboard tracking the heist. Investors in Wasabi's vaults are not, because their balances no longer exist on chain.