Wasabi Protocol hacked for over $5 million
The attacker gained administrative access and altered contracts to drain user funds
30.04.2026 - 11:30
Key points:
- Wasabi Protocol lost over $5 million.
- The attack was enabled by compromise of the admin key.
- The protocol lacked basic access control protections.
The DeFi protocol Wasabi Protocol was exploited, with more than $5 million drained across multiple networks, including Ethereum, Base, Berachain, and Blast.
The attack became possible after the compromise of the protocol’s administrative key. Once the attacker gained admin rights, they were able to modify core contracts and drain assets from the pools.
How the attack was executed
The root cause was a weak governance model. The protocol relied on a single external wallet with full admin privileges and no additional security measures. After gaining access, the attacker granted themselves admin rights and immediately replaced the contracts.
The exploit leveraged the UUPS (Universal Upgradeable Proxy Standard) mechanism, which allows changing contract logic without altering the contract address. This enabled the attacker to swap out the live contracts with malicious versions and withdraw funds.
The attacker targeted multiple components of the protocol, including LongPool, ShortPool, and Vault. They drained various assets such as WETH, USDC, cbBTC, and several lower-liquidity tokens. A portion of the funds was converted to ETH and distributed across multiple addresses.
In response, some projects began restricting interactions with Wasabi. Virtuals Protocol, for example, paused margin deposits that relied on Wasabi’s infrastructure.
The Wasabi team has acknowledged the incident and urged users to avoid interacting with the contracts until the investigation is complete.
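The sequence described above (a fresh admin grant followed at once by contract replacement across LongPool, ShortPool, and Vault) is something a monitoring job can flag. The following is an added example, not code from Wasabi or from the original article. It assumes role changes surface as OpenZeppelin-style RoleGranted events and upgrades as ERC-1967 Upgraded events; the RoleManager label, all addresses, the approved-implementation list, and the 50-block window are constructed for illustration.

```python
from dataclasses import dataclass

WINDOW = 50  # blocks; assumed threshold for "granted, then immediately upgraded"

@dataclass(frozen=True)
class Event:
    block: int
    contract: str  # label of the contract that emitted the event
    name: str      # "RoleGranted" (OpenZeppelin AccessControl) or "Upgraded" (ERC-1967)
    subject: str   # account that received the role, or the new implementation
    sender: str    # transaction sender, joined in from the transaction itself

def find_suspicious_upgrades(events, approved_impls, window=WINDOW):
    """Return (block, contract, reasons) for every upgrade that needs review."""
    last_grant = {}  # account -> block of its most recent role grant
    alerts = []
    for ev in sorted(events, key=lambda e: e.block):
        if ev.name == "RoleGranted":
            last_grant[ev.subject] = ev.block
        elif ev.name == "Upgraded":
            reasons = []
            if ev.subject not in approved_impls:
                reasons.append("implementation not on the approved list")
            granted = last_grant.get(ev.sender)
            if granted is not None and ev.block - granted <= window:
                reasons.append(f"sender received a role {ev.block - granted} block(s) earlier")
            if reasons:
                alerts.append((ev.block, ev.contract, reasons))
    return alerts

# Constructed sample log; every address and the RoleManager label are placeholders.
APPROVED = {"0ximpl-v2"}
EVENTS = [
    Event(10, "RoleManager", "RoleGranted", "0xops", "0xadmin"),
    Event(100, "LongPool", "Upgraded", "0ximpl-v2", "0xops"),   # routine release
    Event(500, "RoleManager", "RoleGranted", "0xnew", "0xadmin"),
    Event(501, "LongPool", "Upgraded", "0ximpl-x1", "0xnew"),
    Event(501, "ShortPool", "Upgraded", "0ximpl-x2", "0xnew"),
    Event(502, "Vault", "Upgraded", "0ximpl-x3", "0xnew"),
]

if __name__ == "__main__":
    for block, contract, reasons in find_suspicious_upgrades(EVENTS, APPROVED):
        print(f"block {block} {contract}: " + "; ".join(reasons))
```

Detection of this kind only shortens response time; with a single key holding full upgrade rights, the upgrade has already executed by the time the alert fires.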