
Crypto hacks continue as Wasabi Protocol drained of $4.5 million in admin key compromise

DeFi can’t stop the bleeding, and Wasabi Protocol is the latest to discover why.

Security firm Blockaid said in an

This is the latest in a month of hacking incidents, with at least 12 incidents causing DeFi losses of more than $605 million. The attack closely resembles the April 1 Drift Protocol breach, in which North Korea-linked attackers stole $285 million from a Solana-based perpetual exchange using compromised administrative keys.

These controls run through an externally owned account (EOA) named wasabideployer.eth, which holds a unique ADMIN_ROLE within Wasabi’s permissions system.

An EOA is a wallet controlled by a private key rather than by smart-contract code; whoever holds the key controls the wallet. Once the attacker had the deployer key, they granted themselves administrator privileges with zero delay by calling grantRole on the permissions contract.

Blockaid said the attacker’s helper contract then upgraded Wasabi’s Perp Vault and Long Pool to malicious implementations and drained their balances.

The attack relied on the Universal Upgradeable Proxy Standard (UUPS), which allows a smart contract to change its underlying code while keeping the same address.

UUPS is widely used because it lets developers fix bugs without migrating users. The downside is that an attacker who gains the admin rights can replace the contract’s logic with anything they want, including code designed to steal funds.

Blockaid says Wasabi had neither timelocks nor multi-signature protection on its administrator roles. A timelock enforces a delay between announcing an administrative action and executing it, giving users time to react. A multi-signature setup requires multiple signers to approve changes. Wasabi did neither, leaving a single key with full control of the protocol.
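The pattern described above, a fresh ADMIN_ROLE grant followed within seconds by a UUPS upgrade of a vault, is exactly what a timelock would make impossible, so it is also a useful monitoring signal. The following is an added example, not code from Blockaid or the Wasabi project: it scans constructed transaction records (addresses, role label and timestamps are all made up) for upgrades whose sender received ADMIN_ROLE less than an assumed 48-hour governance delay earlier.

```python
from dataclasses import dataclass, field

# Constructed, simplified records of the two on-chain events that matter here:
# AccessControl's RoleGranted and the UUPS proxy's Upgraded. The tx sender is
# taken from the transaction, since the Upgraded event itself does not carry it.
@dataclass
class Record:
    ts: int           # block timestamp, unix seconds
    name: str         # "RoleGranted" or "Upgraded"
    contract: str     # emitting contract (permissions contract or proxy)
    sender: str       # transaction sender
    args: dict = field(default_factory=dict)

ADMIN_ROLE = "ADMIN_ROLE"          # stand-in label for the role's keccak hash
TIMELOCK_MIN_DELAY = 48 * 3600     # assumed delay a governance timelock would enforce

def zero_delay_upgrades(records, monitored_proxies, min_delay=TIMELOCK_MIN_DELAY):
    """Return (proxy, sender, seconds) for every Upgraded on a monitored proxy
    whose sender was granted ADMIN_ROLE less than min_delay seconds earlier.
    Under timelocked governance the grant and the upgrade cannot be this close."""
    granted_at = {}   # account -> timestamp of its most recent ADMIN_ROLE grant
    alerts = []
    for r in sorted(records, key=lambda x: x.ts):
        if r.name == "RoleGranted" and r.args.get("role") == ADMIN_ROLE:
            granted_at[r.args["account"]] = r.ts
        elif r.name == "Upgraded" and r.contract in monitored_proxies:
            t0 = granted_at.get(r.sender)
            if t0 is not None and r.ts - t0 < min_delay:
                alerts.append((r.contract, r.sender, r.ts - t0))
    return alerts

# Constructed sample: a routine grant and upgrade months apart, then a grant
# from the deployer key followed within seconds by upgrades of two vaults.
SAMPLE = [
    Record(1_000, "RoleGranted", "0xPERMS", "0xDEPLOYER", {"role": ADMIN_ROLE, "account": "0xOPS"}),
    Record(20_000_000, "Upgraded", "0xPERP_VAULT", "0xOPS", {"implementation": "0xIMPL_V2"}),
    Record(30_000_000, "RoleGranted", "0xPERMS", "0xDEPLOYER", {"role": ADMIN_ROLE, "account": "0xNEW"}),
    Record(30_000_012, "Upgraded", "0xPERP_VAULT", "0xNEW", {"implementation": "0xIMPL_X"}),
    Record(30_000_015, "Upgraded", "0xLONG_POOL", "0xNEW", {"implementation": "0xIMPL_X"}),
]
MONITORED = {"0xPERP_VAULT", "0xLONG_POOL"}

if __name__ == "__main__":
    for proxy, who, secs in zero_delay_upgrades(SAMPLE, MONITORED):
        print(f"ALERT: {proxy} upgraded by {who} only {secs}s after ADMIN_ROLE grant")
```

The legitimate 0xOPS upgrade is not flagged because its grant is far older than the assumed delay; only the two near-instant upgrades by the newly granted account trigger alerts.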

According to Blockaid, affected contracts include Wasabi’s wWETH, sUSDC, wBITCOIN, wPEPE, and Long Pool vaults on Ethereum, and Base’s sUSDC, wWETH, sBTC, sVIRTUAL, sAERO, and sBRETT vaults.

Users holding Wasabi LP tokens are urged to withdraw any active approval of the vault contracts as the underlying assets backing these tokens have either been depleted or remain at risk.

One month’s tally

In the case of Drift, the attacker also took advantage of a single-key management setup without governance timelocks, listed fake tokens as collateral, and increased withdrawal limits, depleting real assets in approximately 12 minutes.

Three weeks later, on April 19, Kelp DAO lost $292 million after attackers exploited a single-validator configuration in the protocol’s LayerZero bridge and released 116,500 unbacked rsETH, which was then used as collateral to borrow real ether (ETH) from Aave.

Total cumulative losses in DeFi in 2026 have now exceeded $770 million, involving more than 30 reported incidents. April alone accounts for the majority of this number.

Smaller breaches this month involved CoW Swap ($1.2 million), Grinex ($13.74 million), Resolv Labs ($23 million), Volo Protocol ($3.5 million), and more.

What ties them together isn’t a new vulnerability. Each incident produces the same postmortem language about lessons learned, but the next breach often arrives before those lessons are implemented.

Wasabi has yet to make a public statement regarding the incident.

Update (April 30, 11:34 UTC): General editing of the full text. Moved the Drift Protocol vulnerability to the third paragraph.
