Wasabi Protocol — a perpetuals trading platform running on Ethereum and Base — was drained of roughly $4.55 million after attackers compromised its deployer (admin) key, security firm Blockaid said in an X post. The exploit is the latest in a bruising month for DeFi and underscores a recurring failure mode: single-key admin control.

What happened

- Blockaid's monitoring flagged an on-chain admin-key compromise tied to the wallet wasabideployer.eth. That externally owned account (EOA) held the protocol's sole ADMIN_ROLE in Wasabi's permission system. Because an EOA is controlled directly by a private key, whoever possessed that key effectively controlled the protocol.
- The attacker used the deployer key to call grantRole on the permission contract, giving an attacker-controlled helper contract ADMIN_ROLE with no delay. The helper contract then performed UUPS upgrades on Wasabi's perp vaults and Long Pool, replacing their logic with malicious implementations that drained funds.
- UUPS (Universal Upgradeable Proxy Standard) lets contracts update their implementation while keeping the same address — useful for fixes and upgrades, but dangerous if an attacker gains admin permissions and swaps in theft code.

Assets and scope

Blockaid identified compromised vaults on both chains. On Ethereum: wWETH, sUSDC, wBITCOIN, wPEPE and the Long Pool. On Base: sUSDC, wWETH, sBTC, sVIRTUAL, sAERO and sBRETT. In short, the underlying assets backing Wasabi LP tokens were either drained or remained at risk.

Immediate advice

Blockaid urged anyone holding Wasabi LP tokens to revoke active approvals to the affected vault contracts to reduce exposure.

Why this echoes other recent hacks

- The mechanics mirror the April 1 Drift Protocol exploit, where attackers used a compromised admin key to drain $285 million from the Solana perpetuals exchange. Like Wasabi, Drift lacked a governance timelock and relied on single-key admin control.
- On April 19, Kelp DAO lost $292 million after a single-verifier configuration in its LayerZero bridge allowed the creation of unbacked rsETH, which was used as collateral to borrow real ETH.
- Smaller incidents this month include losses at CoW Swap ($1.2M), Grinex ($13.74M), Resolv Labs ($23M), and Volo Protocol ($3.5M), among others.

Scope of the crisis

Blockaid noted the Wasabi loss comes amid a month that has seen over $605 million in DeFi losses across at least a dozen incidents. Year-to-date DeFi losses for 2026 have now surpassed roughly $770 million across more than 30 reported incidents, with April driving much of the damage.

Core weakness

Many of these breaches aren't due to exotic bugs but to governance and operational design: single-signature admin keys, no multisigs, and no timelocks. Timelocks create a pause between an administrative action and its execution, giving users and auditors time to react; multisigs require multiple approvals for critical changes. Wasabi reportedly had neither.

Status and update

Wasabi has not yet issued a public statement. Blockaid's post and follow-up updates remained the primary source of on-chain forensic detail.

Takeaway

This incident reinforces a familiar lesson for Ethereum ecosystems: upgradeable contracts and powerful admin keys must be protected by multi-signer governance and time-delayed controls. Until those controls are standard practice, DeFi will likely keep paying the price.
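As an added example (not Blockaid's tooling or Wasabi's code), the following Python sketches the kind of monitor that would catch the sequence described under "What happened": an ADMIN_ROLE grant on the permission contract with no preceding timelock step, followed by UUPS upgrades sent from the freshly granted account. Contract labels, addresses and block numbers are constructed placeholders; a real monitor would decode the RoleGranted, Upgraded and CallScheduled logs from a node and take the sender from each transaction receipt.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    """One decoded log plus the transaction sender from the receipt. Names follow
    OpenZeppelin AccessControl (RoleGranted), ERC-1967 proxies (Upgraded) and
    TimelockController (CallScheduled)."""
    block: int
    contract: str    # emitting contract (label placeholder, not a real address)
    name: str
    sender: str      # account that sent the transaction emitting this log
    args: dict = field(default_factory=dict)

ADMIN_ROLE = "ADMIN_ROLE"

def detect_admin_key_upgrade(events, vaults, grace_blocks=7200):
    """Flag (1) an ADMIN_ROLE grant on a contract with no pending timelocked
    operation for it, and (2) an Upgraded event on a monitored vault proxy sent
    by an account that gained ADMIN_ROLE within `grace_blocks` (~1 day on L1)."""
    alerts = []
    scheduled = set()    # contracts with a pending CallScheduled from the timelock
    fresh_admins = {}    # account -> block at which it received ADMIN_ROLE
    for ev in sorted(events, key=lambda e: e.block):
        if ev.name == "CallScheduled":
            scheduled.add(ev.args["target"])
        elif ev.name == "RoleGranted" and ev.args["role"] == ADMIN_ROLE:
            fresh_admins[ev.args["account"]] = ev.block
            if ev.contract in scheduled:
                scheduled.discard(ev.contract)   # grant consumed a scheduled op
            else:
                alerts.append((ev.block, "instant-admin-grant", ev.args["account"]))
        elif ev.name == "Upgraded" and ev.contract in vaults:
            granted = fresh_admins.get(ev.sender)
            if granted is not None and ev.block - granted <= grace_blocks:
                alerts.append((ev.block, "upgrade-by-fresh-admin", ev.contract))
    return alerts

# Constructed sample: one timelocked, legitimate grant, then the attack sequence.
SAMPLE_EVENTS = [
    Event(50, "Timelock", "CallScheduled", "0xMULTISIG", {"target": "PermissionManager"}),
    Event(60, "PermissionManager", "RoleGranted", "0xTIMELOCK", {"role": ADMIN_ROLE, "account": "0xOPS"}),
    Event(100, "PermissionManager", "RoleGranted", "0xDEPLOYER_EOA", {"role": ADMIN_ROLE, "account": "0xHELPER"}),
    Event(101, "wWETH-vault", "Upgraded", "0xHELPER", {"implementation": "0xMALICIOUS_IMPL"}),
    Event(102, "LongPool", "Upgraded", "0xHELPER", {"implementation": "0xMALICIOUS_IMPL"}),
]
VAULTS = {"wWETH-vault", "LongPool"}

def sample_alerts():
    return detect_admin_key_upgrade(SAMPLE_EVENTS, VAULTS)

if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

The legitimate grant at block 60 produces no alert because a timelocked operation targeting the permission contract preceded it; the instant grant and the two upgrades from the new admin do.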

