Wasabi Protocol Hack: Over $5 M Lost to Admin Key Breach

Wasabi Protocol lost $5.5M after an admin key was compromised. Here’s how one wallet drained millions across four chains in minutes.

Wasabi Protocol suffered a major security breach on April 30, 2025. 

An attacker compromised a privileged deployer wallet, draining over $5.5 million across four blockchain networks. The affected chains included Ethereum, Base, Berachain, and Blast. 

Security firms Blockaid, CertiK, and PeckShield all flagged the incident within hours. Wasabi confirmed the issue by 10:30 a.m. UTC, urging users to stop interacting with its contracts immediately.

Read also: 

How the Wasabi Protocol Admin Key Exploit Unfolded

The attack did not involve a smart contract bug. Instead, the attacker gained control of wasabideployer.eth, Wasabi’s sole admin key holder.

According to Blockaid, the deployer wallet granted ADMIN_ROLE to a malicious helper contract. That contract then upgraded multiple perpetual futures vaults and a LongPool, pulling funds directly from them. 

Blockaid reported that around $2.2 million left Ethereum, including 841 wrapped ETH, USDC, and several memecoins. Another $2.4 million moved from Base.

PeckShield put the total losses above $5 million across all chains. Security researcher Jeremy also noted $5.5 million stolen, citing WETH, PEPE, Mog, and USDC vaults as targets. The funds landed across multiple attacker-controlled addresses.

Compromised LP Tokens and Vault Contracts Across Chains

Blockaid warned that all Wasabi and Spicy LP-share tokens tied to the breached vaults should be treated as compromised. The underlying assets backing those tokens had been drained or were at risk. 

Blockaid advised platforms to flag these tokens in their interfaces and prompt users with active approvals to revoke access immediately.

Nine vault contracts on Ethereum were listed as compromised. These included the wWETH, sUSDC, sREKT, wPEPE, wMog, wBITCOIN, sZYN vaults, and the LongPool. 

Eight contracts on Base were also affected, covering sUSDC, wWETH, sBTC/cbBTC, sVIRTUAL, sAERO, sBRETT, sWELL, and sSKI vaults.

Berachain’s foundation confirmed awareness of the breach. It paused and blacklisted affected Wasabi reward vaults on its network and stopped further BGT emissions to the compromised contracts. 

Berachain advised users who interacted with Wasabi on its chain to revoke token approvals through revoke.cash.

Single EOA, No Multisig: Security Experts Raise Concerns

The root cause, as Blockaid identified it, was a single externally owned account holding full ADMIN_ROLE in Wasabi’s PerpManager. 

There was no multisig, no timelock, and no DAO governance protecting that access. SlowMist founder Cos pointed out that once that private key leaked, nothing stood between the attacker and the vaults.

On-chain investigator ZachXBT raised questions about why one wallet carried so much control without basic safeguards in place. Besides, analyst Ted Pillows noted that the incident highlighted the dangers of privileged access paired with upgradeable contracts.

Berachain confirmed it was working with Blockaid and ZeroShadow on the ongoing investigation. This story is still developing, and further details are expected as the investigation continues.

The post Wasabi Protocol Hack: Over $5 M Lost to Admin Key Breach appeared first on Live Bitcoin News.