Verify a decision

{"actor":"system:backfill","investigation_id":"994d3e0f-b60a-4242-965c-5a18d3a83a5d","kind":"publish","page_slug":"wasabi-protocol","published_at":"2026-05-28T03:33:23.239Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Wasabi Protocol","sections":[{"content":"On April 30, 2026, Wasabi Protocol was exploited for approximately $5.9 million following the compromise of its deployer wallet, wasabideployer.eth (0x5c629f8c0b5368f523c85bfe79d2a8efb64fb0c8). The deployer EOA held the sole ADMIN_ROLE across every upgradeable vault in the PerpManager framework, with no multisignature requirement and a timelock delay set to zero. The attacker first received 0.188 ETH from a Tornado Cash-linked address at approximately 01:12 UTC. Between 07:07 and 07:36 UTC, additional funding transactions were executed. At 07:46 UTC, malicious contracts were deployed across the affected chains. The attacker, controlling an EOA at 0x02228b0afcdbEdf8180D96Fc181Da3AF5DD1d1ab, used an orchestrator contract at 0x878E94142409DAFCC5CC83D5cD2e9DA2Bf0BF3bF to call grantRole on the protocol's permission contract, instantly activating ADMIN_ROLE for the malicious helper. The orchestrator then executed UUPS proxy upgrades on Wasabi's PerpManager vault contracts and LongPool, replacing legitimate contract logic with malicious implementations at the same addresses. A fake strategy contract was deployed to bypass validation checks, and strategyDeposit() was called to route all vault assets to a drain function. At 07:49:47 UTC, eight Ethereum vaults were drained simultaneously, followed by Base at 07:52:37 UTC, and the Ethereum LongPool at 07:59:35 UTC. By 08:01:11 UTC, 500 ETH had been distributed to a secondary wallet. Chains confirmed affected include Ethereum (approximately $2 million, including 840.9 WETH), Base (approximately $2.5 million), Berachain, and Blast, with losses on the latter two still being reconciled at the time of initial reporting. Assets drained included WETH, USDC, PEPE, REKT, MOG, and several other tokens. Security firms Blockaid, CertiK, PeckShield, Hypernative, and QuillAudits independently detected and analyzed the attack in near real-time.","heading":"April 2026 Admin Key Compromise and Multi-Chain Exploit","severity":"critical","sources":[{"credibility":1,"name":"Wasabi Protocol hit by more than $5 million exploit across multiple chains, security firms say","type":"news_article","url":"https://www.theblock.co/post/399558/wasabi-protocol-hit-by-more-than-5-million-exploit-across-multiple-chains-security-firms-say"},{"credibility":1,"name":"Crypto hacks continue as Wasabi Protocol drained of $4.5 million in admin key compromise","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/30/wasabi-protocol-drained-for-usd4-5-million-in-apparent-admin-key-compromise"},{"credibility":2,"name":"Wasabi Protocol - Rekt News technical breakdown","type":"research","url":"https://rekt.news/wasabi-protocol-rekt"},{"credibility":2,"name":"Explained: The Wasabi Protocol Hack (April 2026) - Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-wasabi-protocol-hack-april-2026"},{"credibility":2,"name":"Wasabi Protocol exploit tied to admin key breach, $5M+ drained across chains - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/wasabi-protocol-exploit-tied-to-admin-key-breach-5m-drained-across-chains/"}]},{"content":"Following the drain, stolen assets were converted to ETH and distributed across five attacker wallets, with a total of approximately $5.9 million tracked by QuillAudits. All five wallets were loaded within a two-hour window prior to the attack. Wallet 1 (0x6244117E1B30101F2De25442211F6A92833Cf906) held approximately 528 ETH and exited through Tornado Cash on May 3, 2026. Wallet 2 (0xb8Bb8aDDd6b283be57b4635Bf913B34824ca70dB) held approximately 300 ETH and exited through Tornado Cash on May 1, 2026. Wallet 3 (0x1A5B4A0bd3f572328AC7a8d7a3A96955F7ed2d95) held approximately 500 ETH and exited through Tornado Cash on May 2, 2026. Wallet 4 held approximately 500 ETH and exited through Tornado Cash on May 4, 2026. Wallet 5 held approximately 737.36 ETH and was still holding as of May 4, 2026. The attacker's funding chain traces back to Tornado Cash-linked addresses beginning approximately six hours before the drain. The use of Tornado Cash for both pre-funding and post-exploit laundering is consistent with obfuscation tradecraft observed in prior state-sponsored DeFi exploits, though no attribution to a specific threat actor has been publicly confirmed.","heading":"On-Chain Fund Flow and Tornado Cash Laundering","severity":"critical","sources":[{"credibility":2,"name":"Wasabi Protocol - Rekt News on-chain analysis","type":"on_chain","url":"https://rekt.news/wasabi-protocol-rekt"},{"credibility":2,"name":"Wasabi Protocol hit by multi-chain attack after admin key compromise - Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/wasabi-protocol-attack-loss/"},{"credibility":2,"name":"Wasabi Protocol Exploited for Over $5M After Admin Key Compromise - MEXC News","type":"news_article","url":"https://www.mexc.com/en-NG/news/1064855"}]},{"content":"Security analysts identified three compounding structural deficiencies that enabled the exploit. First, the protocol's ADMIN_ROLE was held exclusively by a single externally owned account (EOA), wasabideployer.eth, rather than a multisignature wallet requiring multiple approvers. Second, although the protocol's access control framework supported a configurable timelock delay between role grant and activation, this delay was set to zero, meaning ADMIN_ROLE privileges activated instantly upon the grantRole call. Third, the UUPS (Universal Upgradeable Proxy Standard) upgrade mechanism allowed a sole authorized admin to replace the logic of any vault contract with no additional checks or governance oversight. The protocol held audits from Zellic and Sherlock prior to the exploit. These audits examined code-level logic, but as noted by multiple post-mortem analyses, smart contract audits do not typically evaluate private key management practices or operational security posture. No code-level bug was present; the vulnerability was entirely a function of centralized administrative architecture operating without safeguards.","heading":"Smart Contract Architecture Vulnerabilities","severity":"critical","sources":[{"credibility":2,"name":"Explained: The Wasabi Protocol Hack (April 2026) - Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-wasabi-protocol-hack-april-2026"},{"credibility":3,"name":"Anatomy of a Preventable Drain - Medium analysis","type":"research","url":"https://favoriteblockchain.medium.com/anatomy-of-a-preventable-drain-what-the-wasabi-protocol-exploit-teaches-defi-about-admin-key-096abef96408"},{"credibility":2,"name":"Decentralized Perpetual Futures Platform Wasabi Protocol Loses Millions In Deployer Key Compromise - Crowdfund Insider","type":"news_article","url":"https://www.crowdfundinsider.com/2026/05/276724-decentralized-perpetual-futures-platform-wasabi-protocol-loses-millions-in-deployer-key-compromise/"}]},{"content":"Wasabi Protocol issued an initial statement on X at approximately 10:00 UTC on April 30, 2026, acknowledging the issue and advising users not to interact with Wasabi contracts. A second statement at approximately 13:00 UTC confirmed engagement with security response teams including SEAL 911 and Blockaid, noted that Solana deployments were unaffected, and stated that law enforcement including the FBI had been contacted. A first substantive update on May 1, 2026 confirmed the breach was contained. As of publication, the team had not announced a final user compensation plan or confirmed any fund recovery. Bitget News reported that Wasabi Protocol explicitly stated no final compensation plan had been determined. The total value of user funds affected, details of ongoing law enforcement cooperation, and any further post-mortem have not been publicly disclosed.","heading":"Protocol Response and Recovery Status","severity":"high","sources":[{"credibility":2,"name":"Wasabi Protocol Says No Final Compensation Plan in Security Response - Bitget News","type":"news_article","url":"https://www.bitget.com/news/detail/12560605404710"},{"credibility":1,"name":"Wasabi Protocol hit by more than $5 million exploit across multiple chains, security firms say","type":"news_article","url":"https://www.theblock.co/post/399558/wasabi-protocol-hit-by-more-than-5-million-exploit-across-multiple-chains-security-firms-say"},{"credibility":2,"name":"Wasabi Protocol Exploit: Admin Key Attack Drains Funds on Ethereum and Base - BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/04/30/blockaid-flags-live-admin-key-exploit-hitting-wasabi-protocol-on-ethereum-and-base/"}]},{"content":"Wasabi Protocol was founded in 2022 by co-founders Eren Derman and Kemal Hasan Atay and is headquartered in New York, NY. The protocol offers three core products: Wasabi Perps (on-chain perpetual futures), Wasabi Options, and Liquidity Aggregation, with a focus on enabling leveraged trading of long-tail assets including memecoins and NFTs. Leverage ranges from 2-3x on lower-liquidity assets to up to 10x on major assets such as ETH. The protocol was deployed on Ethereum, Blast, Base, Berachain, and Solana. In June 2024, Wasabi raised a $3 million seed round led by Electric Capital, with participation from Alliance, Luca Netz, Santiago Santos, Zagabond, and DCF God, among others. Prior to the April 2026 exploit, DeFiLlama tracked cumulative DEX volume for the protocol at approximately $277.93 million. Post-exploit TVL as tracked by DeFiLlama showed approximately $1.27 million remaining across chains, with the Solana deployment ($411,013) unaffected.","heading":"Protocol Background and Funding","severity":"low","sources":[{"credibility":1,"name":"Memecoin leverage trading protocol Wasabi raises $3 million led by Electric Capital - The Block","type":"news_article","url":"https://www.theblock.co/post/300465/memecoin-leverage-trading-protocol-wasabi-funding"},{"credibility":2,"name":"Wasabi Protocol TVL and volume - DeFiLlama","type":"on_chain","url":"https://defillama.com/protocol/wasabi"},{"credibility":2,"name":"Wasabi Protocol profile - Messari","type":"research","url":"https://messari.io/project/wasabi-protocol/profile"}]},{"content":"The Wasabi Protocol exploit occurred within a concentrated period of admin key compromise incidents targeting DeFi perpetuals platforms. DeFiLlama recorded approximately 30 separate DeFi incidents in April 2026, with total losses exceeding $625 million. The Wasabi attack shares structural similarities with the alleged Drift Protocol exploit on April 1, 2026, in which attackers reportedly used a compromised admin key to drain $285 million from the Solana-based perpetuals exchange, an incident attributed by some analysts to North Korea-linked threat actors. KelpDAO was also cited as a preceding incident in the same month. The pattern of pre-funding attacker wallets via Tornado Cash prior to draining protocol funds, then exiting proceeds through Tornado Cash, is consistent across multiple 2026 incidents. The Yahoo Finance coverage noted that the clustering of exploits accelerated an emerging theory regarding AI-assisted threat actors targeting DeFi governance architecture, though no attribution has been verified.","heading":"Broader DeFi Context: Admin Key Exploits in April 2026","severity":"medium","sources":[{"credibility":2,"name":"Wasabi Protocol $5 Million Exploit Accelerates AI-Driven DeFi Hacker Theory - Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/wasabi-protocol-5-million-exploit-112509659.html"},{"credibility":2,"name":"Wasabi Loses $5M+ in Latest DeFi Exploit - The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/wasabi-protocol-hack"},{"credibility":2,"name":"Wasabi Protocol loses over $5 million in multi-chain exploit - Crypto.news","type":"news_article","url":"https://crypto.news/wasabi-protocol-loses-over-5-million-in-multi-chain-exploit/"}]}],"sources_used":[{"credibility":1,"name":"Wasabi Protocol hit by more than $5 million exploit across multiple chains, security firms say","type":"news_article","url":"https://www.theblock.co/post/399558/wasabi-protocol-hit-by-more-than-5-million-exploit-across-multiple-chains-security-firms-say"},{"credibility":1,"name":"Crypto hacks continue as Wasabi Protocol drained of $4.5 million in admin key compromise","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/30/wasabi-protocol-drained-for-usd4-5-million-in-apparent-admin-key-compromise"},{"credibility":2,"name":"Wasabi Protocol exploit tied to admin key breach, $5M+ drained across chains","type":"news_article","url":"https://ambcrypto.com/wasabi-protocol-exploit-tied-to-admin-key-breach-5m-drained-across-chains/"},{"credibility":2,"name":"Wasabi Protocol - Rekt News","type":"research","url":"https://rekt.news/wasabi-protocol-rekt"},{"credibility":2,"name":"Explained: The Wasabi Protocol Hack (April 2026) - Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-wasabi-protocol-hack-april-2026"},{"credibility":2,"name":"Wasabi Loses $5M+ in Latest DeFi Exploit - The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/wasabi-protocol-hack"},{"credibility":2,"name":"Wasabi Protocol hit by multi-chain attack after admin key compromise - CryptoBriefing","type":"news_article","url":"https://cryptobriefing.com/wasabi-protocol-attack-loss/"},{"credibility":2,"name":"Wasabi Protocol Exploit: Admin Key Attack Drains Funds on Ethereum and Base - BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/04/30/blockaid-flags-live-admin-key-exploit-hitting-wasabi-protocol-on-ethereum-and-base/"},{"credibility":2,"name":"Decentralized Perpetual Futures Platform Wasabi Protocol Loses Millions In Deployer Key Compromise - Crowdfund Insider","type":"news_article","url":"https://www.crowdfundinsider.com/2026/05/276724-decentralized-perpetual-futures-platform-wasabi-protocol-loses-millions-in-deployer-key-compromise/"},{"credibility":2,"name":"Wasabi Protocol hit by $5 million admin key exploit across chains - Cryptonomist","type":"news_article","url":"https://en.cryptonomist.ch/2026/05/01/wasabi-protocol-cross-chain-exploit/"},{"credibility":2,"name":"Wasabi Protocol Loses $5M After Attacker Seizes Deployer Admin Key Across 3 Chains - Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/wasabi-protocol-loses-5m-after-attacker-seizes-deployer-admin-key-across-3-chains/"},{"credibility":2,"name":"Wasabi Protocol loses over $5 million in multi-chain exploit - Crypto.news","type":"news_article","url":"https://crypto.news/wasabi-protocol-loses-over-5-million-in-multi-chain-exploit/"},{"credibility":2,"name":"Wasabi Protocol Says No Final Compensation Plan in Security Response - Bitget News","type":"news_article","url":"https://www.bitget.com/news/detail/12560605404710"},{"credibility":2,"name":"Wasabi Protocol $5 Million Exploit Accelerates AI-Driven DeFi Hacker Theory - Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/wasabi-protocol-5-million-exploit-112509659.html"},{"credibility":2,"name":"Wasabi Protocol Suffers Over $5M Loss in Multi-Chain Exploit - CoinEdition","type":"news_article","url":"https://coinedition.com/wasabi-protocol-suffers-over-5m-loss-in-multi-chain-exploit/"},{"credibility":2,"name":"Wasabi Protocol Suffers a $5.5M Exploit from its Vault Pools - Tekedia","type":"news_article","url":"https://www.tekedia.com/wasabi-protocol-suffers-a-5-5m-exploit-from-its-vault-pools/"},{"credibility":1,"name":"Memecoin leverage trading protocol Wasabi raises $3 million led by Electric Capital - The Block","type":"news_article","url":"https://www.theblock.co/post/300465/memecoin-leverage-trading-protocol-wasabi-funding"},{"credibility":2,"name":"Wasabi Protocol TVL and volume - DeFiLlama","type":"on_chain","url":"https://defillama.com/protocol/wasabi"},{"credibility":2,"name":"Wasabi Protocol profile - Messari","type":"research","url":"https://messari.io/project/wasabi-protocol/profile"},{"credibility":3,"name":"Anatomy of a Preventable Drain: What the Wasabi Protocol Exploit Teaches DeFi About Admin Key Security - Medium","type":"research","url":"https://favoriteblockchain.medium.com/anatomy-of-a-preventable-drain-what-the-wasabi-protocol-exploit-teaches-defi-about-admin-key-096abef96408"}],"summary":"Wasabi Protocol is a decentralized perpetual futures and leverage trading protocol founded in 2022, enabling users to trade memecoins, NFTs, and other long-tail assets with leverage on Ethereum, Base, Blast, and Berachain. On April 30, 2026, the protocol suffered a critical exploit in which an attacker compromised the deployer EOA private key (wasabideployer.eth), granted ADMIN_ROLE to a malicious orchestrator contract with zero timelock delay, and executed UUPS proxy upgrades across all four chains to drain approximately $5.9 million in user funds. The stolen assets were subsequently consolidated into ETH and routed through Tornado Cash across five attacker wallets.","timeline":[{"date":"2022-01-01","event":"Wasabi Protocol founded by Eren Derman and Kemal Hasan Atay in New York, NY.","source":"Tracxn / Alliance company profile","source_url":"https://alliance.xyz/companies/wasabi-protocol"},{"date":"2024-06-18","event":"Wasabi Protocol closes $3 million seed round led by Electric Capital, with participation from Alliance, Luca Netz, Santiago Santos, Zagabond, and DCF God.","source":"The Block","source_url":"https://www.theblock.co/post/300465/memecoin-leverage-trading-protocol-wasabi-funding"},{"date":"2026-04-30","event":"At 01:12 UTC, attacker wallet receives 0.188 ETH from a Tornado Cash-linked address, beginning pre-exploit funding.","source":"Rekt News on-chain analysis","source_url":"https://rekt.news/wasabi-protocol-rekt"},{"date":"2026-04-30","event":"Between 07:07 and 07:36 UTC, additional attacker wallet funding transactions executed. At 07:46 UTC, malicious contracts deployed across chains.","source":"Rekt News on-chain analysis","source_url":"https://rekt.news/wasabi-protocol-rekt"},{"date":"2026-04-30","event":"At 07:49:47 UTC, Ethereum vault drain executes across eight vaults simultaneously. Base drain follows at 07:52:37 UTC. Ethereum LongPool drained at 07:59:35 UTC.","source":"Rekt News on-chain analysis","source_url":"https://rekt.news/wasabi-protocol-rekt"},{"date":"2026-04-30","event":"Blockaid exploit detection system flags the active drain across Ethereum and Base in near real-time. Hypernative, CertiK, and PeckShield subsequently issue independent alerts.","source":"BanklessTimes / The Block","source_url":"https://www.banklesstimes.com/articles/2026/04/30/blockaid-flags-live-admin-key-exploit-hitting-wasabi-protocol-on-ethereum-and-base/"},{"date":"2026-04-30","event":"At approximately 10:00 UTC, Wasabi Protocol issues first public statement on X advising users not to interact with contracts. Second statement at 13:00 UTC confirms SEAL 911 and Blockaid engagement, notes Solana unaffected, and states FBI contacted.","source":"Wasabi Protocol / The Block","source_url":"https://www.theblock.co/post/399558/wasabi-protocol-hit-by-more-than-5-million-exploit-across-multiple-chains-security-firms-say"},{"date":"2026-05-01","event":"Wasabi Protocol issues first substantive update confirming the breach is contained. Berachain and Blast confirmed as additional affected chains.","source":"CryptoBriefing / AMBCrypto","source_url":"https://cryptobriefing.com/wasabi-protocol-attack-loss/"},{"date":"2026-05-01","event":"Attacker Wallet 2 (300 ETH) exits through Tornado Cash.","source":"Rekt News on-chain analysis","source_url":"https://rekt.news/wasabi-protocol-rekt"},{"date":"2026-05-02","event":"Attacker Wallet 3 (500 ETH) exits through Tornado Cash.","source":"Rekt News on-chain analysis","source_url":"https://rekt.news/wasabi-protocol-rekt"},{"date":"2026-05-03","event":"Attacker Wallet 1 (528 ETH) exits through Tornado Cash.","source":"Rekt News on-chain analysis","source_url":"https://rekt.news/wasabi-protocol-rekt"},{"date":"2026-05-04","event":"Attacker Wallet 4 (500 ETH) exits through Tornado Cash. Wallet 5 (737.36 ETH) still holding as of this date.","source":"Rekt News on-chain analysis","source_url":"https://rekt.news/wasabi-protocol-rekt"},{"date":"2026-05-04","event":"Wasabi Protocol states publicly that no final user compensation plan has been determined.","source":"Bitget News","source_url":"https://www.bitget.com/news/detail/12560605404710"}]},"v":1}