DeFi lending platform Wasabi Protocol lost over $5.5 million after an attacker compromised the project's deployer wallet, draining funds across its vaults on Ethereum, Base, Blast, and Berachain. The exploit, which began unfolding late Tuesday, highlights a critical operational security failure rather than a flaw in the smart contract logic itself.
"We're aware of an issue and are actively investigating," the Wasabi Protocol team said in a statement, urging users not to interact with the contracts until further notice. According to on-chain security firm Blockaid, the root cause was the compromise of a single externally owned address, wasabideployer.eth, which held the ADMIN_ROLE for the protocol's access manager. This allowed the attacker to grant themselves administrative privileges and upgrade the protocol's vaults to a malicious implementation that siphoned user funds.
The attack on Wasabi is the latest in a series of high-value exploits that made April the most damaging month for the crypto sector in over a year, with total losses crossing $630 million, according to data from CertiK. The month was defined by a handful of catastrophic, multi-stage attacks, including the $293 million Kelp DAO exploit and the $280 million breach of Drift Protocol. This marks a strategic shift from the more frequent, lower-value exploits seen in previous months.
"What connects these incidents is that well-resourced attackers are finding novel ways to exploit the seams between on-chain protocols and the off-chain systems they depend on," Yaniv Nissenboim, head of security solutions at Chainalysis, told Cointelegraph. The Wasabi incident underscores this trend, demonstrating how a single compromised key without the safeguard of a timelock or multisig governance can lead to a complete drain of a protocol's assets. The system treated the theft as a legitimate upgrade from the owner, revealing a critical single point of failure.
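The sequence described above, an admin-role grant followed by a vault upgrade, can be watched for in decoded event logs. The following is an added example, not code from Wasabi, Blockaid or the article; it assumes an OpenZeppelin-style AccessManager (admin role id 0, a `RoleGranted` event carrying a delay) and ERC-1967 `Upgraded` events, neither of which the article confirms, and every address and event in it is a constructed placeholder.

```python
from dataclasses import dataclass

ADMIN_ROLE = 0          # assumption: OpenZeppelin-style AccessManager, admin role id 0
WINDOW_SECONDS = 3600   # hypothetical correlation window

@dataclass(frozen=True)
class Event:
    ts: int       # block timestamp
    chain: str
    name: str     # "RoleGranted" or "Upgraded"
    args: dict    # decoded fields; "proxy" is the contract that emitted Upgraded

def find_takeovers(events, known_admins, window=WINDOW_SECONDS):
    """Flag proxy upgrades that follow an instant admin grant to an unknown account."""
    alerts, suspect_grants = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.name == "RoleGranted" and ev.args["roleId"] == ADMIN_ROLE:
            # A zero-delay grant to an account outside the allowlist is the step
            # a timelock or multisig would have slowed or blocked.
            if ev.args["account"] not in known_admins and ev.args["delay"] == 0:
                suspect_grants.setdefault(ev.chain, []).append(ev)
        elif ev.name == "Upgraded":
            for grant in suspect_grants.get(ev.chain, []):
                if ev.ts - grant.ts <= window:
                    alerts.append((ev.chain, grant.args["account"],
                                   ev.args["proxy"], ev.args["implementation"]))
    return alerts

# Constructed sample events; addresses are placeholders, not values from the incident.
KNOWN_ADMINS = {"0xDEPLOYER"}
SAMPLE = [
    Event(100, "ethereum", "Upgraded", {"proxy": "0xVAULT_A", "implementation": "0xIMPL_V2"}),
    Event(5000, "ethereum", "RoleGranted", {"roleId": 0, "account": "0xNEW_ADMIN", "delay": 0}),
    Event(5060, "ethereum", "Upgraded", {"proxy": "0xVAULT_A", "implementation": "0xIMPL_X"}),
    Event(5100, "base", "RoleGranted", {"roleId": 0, "account": "0xOPS_SAFE", "delay": 172800}),
    Event(5200, "base", "Upgraded", {"proxy": "0xVAULT_B", "implementation": "0xIMPL_V3"}),
    Event(6000, "blast", "RoleGranted", {"roleId": 7, "account": "0xKEEPER", "delay": 0}),
    Event(9000, "ethereum", "Upgraded", {"proxy": "0xVAULT_C", "implementation": "0xIMPL_Y"}),
]

if __name__ == "__main__":
    for alert in find_takeovers(SAMPLE, KNOWN_ADMINS):
        print("ALERT chain=%s new_admin=%s proxy=%s impl=%s" % alert)
```

Only the Ethereum upgrade that lands 60 seconds after the zero-delay admin grant is flagged; the delayed grant on Base, the non-admin role on Blast and the upgrade outside the window are not.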