A DeFi lending protocol known for its on-chain options and fixed-rate borrowing products became the latest victim of an admin key compromise late on April 30, 2026, with on-chain security firms confirming losses exceeding $5 million across Ethereum and Base.
Wasabi Protocol – a platform that lets users borrow against NFTs and long-tail assets through structured products – saw its deployer wallet used to grant elevated privileges to an attacker-controlled contract. The attacker then executed a UUPS upgrade, effectively replacing the protocol’s logic with malicious code that drained pooled user funds.
How the Attack Unfolded
Blockchain security firm Blockaid was first to flag the exploit, posting a real-time alert to X as the attack was in progress. According to Blockaid, the Wasabi deployer externally owned address (EOA) was used to assign ADMIN_ROLE to a helper contract the attacker had staged in advance.
Once admin access was granted, the attacker triggered a UUPS proxy upgrade. UUPS is a standard smart contract pattern in which the proxy delegates all calls to a replaceable implementation contract, so logic can be swapped without migrating storage; the check on who may perform the swap lives in the implementation itself, usually as a role check. An attacker holding that role can therefore point the proxy at any contract of their choosing in a single transaction. In this case, the upgrade pointed to a contract designed specifically to extract funds.
The breach affected multiple pools across Ethereum mainnet and Base, with security analytics platform Cyvers estimating final losses somewhere between $4.5 million and $5.3 million depending on the token valuation used at time of extraction.
Wasabi Protocol acknowledged the incident in a post on X, stating that the team had identified the attack vector and paused contracts where possible. Users were advised not to interact with the protocol pending a full post-mortem.
A Familiar Playbook
The structural similarity to the $285 million Drift Protocol exploit – which occurred earlier in April – hasn’t gone unnoticed. In that case, North Korean state-backed hackers reportedly spent months embedding themselves in the project before compromising a deployer key that lacked any timelock or multisig protection.
Wasabi’s exploit followed an almost identical pattern: a single compromised key with no upgrade delay mechanism served as the sole barrier between user funds and total loss.
“Audits don’t catch this,” one security researcher posted on X. “There’s no bug in the code. There’s only an operational design that made one private key sufficient to take over a multi-chain protocol holding tens of millions of dollars of user funds. A single point of failure like that, anywhere in the chain that signs, deploys, or upgrades a DeFi protocol, is no longer defensible architecture in 2026.”
The AI Hacker Theory Returns
The Wasabi incident has revived a theory that gained momentum following the Drift hack: that sophisticated AI tools are accelerating the speed and precision of DeFi exploits.
BeInCrypto researchers noted that the staging and execution of the Wasabi attack – from pre-deploying the helper contract to timing the admin grant and upgrade call – bears the hallmarks of automated scripting and potentially AI-assisted vulnerability discovery and execution.
No group has claimed responsibility for the Wasabi exploit. But the overlap in methodology with Drift – a hack attributed to North Korea’s Lazarus Group – has fuelled speculation that state-backed actors may be deploying machine-learning tools to identify key management weaknesses at scale across the DeFi ecosystem.
North Korean hackers have stolen an estimated $6 billion in crypto since 2017, according to intelligence firm TRM Labs. In 2026 alone, state-backed actors are said to account for 76% of all crypto hack and scam losses year-to-date.
What Needs to Change
The Wasabi and Drift hacks represent a structural problem that the DeFi sector has been slow to solve: the concentration of protocol control in single wallets.
Timelocks – mechanisms that delay the execution of critical upgrades by 24 to 72 hours – give communities and security researchers time to identify malicious changes before they go live, and give users a window to withdraw if a queued upgrade looks wrong. Multisig controls that require multiple parties to authorise upgrades add a second layer of protection, so that one stolen key is no longer enough. Yet many protocols continue to launch without either.
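The two designs contrasted above, written out as Solidity. This is an added illustration, not Wasabi Protocol’s or Drift’s code; it assumes OpenZeppelin Contracts v5 (upgradeable variants for the logic contracts, TimelockController for the governance layer) and uses hypothetical contract names (PoolLogicWeak, PoolLogicHardened, HardenedDeployer). The weak contract reproduces the failure mode described in the attack: the same EOA is role admin and upgrader, so one compromised key can grant ADMIN_ROLE to a staged helper and swap the implementation in back-to-back transactions. The hardened contract gives UPGRADER_ROLE (and role administration) only to a self-administered TimelockController whose sole proposer is a multisig.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependency: OpenZeppelin Contracts v5 (example code, not the protocol's own).
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {AccessControlUpgradeable} from "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";
import {TimelockController} from "@openzeppelin/contracts/governance/TimelockController.sol";

/// WEAK PATTERN (hypothetical name): a single EOA is both role admin and upgrader.
/// If that key leaks, the attacker needs exactly two transactions:
///   1. grantRole(ADMIN_ROLE, attackerHelper)      -- from the deployer EOA
///   2. upgradeToAndCall(maliciousImpl, "")        -- from the helper, now authorised
contract PoolLogicWeak is Initializable, UUPSUpgradeable, AccessControlUpgradeable {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");

    constructor() { _disableInitializers(); } // implementation is never initialised directly

    function initialize(address deployer) external initializer {
        __AccessControl_init();
        __UUPSUpgradeable_init();
        _grantRole(DEFAULT_ADMIN_ROLE, deployer); // can hand out ADMIN_ROLE to anyone
        _grantRole(ADMIN_ROLE, deployer);         // can upgrade immediately, no delay
    }

    // Upgrade authority is a plain role check: no delay, no second signer.
    function _authorizeUpgrade(address) internal override onlyRole(ADMIN_ROLE) {}
}

/// HARDENED PATTERN (hypothetical name): only a TimelockController may upgrade or
/// administer roles. No EOA holds either power, so a stolen deployer key cannot
/// grant itself the upgrader role or bypass the delay.
contract PoolLogicHardened is Initializable, UUPSUpgradeable, AccessControlUpgradeable {
    bytes32 public constant UPGRADER_ROLE = keccak256("UPGRADER_ROLE");

    constructor() { _disableInitializers(); }

    function initialize(address timelock) external initializer {
        __AccessControl_init();
        __UUPSUpgradeable_init();
        _grantRole(DEFAULT_ADMIN_ROLE, timelock); // role changes also go through the delay
        _grantRole(UPGRADER_ROLE, timelock);
    }

    function _authorizeUpgrade(address) internal override onlyRole(UPGRADER_ROLE) {}
}

/// Wiring for the hardened variant (hypothetical helper). The multisig is the only
/// proposer; anyone may execute once the delay has elapsed; the timelock is its own
/// admin, so nobody can shorten MIN_DELAY without itself going through the delay.
contract HardenedDeployer {
    uint256 public constant MIN_DELAY = 48 hours; // assumed value, inside the 24-72h range discussed

    function deployTimelock(address multisig) external returns (TimelockController) {
        address[] memory proposers = new address[](1);
        proposers[0] = multisig;
        address[] memory executors = new address[](1);
        executors[0] = address(0); // address(0) executor = open execution after the delay
        return new TimelockController(MIN_DELAY, proposers, executors, address(0));
    }

    /// Calldata the multisig passes to TimelockController.schedule(...) to queue an
    /// upgrade of a PoolLogicHardened proxy. The queued call is public on-chain for
    /// MIN_DELAY before it can execute, which is the window monitors and users act in.
    function upgradeCalldata(address newImplementation) external pure returns (bytes memory) {
        return abi.encodeCall(UUPSUpgradeable.upgradeToAndCall, (newImplementation, bytes("")));
    }
}
```

With the hardened wiring, the sequence Blockaid observed (role grant followed by an immediate upgrade) cannot be completed by any single key: the grant and the upgrade each have to be scheduled through the timelock and sit in the queue for at least MIN_DELAY, during which the proposed implementation address is visible to anyone monitoring CallScheduled events. The delay is only useful if someone is watching and able to respond, so it complements, rather than replaces, real-time monitoring and a multisig that is not itself controlled by one operator.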
The Ethereum security community has long advocated for mandatory timelock periods on all UUPS and transparent proxy upgrades. Following April’s string of high-profile hacks, that advocacy is becoming louder.
DeFi auditing firms including CertiK and OpenZeppelin have both published guidance in recent weeks urging protocols to treat key management as critically as code correctness. The message is straightforward: even a perfectly written smart contract is worthless if the key that controls it is held in a single hot wallet.
Industry Response
Wasabi Protocol’s team has committed to publishing a full incident report. The protocol’s native token fell sharply in the hours following the disclosure before partially recovering as the team confirmed the attack was isolated to the affected pools.
Several liquidity providers posted publicly that they had begun moving funds out of similar admin-key-controlled protocols in response to the incident, citing unacceptable key management risk.
The attack adds further weight to the argument that DeFi’s security maturity hasn’t kept pace with its capital growth. Total value locked across DeFi protocols stands at roughly $95 billion as of early May 2026, representing a substantial target for increasingly sophisticated attackers.
Frequently Asked Questions
What happened to Wasabi Protocol? Wasabi Protocol suffered an admin key compromise on April 30, 2026, resulting in losses of approximately $4.5 to $5.3 million across Ethereum and Base. An attacker used the protocol’s deployer wallet to grant ADMIN_ROLE to a malicious contract and then upgraded the protocol’s logic to drain user funds.
Is Wasabi Protocol connected to the Drift Protocol hack? The two exploits share a nearly identical attack pattern – a single compromised deployer key with no timelock or multisig protection. Security researchers have noted the similarities, and some have suggested AI-assisted tooling may be accelerating this type of attack across the DeFi sector.
How can DeFi protocols prevent admin key exploits? The main protections are timelocks on critical upgrades (delaying execution by 24-72 hours), multisig key management requiring multiple approvals, and moving deployer privileges to hardware wallets or dedicated cold storage rather than hot wallets. Note that a hardware wallet protects a key from theft but does not remove the single point of failure if one signer can still upgrade alone; it complements a multisig and timelock rather than replacing them.