Wasabi Protocol: One Key, No Multisig, $5.9M Gone in Three Minutes
Wasabi Protocol had one admin key controlling every vault across four blockchains. No backup. No delay. No protection. Someone got the key.

A perpetuals trading platform is a product that lets people make leveraged bets on whether crypto assets go up or down. Wasabi Protocol built one. It had $8.5 million in user deposits. It was live on four blockchains - Ethereum, Base, Berachain, and Blast.
On April 30, 2026, all of that took three minutes to disappear.
The attacker did not find a bug in the code. They did not trick a smart contract. They obtained one private key - the key belonging to an account called wasabideployer.eth - and that was enough to take everything.
Here is why that should not have been possible.
A private key in crypto is like a master password. Whoever holds it can do whatever the account is authorized to do. The wasabideployer.eth account held something called ADMIN_ROLE across every single vault Wasabi had ever deployed. That means it had the power to upgrade those vaults - to replace the legitimate code with any code the attacker wanted.
In a responsible protocol, admin powers like this are protected by two things. First, a multisig wallet - an account that requires multiple people to sign off before any action goes through, like a bank account that needs two keys to open. Second, a timelock - a mandatory delay between when an admin action is announced and when it executes, giving users time to see something bad coming and get their money out.
Wasabi had neither. One wallet. One key. Total control. No safeguards.
The attacker used the compromised key to grant ADMIN_ROLE to a malicious contract they controlled. That contract immediately ran UUPS upgrades - a technical mechanism for updating smart contract logic - across every Wasabi vault simultaneously. The upgraded contracts did one thing: emptied themselves.
840.9 WETH - worth roughly $1.9 million - left in a single transaction. Seven other vaults were drained in the same block. Across four chains, the same playbook executed simultaneously.
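The sequence described above (an admin-role grant to a new contract, then vault upgrades moments later) leaves a recognizable trail in event logs, and the added example below, which is not Wasabi's code or any monitoring vendor's, shows one way a defender could correlate it. It assumes logs already decoded into the hypothetical `Event` record, the role hash mapped to the name ADMIN_ROLE, placeholder addresses, and a 48-hour expected timelock delay; `RoleGranted` and `Upgraded` are the events emitted by OpenZeppelin's AccessControl and by ERC-1967 proxies.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:              # hypothetical record shape for a decoded log entry
    ts: int               # block timestamp in seconds
    name: str             # decoded event name: "RoleGranted" or "Upgraded"
    emitter: str          # contract that emitted the log
    tx_to: str            # address the enclosing transaction was sent to
    args: tuple = ()      # (role, account, sender) or (implementation,)

def detect_grant_then_upgrade(events, expected_admins, min_delay_s):
    """One alert per admin-role grant to an unexpected account that is followed,
    sooner than min_delay_s, by proxy upgrades driven through that account."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for grant in ordered:
        if grant.name != "RoleGranted":
            continue
        role, account, sender = grant.args
        if role != "ADMIN_ROLE" or account in expected_admins:
            continue
        hits = [e for e in ordered
                if e.name == "Upgraded" and e.tx_to == account
                and 0 <= e.ts - grant.ts < min_delay_s]
        if hits:
            alerts.append({
                "grantee": account,
                "granted_by": sender,
                "proxies": sorted({e.emitter for e in hits}),
                "seconds_to_first_upgrade": hits[0].ts - grant.ts,
            })
    return alerts

# Constructed sample logs with placeholder addresses (not data from the incident).
SAMPLE = [
    Event(1000, "RoleGranted", "0xRoles", "0xRoles",
          ("ADMIN_ROLE", "0xNewContract", "0xDeployerEOA")),
    Event(1012, "Upgraded", "0xVaultA", "0xNewContract", ("0xImplX",)),
    Event(1012, "Upgraded", "0xVaultB", "0xNewContract", ("0xImplX",)),
    # Benign: role held by the expected timelock, which upgrades much later.
    Event(500, "RoleGranted", "0xRoles", "0xRoles",
          ("ADMIN_ROLE", "0xTimelock", "0xDeployerEOA")),
    Event(200000, "Upgraded", "0xVaultC", "0xTimelock", ("0xImplY",)),
]

if __name__ == "__main__":
    for alert in detect_grant_then_upgrade(SAMPLE, {"0xTimelock"}, 48 * 3600):
        print(alert)
```

With a timelock in place, the gap between a role change and any upgrade it enables is at least the configured delay, which is why a gap of seconds is the signal here.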
Blockaid, a blockchain security firm, caught it live. CertiK followed minutes later. By the time either firm finished their alert, the money was already gone. Wasabi's first public statement came hours after the drain began: "Aware of an issue, investigating." The assets drained included WETH, PEPE, USDC, wBITCOIN, MOG, AERO, and a token called VIRTUAL, among others.
Virtuals Protocol - which used Wasabi for some of its margin deposit infrastructure - had to freeze those deposits as a precaution, even though Virtuals itself was not directly compromised.
The tools to prevent this have existed for years. OpenZeppelin's TimelockController, which adds mandatory delays to admin actions, has been available since 2020. Gnosis Safe, which provides multi-signature wallet functionality, has been operational since 2018. Both are standard practice in serious DeFi protocols. Wasabi chose not to use them.
ZachXBT, the on-chain investigator, noted the real story was not that someone stole a key. The real story was that one stolen key was enough to take everything.
As of the time of writing: four of five attacker wallets have moved funds through Tornado Cash, a privacy tool that breaks the on-chain trail. One wallet remains. There is no compensation plan. No recovery. $5.9 million gone.
April 2026 was the worst month for DeFi security since records started being kept. Drift Protocol lost $285 million on April 1. KelpDAO lost $292 million on April 18. Wasabi added $5.9 million on April 30. TRM Labs released a report on the same day as the Wasabi hack showing that North Korean state-backed hackers were responsible for 76% of all crypto hack losses in 2026 - nearly $600 million - bringing their total since 2017 past $6 billion. No formal attribution has connected Wasabi to that group.
Wasabi had a working product. Real users. $8.5 million in deposits that people trusted the protocol to protect.
Nobody broke the code. They took the key, and the code did exactly what it was designed to do.
The Aftermath
As of the time of publication, $5.9 million is gone with no recovery plan announced. Four of five attacker wallets have routed funds through Tornado Cash. One wallet remains. The protocol paused all contracts. Virtuals Protocol froze Wasabi-powered margin deposits as a precaution. No compensation framework has been announced for affected users. The post-mortem is pending.