In April 2026, the Wasabi Protocol, a DeFi derivatives platform, was the victim of a $5 million hack. The attacker used a compromised deployer key to update smart contracts and drain funds across multiple blockchains, including Ethereum, Base, Berachain, and Blast.
Inside the Attack
The Wasabi Protocol hack was caused by a compromised private key, the one associated with the wasabideployer.eth account. This account was the sole administrator account within the protocol’s PerpManager framework.
With access to this private key, the attacker was able to assign ADMIN_ROLE privileges to a malicious smart contract. This contract then performed a Universal Upgradeable Proxy Standard (UUPS) upgrade to several of the protocol’s smart contracts, introducing malicious code into the contracts while maintaining the same smart contract address.
By performing these malicious upgrades, the attacker was able to grant themselves elevated permissions that allowed them to drain underlying assets and liquidity from the protocol across multiple blockchains. In total, an estimated $5 million was stolen from the protocol and converted into ETH before being transferred to various on-chain accounts.
Lessons Learned from the Attack
The Wasabi Protocol hack is a classic example of the dangers of centralized power within a DeFi protocol. The platform had a single externally owned account (EOA) with administrative control over the entire protocol. Once the attacker stole the private key associated with this account, they gained complete control over the protocol and could change the underlying smart contract logic so that it allowed them to drain funds.
This concentration of authority in a single EOA was made worse by the absence of both a multisig and a timelock on the account. Without a multisig, stealing one private key was enough to carry out the attack. Without a timelock, the attacker could act instantly, appointing a malicious contract as an admin and upgrading the project's smart contracts, with no window in which the project could block the changes before they took effect. The framework used by the protocol supported timelocks, but the delay was set to zero.
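As an added illustration, not Wasabi's or Halborn's code, the following OpenZeppelin-based sketch contrasts the two configurations discussed above: a UUPS upgrade hook whose only authority is a TimelockController, deployed once with a zero delay and a single EOA as proposer and executor, and once with a two-day delay and a multisig as proposer. The VaultV1 and Deploy contract names, the UPGRADER_ROLE name and the 2-day delay are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the protocol's code): a UUPS-upgradeable vault whose
// upgrade and role-admin authority is a TimelockController, not a single EOA.
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {AccessControlUpgradeable} from "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";
import {TimelockController} from "@openzeppelin/contracts/governance/TimelockController.sol";

contract VaultV1 is UUPSUpgradeable, AccessControlUpgradeable {
    bytes32 public constant UPGRADER_ROLE = keccak256("UPGRADER_ROLE"); // assumed name

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() { _disableInitializers(); }

    function initialize(address timelock) external initializer {
        __AccessControl_init();
        __UUPSUpgradeable_init();
        // Role administration AND upgrades are held by the timelock, so granting
        // a role to a new contract or swapping the implementation must be
        // scheduled on-chain and wait out the delay before it can execute.
        _grantRole(DEFAULT_ADMIN_ROLE, timelock);
        _grantRole(UPGRADER_ROLE, timelock);
    }

    // UUPS hook: upgradeToAndCall reverts unless the caller holds UPGRADER_ROLE.
    function _authorizeUpgrade(address) internal override onlyRole(UPGRADER_ROLE) {}
}

// Factory showing the weak and hardened timelock configurations side by side.
contract Deploy {
    // Weak: minDelay of 0 and one EOA as both proposer and executor, so a
    // stolen key can schedule and execute an upgrade in the same block.
    function weak(address eoa) external returns (TimelockController) {
        address[] memory who = new address[](1);
        who[0] = eoa;
        return new TimelockController(0, who, who, address(0));
    }
    // Hardened: 2-day delay, a multisig as the only proposer, open execution.
    function hardened(address multisig) external returns (TimelockController) {
        address[] memory proposers = new address[](1);
        proposers[0] = multisig;
        address[] memory executors = new address[](1);
        executors[0] = address(0); // address(0) executor means anyone may execute once the delay has passed
        return new TimelockController(2 days, proposers, executors, address(0));
    }
}
```

With the hardened configuration, a scheduled upgrade or role grant emits a CallScheduled event two days before it can take effect, which is the window a monitoring team can use to spot an unexpected operation and have the multisig cancel it.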
The Wasabi Protocol hack was made possible by weaknesses in private key security and in the platform's access-control design, not by exploitable smart contract vulnerabilities. Halborn offers security advisory services that help organizations limit their exposure to these threats by implementing security best practices. Get in touch to learn more.
