Key Takeaways:
An attacker drained $4.5M to $5.5M from Wasabi Protocol by compromising the deployer EOA admin key on April 30, 2026.

Virtuals Protocol froze margin deposits immediately after the breach, though its own security remained fully intact.

Wasabi Protocol has not issued a public statement; users must revoke all approvals across Ethereum, Base, and Blast.

DeFi Protocol Wasabi Loses $5M in Admin Key Hack

The attack began around 07:48 UTC and ran for approximately two hours. The deployer granted ADMIN_ROLE to attacker-controlled contracts on Ethereum, Base, and Blast. A malicious contract then called strategyDeposit() on seven to eight WasabiVault proxies, passing a fake strategy that triggered a drain() function returning all collateral to the attacker.
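The grant-then-deposit sequence described above is something a monitoring pipeline can correlate. The following is an added example, not Wasabi's code and not part of the original article: it runs that correlation over constructed, already-decoded events, and the record shape, the allowlists and every address in it are assumptions.

```python
from dataclasses import dataclass, field

# Allowlists are constructed placeholders, not real addresses.
APPROVED_ADMINS = {"0xMULTISIG"}
APPROVED_STRATEGIES = {"0xSTRATEGY_A"}

@dataclass(frozen=True)
class Event:
    """Already-decoded on-chain record (hypothetical shape)."""
    ts: int       # seconds since start of capture
    chain: str
    kind: str     # "role_granted" or "call"
    actor: str    # transaction sender / calling contract
    target: str   # contract acted on
    detail: dict = field(default_factory=dict)

def detect(events, window=2 * 3600):
    """Flag unapproved ADMIN_ROLE grants and follow-on strategyDeposit calls."""
    alerts, rogue = [], {}  # rogue maps (chain, account) -> grant time
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "role_granted" and e.detail.get("role") == "ADMIN_ROLE":
            acct = e.detail["account"]
            if acct not in APPROVED_ADMINS:
                rogue[(e.chain, acct)] = e.ts
                alerts.append(("UNAPPROVED_ADMIN_GRANT", e.chain, acct, e.ts))
        elif e.kind == "call" and e.detail.get("function") == "strategyDeposit":
            granted = rogue.get((e.chain, e.actor))
            unknown = e.detail.get("strategy") not in APPROVED_STRATEGIES
            if granted is not None and e.ts - granted <= window and unknown:
                alerts.append(("VAULT_DRAIN_PATTERN", e.chain, e.target, e.ts))
    return alerts

# Constructed sample: one malicious sequence, one benign one, one stale call.
SAMPLE = [
    Event(100, "ethereum", "role_granted", "0xDEPLOYER", "0xVAULT_1",
          {"role": "ADMIN_ROLE", "account": "0xROGUE"}),
    Event(160, "ethereum", "call", "0xROGUE", "0xVAULT_1",
          {"function": "strategyDeposit", "strategy": "0xFAKE"}),
    Event(200, "base", "role_granted", "0xDEPLOYER", "0xVAULT_2",
          {"role": "ADMIN_ROLE", "account": "0xMULTISIG"}),
    Event(300, "base", "call", "0xMULTISIG", "0xVAULT_2",
          {"function": "strategyDeposit", "strategy": "0xSTRATEGY_A"}),
    Event(400, "blast", "role_granted", "0xDEPLOYER", "0xVAULT_3",
          {"role": "ADMIN_ROLE", "account": "0xROGUE"}),
    Event(9000, "blast", "call", "0xROGUE", "0xVAULT_3",
          {"function": "strategyDeposit", "strategy": "0xFAKE"}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

An admin grant to an account outside the allowlist is worth paging on by itself; the second rule only raises confidence that a vault is being emptied.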
The pattern across nearly every incident points away from code-level bugs and toward admin key compromises, bridge weaknesses, and upgradeable proxy risks, exposing centralized control points that audits alone cannot protect against.
The Wasabi situation remains active. Users should monitor the official @wasabi_protocol account and security firm feeds for updates.


















