Wasabi Protocol drained for $4.5 million in apparent admin key compromise
The exploit used a similar playbook as Drift’s $285 million breach earlier this month — a compromised deployer key with no timelock or multisig that resulted in a drain of funds.
What to know:
- Wasabi Protocol, a perpetuals trading platform on Ethereum and Base, was drained of about $4.55 million after attackers compromised its deployer admin key.
- The attacker used the compromised key to grant themselves admin privileges and UUPS-upgrade Wasabi’s vault contracts to malicious versions, draining assets from multiple pools on both chains.
- The incident, which lacked safeguards such as a timelock or multisig on the admin role, adds to more than $770 million in DeFi losses this year and echoes recent key-compromise exploits at Drift Protocol and Kelp DAO.
The hack is the latest in a month that has produced over $605 million in DeFi losses across at least 12 incidents.
The core weakness was that an externally owned account, or EOA, called wasabideployer.eth held the sole ADMIN_ROLE in Wasabi's permission system.
An EOA is a wallet controlled by a private key, as opposed to a smart contract. Whoever holds the key controls the wallet. Once the attacker had access to the deployer key, they called grantRole on the permission contract to give themselves admin privileges with zero delay.
Their helper contract then upgraded Wasabi’s perp vaults and LongPool to malicious implementations that drained the balances, Blockaid said.
The exploit relied on UUPS upgradeability, a pattern where a smart contract can swap out its underlying code while keeping the same address.
UUPS is widely used because it lets developers fix bugs without migrating users. It also means that if an attacker controls admin permissions, they can replace the contract’s logic with anything they want, including code designed to steal funds.
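The weak setting described above beside a hardened form, as an added illustration that is not Wasabi's code: both contracts use OpenZeppelin's upgradeable UUPS and AccessControl libraries (v5.x assumed), and the hardened version hands the admin and upgrader roles to a TimelockController address (assumed to be deployed separately with a multisig as proposer) so the deployer key holds no power once initialization is done.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Wasabi's code. Assumes OpenZeppelin Contracts Upgradeable v5.x.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {AccessControlUpgradeable} from "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";

/// Weak pattern: the deploying EOA holds DEFAULT_ADMIN_ROLE, so whoever has that one
/// private key can grant roles and swap the implementation in one transaction, with no delay.
contract VaultWeak is Initializable, UUPSUpgradeable, AccessControlUpgradeable {
    constructor() { _disableInitializers(); }

    function initialize() external initializer {
        __UUPSUpgradeable_init();
        __AccessControl_init();
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender); // deployer EOA is the single point of failure
    }

    // Any admin can point the proxy at new code immediately.
    function _authorizeUpgrade(address) internal override onlyRole(DEFAULT_ADMIN_ROLE) {}
}

/// Hardened pattern: the admin and upgrader roles are held by a TimelockController
/// (assumed: deployed separately, e.g. 48h minDelay, multisig as proposer), so every role
/// change and every upgrade is queued on-chain and visible for the full delay before it executes.
contract VaultHardened is Initializable, UUPSUpgradeable, AccessControlUpgradeable {
    bytes32 public constant UPGRADER_ROLE = keccak256("UPGRADER_ROLE");

    constructor() { _disableInitializers(); }

    /// @param timelock address of the TimelockController that will govern this vault (assumed input)
    function initialize(address timelock) external initializer {
        // Rejects an EOA outright; it does not prove the address is a timelock, so verify that off-chain.
        require(timelock.code.length > 0, "admin must be a contract, not an EOA");
        __UUPSUpgradeable_init();
        __AccessControl_init();
        _grantRole(DEFAULT_ADMIN_ROLE, timelock); // role grants must go through the timelock
        _grantRole(UPGRADER_ROLE, timelock);      // so must implementation swaps
        // Deliberately nothing is granted to msg.sender: the deployer key is powerless after this call.
    }

    // Only the timelock can authorize an upgrade, and only after its delay has elapsed.
    function _authorizeUpgrade(address) internal override onlyRole(UPGRADER_ROLE) {}
}
```

A useful post-deployment check is to read `hasRole(DEFAULT_ADMIN_ROLE, deployerEOA)` and `hasRole(UPGRADER_ROLE, deployerEOA)` on every proxy and alert if either returns true.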
