Wasabi Protocol loses over $5M in cross-chain exploit

A compromised deployer/admin key let attackers upgrade Wasabi contracts and drain more than $5 million across Ethereum, Base, Berachain and Blast.
Wasabi Protocol lost more than $5 million after an attacker used a compromised deployer/admin key to upgrade contracts and withdraw funds across Ethereum, Base, Berachain and Blast.
Security audits and on-chain monitors found the attacker gained privileged access through the Wasabi deployer wallet, upgraded vault and pool contracts, and removed assets from multiple Wasabi contracts. Audit firm Blockaid warned: “All Wasabi/Spicy LP-share tokens minted by these vaults should be treated as COMPROMISED — the underlying assets backing them have been drained or are at risk while the Wasabi deployer key remains live.”

Blockchain analytics firm BlockSec traced administrative role assignments to accounts with ties to Tornado Cash. Those accounts interacted with Wasabi Protocol’s LongPool, ShortPool and Vault contracts, according to the tracing results.
Security research group Cyvers identified a range of tokens taken in the exploit, including wrapped ether (WETH), PEPE, MOG, USDC, ZYN, REKT, cbBTC, AERO and VIRTUAL. Cyvers added that the stolen tokens were converted into ETH, bridged to the Ethereum network and redistributed across multiple addresses.

Virtuals Protocol said its own security systems remain intact but that it froze margin deposits that rely on Wasabi as a precaution. Wasabi Protocol posted a notice on its social channel asking users not to interact with Wasabi contracts until the team provides an update: “As a precaution, please do not interact with Wasabi contracts until further notice. We'll share an update as soon as we have more information.”
The incident is one of several recent DeFi exploits. Security trackers recorded more than 25 protocol breaches this month totaling over $600 million in losses, including a single incident that accounted for roughly $292 million.
Blockchain security firms continue on-chain analysis and monitoring of addresses linked to the exploit. Wasabi Protocol has not yet published a detailed postmortem or confirmed whether the compromised deployer key has been revoked or rotated. Investigators and affected projects advise users to avoid interacting with Wasabi-related tokens and vaults until the deployer key is secured and funds are accounted for.