Wasabi Loses $5M+ in Latest DeFi Exploit

On Apr 30, 2026, an attacker obtained the admin key of Wasabi Protocol’s deployer EOA (0x5c629f8c0b5368f523c85bfe79d2a8efb64fb0c8) and drained an estimated $4.5M–$5.5M from perpetual vaults and liquidity pools across Ethereum, Base and Blast. The attacker granted ADMIN_ROLE to malicious contracts, performed unauthorized UUPS proxy upgrades on WasabiVault proxies and the Wasabi long pool, and used a fake strategy via strategyDeposit() to trigger drain() calls that swept collateral and pool balances; the funds were then consolidated, bridged and distributed. Security firms Hypernative, Blockaid, Cyvers and Defimonalerts detected the activity; the attack began at ~07:48 UTC and ran for ~2 hours. Virtuals Protocol froze margin deposits and reported that its internal systems were unaffected. This was a key-management compromise, not a contract bug. Users are advised to revoke Wasabi approvals and withdraw LP positions. Wasabi had not posted a public incident update at reporting time.
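
An added example (not from the original report and not Wasabi's code): a minimal monitoring rule for the sequence described above, run over constructed, already-decoded event records. It assumes OpenZeppelin-style RoleGranted and ERC-1967 Upgraded events; every address, both allowlists and the two-hour correlation window are placeholders.

```python
from collections import defaultdict

WINDOW_SECONDS = 2 * 60 * 60        # assumption: correlate events within two hours
KNOWN_ADMINS = {"0xDEPLOYER_EOA"}   # placeholder allowlist of expected ADMIN_ROLE holders
APPROVED_IMPLS = {"0xIMPL_V1"}      # placeholder: implementations that passed release review

# Constructed, pre-decoded records (placeholders, not chain data). "tx_from" is the
# transaction sender from the receipt; event fields follow OpenZeppelin's
# RoleGranted(role, account, sender) and ERC-1967's Upgraded(implementation).
SAMPLE_EVENTS = [
    {"chain": "ethereum", "ts": 1000, "event": "RoleGranted", "role": "ADMIN_ROLE",
     "account": "0xHELPER_1", "tx_from": "0xDEPLOYER_EOA"},
    {"chain": "ethereum", "ts": 1060, "event": "Upgraded", "proxy": "0xVAULT_PROXY",
     "implementation": "0xIMPL_UNREVIEWED", "tx_from": "0xHELPER_1"},
    {"chain": "base", "ts": 1300, "event": "RoleGranted", "role": "ADMIN_ROLE",
     "account": "0xHELPER_2", "tx_from": "0xDEPLOYER_EOA"},
    {"chain": "blast", "ts": 90000, "event": "Upgraded", "proxy": "0xVAULT_PROXY",
     "implementation": "0xIMPL_V1", "tx_from": "0xDEPLOYER_EOA"},
]

def detect(events):
    """Return alert tuples for unexpected admin grants and unreviewed upgrades."""
    alerts = []
    grants_by_key = defaultdict(list)   # granting key -> [(ts, chain)]
    fresh_admins = {}                   # (chain, account) -> time of grant
    for e in sorted(events, key=lambda r: r["ts"]):
        if e["event"] == "RoleGranted" and e["role"] == "ADMIN_ROLE":
            if e["account"] in KNOWN_ADMINS:
                continue
            alerts.append(("unexpected_admin_grant", e["chain"], e["account"]))
            fresh_admins[(e["chain"], e["account"])] = e["ts"]
            grants_by_key[e["tx_from"]].append((e["ts"], e["chain"]))
            # One key granting admin on several chains in a short span suggests key compromise.
            recent = {c for t, c in grants_by_key[e["tx_from"]] if e["ts"] - t <= WINDOW_SECONDS}
            if len(recent) >= 2:
                alerts.append(("multi_chain_grants_same_key", e["tx_from"], tuple(sorted(recent))))
        elif e["event"] == "Upgraded":
            if e["implementation"] not in APPROVED_IMPLS:
                alerts.append(("unapproved_upgrade", e["chain"], e["proxy"]))
            granted = fresh_admins.get((e["chain"], e["tx_from"]))
            if granted is not None and e["ts"] - granted <= WINDOW_SECONDS:
                alerts.append(("upgrade_by_fresh_admin", e["chain"], e["tx_from"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The reviewed upgrade on the third chain raises nothing, so the rule stays quiet for a routine release by an allowlisted admin.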
AI Analysis
The attacker seized the deployer admin EOA and executed ADMIN_ROLE grants, unauthorized UUPS proxy upgrades and a strategyDeposit() call with a fake strategy to trigger drain() calls, resulting in an estimated $4.5M–$5.5M loss across Ethereum, Base and Blast; security firms detected the multi-chain drain and Virtuals froze deposits. These are concrete, on-chain actions and a multi-million-dollar loss, making the news materially negative for the protocol and its positions.