On April 30, Blockaid’s detection systems flagged an attack on Wasabi Protocol. The attacker compromised the protocol deployer’s private key and used it to grant themselves admin rights through a helper contract. After securing those privileges, they upgraded the protocol’s vaults and LongPool via the UUPS framework, replacing the original implementation with a malicious one that drained user funds.
The attack unfolded simultaneously across multiple networks — Ethereum, Base, Berachain, and Blast — which analysts say suggests a premeditated operation rather than a randomly discovered flaw.
The entire operation fit into a single atomic transaction: the attacker deployed a contract and drained assets while paying just $1.42 in gas fees. That transaction included 18 ERC-20 transfers, including $1.9 M in WETH and $171,000 in USDC. Blockaid estimates total losses at around $4.55 M, while PeckShield places the figure above $5 M.
Blockaid warned that all Wasabi and Spicy vault LP tokens should now be treated as compromised. Balances shown in user interfaces may still appear normal, but the real value of those tokens is now zero or close to it — the underlying assets have already been drained or remain at risk for as long as the deployer key stays active. Analysts urged users to immediately revoke all permissions granted to Wasabi contracts.
In the discussion, one participant pointed to a broader systemic issue: a single compromised wallet gave the attacker complete control over the protocol.
“This is risk concentration, not decentralization,” he said.
Read Also: