DeFi derivatives protocol Wasabi Protocol suffered an administrator private key leakage attack on the afternoon of April 30. Based on monitoring by on-chain security firms Blockaid and CertiK Alert, the attacker first granted ADMIN_ROLE to a helper contract under their control via Wasabi’s Deployer EOA. Then, through the UUPS upgradeable proxy mechanism, they upgraded perp vaults and LongPool to malicious implementation versions and directly withdrew the token balances held in the contracts’ custody. CertiK initially estimated the loss at about $2.9 million, with the attack spanning both the Ethereum mainnet and Base. Wasabi’s official account announced at 6:33 p.m. Taiwan time that contract interactions had been suspended.
Attack path: Deployer private key compromised → ADMIN_ROLE granted → UUPS upgrade to malicious contract
At around 4:30 p.m. Taiwan time on 4/30, Blockaid disclosed on X that Wasabi Protocol was experiencing an “ongoing admin-key compromise exploit.” The full attack chain consists of three steps: first, Wasabi’s deployer wallet (Deployer EOA) was hacked, and the attacker obtained the private key of that wallet; next, the attacker used this wallet to execute a grantRole operation, granting ADMIN_ROLE to a helper contract they controlled; finally, the helper contract leveraged the UUPS upgrade mechanism to replace the implementations of two core contracts—perp vaults (perpetual contract vaults) and LongPool (long-side liquidity pool)—with malicious versions, which then directly withdrew the token balances held in contract custody.
UUPS (Universal Upgradeable Proxy Standard) is an upgradeable smart contract pattern promoted by OpenZeppelin. The upgrade logic is placed in the “implementation contract,” not in the proxy layer. The advantages are lower gas costs and a more streamlined contract structure; the cost is that once the “role able to execute upgrades” is compromised, the attacker can replace the entire contract with arbitrary logic without going through governance processes or time locks. This incident is a typical example of a UUPS upgrade path being abused after an administrator private key leak.
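To make the difference concrete, the Solidity below is an added illustration written for this article; it is not Wasabi’s code and not an OpenZeppelin sample. It contrasts a vault whose upgrade role is held by a single deployer EOA (the pattern abused here) with one whose upgrade role and role-admin right are held only by a TimelockController fed by a multisig. Contract names, the UPGRADER_ROLE identifier, the 48-hour delay and the multisig address are assumptions; the imports assume OpenZeppelin Contracts v5.x and its upgradeable package.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Wasabi's code. Assumes OpenZeppelin Contracts v5.x
// (@openzeppelin/contracts and @openzeppelin/contracts-upgradeable).
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {AccessControlUpgradeable} from "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";
import {TimelockController} from "@openzeppelin/contracts/governance/TimelockController.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

/// Weak pattern (hypothetical): the deployer EOA holds DEFAULT_ADMIN_ROLE, so whoever
/// holds that one key can grant UPGRADER_ROLE to any address and then replace the
/// implementation in the same block, with no delay and no second signer.
contract VaultWeak is Initializable, UUPSUpgradeable, AccessControlUpgradeable {
    bytes32 public constant UPGRADER_ROLE = keccak256("UPGRADER_ROLE");

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() { _disableInitializers(); }

    function initialize(address deployer) external initializer {
        __AccessControl_init();
        __UUPSUpgradeable_init();
        _grantRole(DEFAULT_ADMIN_ROLE, deployer); // one EOA key = single point of failure
        _grantRole(UPGRADER_ROLE, deployer);
    }

    // Only the role check stands between a leaked key and an arbitrary implementation.
    function _authorizeUpgrade(address) internal override onlyRole(UPGRADER_ROLE) {}
}

/// Hardened pattern (hypothetical): both UPGRADER_ROLE and the DEFAULT_ADMIN_ROLE that
/// administers it are held by a TimelockController. An upgrade must be scheduled by
/// the timelock's proposer (a multisig) and can only execute after minDelay, which gives
/// monitoring time to see the pending implementation address before it goes live.
contract VaultHardened is Initializable, UUPSUpgradeable, AccessControlUpgradeable {
    bytes32 public constant UPGRADER_ROLE = keccak256("UPGRADER_ROLE");

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() { _disableInitializers(); }

    function initialize(address timelock) external initializer {
        __AccessControl_init();
        __UUPSUpgradeable_init();
        _grantRole(DEFAULT_ADMIN_ROLE, timelock); // role administration also behind the delay
        _grantRole(UPGRADER_ROLE, timelock);
        // Deliberately no role is left with msg.sender (the deploying EOA).
    }

    // msg.sender is the timelock when it executes a scheduled upgradeToAndCall.
    // UUPSUpgradeable itself additionally verifies the new implementation's ERC-1822
    // proxiableUUID before switching, so an EOA address cannot be installed.
    function _authorizeUpgrade(address) internal override onlyRole(UPGRADER_ROLE) {}
}

/// Deployment helper (hypothetical) wiring the hardened vault behind a timelock.
contract DeployHardened {
    function deploy(address multisig) external returns (address proxy, address timelock) {
        address[] memory proposers = new address[](1);
        proposers[0] = multisig;              // only the multisig may schedule/cancel
        address[] memory executors = new address[](1);
        executors[0] = address(0);            // address(0) = anyone may execute once the delay passed
        // admin = address(0): the timelock administers itself; no separate admin key exists.
        TimelockController tl = new TimelockController(48 hours, proposers, executors, address(0));

        VaultHardened impl = new VaultHardened();
        bytes memory init = abi.encodeCall(VaultHardened.initialize, (address(tl)));
        proxy = address(new ERC1967Proxy(address(impl), init));
        timelock = address(tl);
    }
}
```

The design point is that the role able to upgrade is never an externally owned account. With the weak layout, a leaked deployer key is sufficient to grant a role and swap the implementation in one transaction; with the hardened layout, a leaked signer key on the multisig is not enough on its own, and even a fully compromised proposer still has to publish the new implementation address 48 hours before it can take effect, which is the window in which a `CallScheduled` event on the timelock can be flagged.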
CertiK estimates a $2.9 million loss, affecting both Ethereum and Base
CertiK Alert confirmed the incident at 4:30 p.m. on 4/30: “The attacker received a privileged Role granted by the Wasabi deployer wallet, showing that the wallet was compromised.” CertiK cited on-chain data to estimate losses of about $2.9 million. The attack occurred on both the Ethereum mainnet and Base. The affected core contracts were perp vaults and LongPool—perp vaults handle collateral custody for perpetual contract positions, while LongPool supports the long-side liquidity pool.
The scale of the incident is much smaller than the $285 million hack of Drift Protocol on Solana in early April, but the attack type is essentially similar—again, administrator private key leakage combined with abuse of high-privilege roles. For the DeFi ecosystem, the repeated occurrence of these “private key”-type attacks implies that correct smart contract code alone is no protection when privileged accounts, whose safekeeping lies outside the code, can override the code’s own mechanisms.
Wasabi pauses contract interactions; Virtuals Protocol freezes margin deposits
On 4/30 at 6:33 p.m., Wasabi Protocol’s official X account posted: “We have noticed the issue and are actively investigating. As a precaution, please do not interact with Wasabi contracts until further notice.” The official announcement did not directly confirm the attack details described by Blockaid and CertiK, and only stated that more information would be provided later.
Among the downstream affected projects, the most notable is Virtuals Protocol—an AI agent protocol ecosystem that has been popular over the past year. Some of its product features rely on the margin deposit services provided by Wasabi. Virtuals stated on X at 5:07 p.m. on 4/30 that its own security is intact and that it had immediately frozen the margin deposit functionality supported by Wasabi. Its other functions—trading, withdrawals, and agent operations—continue to work normally, and it reminded users not to sign any Wasabi-related transactions until the incident is resolved.
For DeFi investors, the lesson from this type of event is consistent: when protocols are composed with each other and leverage or derivatives features are provided through upstream services, the private key security of the upstream infrastructure becomes a risk shared by every downstream user, even if the protocol you interact with directly is itself secure.
This article “Wasabi hacked for $2.9 million: administrator private key leak, contracts changed to malicious implementations” first appeared on ChainNews ABMedia.