
Wasabi Protocol, a multichain decentralized perpetual futures trading platform, was hit by an exploit that led to the loss of more than $5 million across several chains.
According to blockchain security company PeckShield, the exploit was carried out across multiple chains, including Base, Berachain, Blast, and Ethereum, the protocol's main deployment chain.
The incident was also flagged by blockchain security firms CertiK and Blockaid, with both firms attributing the cause of the hack to a compromise of the Wasabi deployer wallet, which allowed the attacker to gain privileged admin access and subsequently drain funds from the protocol.
“The Wasabi deployer externally owned account was used to grant admin role access to an attacker-controlled helper contract, which then upgraded the perpetual vaults and LongPool to a malicious implementation that drained balances,” Blockaid wrote in a post on X.
“All Wasabi and Spicy liquidity provider share tokens minted by these vaults should be treated as compromised. The underlying assets backing them have been drained or are at risk while the Wasabi deployer key remains active. End users holding these tokens are showing book value, but the redemption value is zero,” the firm added, while recommending the immediate flagging and revocation of these tokens.
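The sequence Blockaid describes (an admin role granted to a new account, followed by proxy upgrades made by that account) is something a monitoring pipeline can alert on. The sketch below is an added example, not code from Wasabi or any of the firms quoted. It assumes OpenZeppelin-style `RoleGranted` and ERC-1967 `Upgraded` events that have already been decoded, with a `caller` field added from the transaction trace. Every address label and record in it is constructed.

```python
# Constructed, already-decoded event records; not real chain data.
# Assumptions: RoleGranted (OpenZeppelin-style AccessControl) and Upgraded
# (ERC-1967 proxy) events, with "caller" enriched from the transaction trace.
SAMPLE_EVENTS = [
    {"block": 100, "event": "RoleGranted", "emitter": "role_manager",
     "account": "multisig", "sender": "deployer_eoa"},
    {"block": 250, "event": "Upgraded", "emitter": "vault_usdc",
     "implementation": "impl_v2", "caller": "multisig"},
    {"block": 900, "event": "RoleGranted", "emitter": "role_manager",
     "account": "helper_contract", "sender": "deployer_eoa"},
    {"block": 901, "event": "Upgraded", "emitter": "vault_weth",
     "implementation": "impl_unknown", "caller": "helper_contract"},
    {"block": 901, "event": "Upgraded", "emitter": "long_pool",
     "implementation": "impl_unknown", "caller": "helper_contract"},
]

def find_suspicious_upgrades(events, trusted_admins, reviewed_impls, window=50):
    """Flag proxy upgrades made by an account that received an admin role
    within `window` blocks, or that point at an unreviewed implementation."""
    recent_grants = {}  # grantee -> (block, granter) of latest untrusted grant
    alerts = []
    for ev in sorted(events, key=lambda e: e["block"]):
        if ev["event"] == "RoleGranted" and ev["account"] not in trusted_admins:
            recent_grants[ev["account"]] = (ev["block"], ev["sender"])
        elif ev["event"] == "Upgraded":
            reasons = []
            grant = recent_grants.get(ev["caller"])
            if grant and ev["block"] - grant[0] <= window:
                reasons.append(f"caller granted role {ev['block'] - grant[0]} "
                               f"blocks earlier by {grant[1]}")
            if ev["implementation"] not in reviewed_impls:
                reasons.append("implementation not in reviewed set")
            if reasons:
                alerts.append({"proxy": ev["emitter"], "caller": ev["caller"],
                               "implementation": ev["implementation"],
                               "reasons": reasons})
    return alerts

def summarize(alerts):
    """Group alerts by caller; one fresh admin upgrading many proxies is the
    pattern worth paging on."""
    by_caller = {}
    for a in alerts:
        by_caller.setdefault(a["caller"], []).append(a["proxy"])
    return by_caller

if __name__ == "__main__":
    alerts = find_suspicious_upgrades(SAMPLE_EVENTS, {"multisig"}, {"impl_v2"})
    for caller, proxies in summarize(alerts).items():
        print(f"ALERT {caller} upgraded {len(proxies)} proxies: {proxies}")
```

In practice the trusted-admin and reviewed-implementation sets would come from the protocol's own deployment records, and the alert would feed a pause or guardian action rather than a print statement.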
Blockchain security firm Cyvers also provided further details on how the incident occurred. According to Cyvers, a crypto wallet funded through Tornado Cash was used to deploy a malicious contract on Wasabi Protocol across the Base and Ethereum chains.
As a result of this malicious contract deployment, about $4.5 million in various crypto assets, including WETH, USDC, BTC, VIRTUAL, and cbBTC, as well as memecoins such as PEPE, MOG, and REKT, were stolen. The funds were later consolidated into Ether and distributed across multiple wallet addresses outside the protocol.
Following the disclosure of the exploit by security teams, the Wasabi team, in a post on X, stated that they were aware of the breach and were actively investigating the incident alongside security experts, notably Security Alliance and Blockaid.
The team also warned against interacting with a list of compromised vaults and EVM positions across Base, Blast, and Berachain, while stating that users whose vaults were not among the compromised list could proceed with withdrawals at any time.
The Wasabi exploit closed out April, a month that recorded some of the largest crypto exploits, including those involving Drift Protocol and KelpDAO, which led to losses of $285 million and $293 million, respectively.