Wasabi Protocol $5 Million Exploit Accelerates AI-Driven DeFi Hacker Theory

  • Wasabi Protocol drained for $5M+ in an admin-key compromise across four chains.
  • Attacker seized ADMIN_ROLE through the deployer key, upgrading vaults to drain user funds.
  • The breach revives speculation that AI tools are accelerating DeFi exploits in 2026.

Wasabi Protocol suffered an admin-key compromise that drained over $5 million from its perpetuals vaults and LongPool across Ethereum, Base, Berachain, and Blast, on-chain security firms Blockaid and PeckShield reported.

The attacker gained ADMIN_ROLE through the protocol’s deployer wallet, then upgraded the vaults to a malicious implementation that siphoned user balances. About $4.55 million had been extracted at last count, and the investigation remains active.

Single-Key Failure Behind the Breach

Blockaid traced the root cause to wasabideployer.eth, the only address holding ADMIN_ROLE in Wasabi’s PerpManager AccessManager.

Using the deployer EOA, the attacker called grantRole with zero delay, instantly turning their orchestrator contract into an admin.

“We’re aware of an issue and are actively investigating. As a precaution, please do not interact with Wasabi contracts until further notice,” Wasabi Protocol urged users.

From there, the attacker UUPS-upgraded perpetual vaults and the LongPool to a malicious implementation that drained balances.

The deployer key remains live. Wasabi and Spicy LP-share tokens from affected vaults are flagged as compromised, with redemption value approaching zero.

Blockaid noted the same attacker, orchestrator, and strategy bytecode tie this incident to earlier activity targeting Wasabi.

The pattern echoes prior admin-key incidents and reflects single-EOA admin setups without timelocks or multisigs. PeckShield put the total losses past the $5 million mark across all four affected chains.
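
The sequence described above (an admin role granted with zero delay, then proxy upgrades) can be watched for in decoded event logs. The following is an added example, not code from Wasabi, Blockaid, or PeckShield. It assumes the contracts emit OpenZeppelin AccessManager's RoleGranted event and the ERC-1967 Upgraded event; all addresses, the allowlists, and the 50-block window are constructed placeholders.

```python
# Added example: detection over decoded event logs. Assumes OpenZeppelin
# AccessManager (RoleGranted) and ERC-1967 (Upgraded) event shapes.
ADMIN_ROLE = 0  # AccessManager.ADMIN_ROLE is role id 0 (type(uint64).min)

# Constructed sample logs; every address here is a placeholder.
SAMPLE_LOGS = [
    {"block": 90, "event": "Upgraded", "emitter": "0xVaultA",
     "args": {"implementation": "0xAuditedImpl"}},
    {"block": 95, "event": "RoleGranted", "emitter": "0xManager",
     "args": {"roleId": 7, "account": "0xKeeper", "delay": 86400}},
    {"block": 100, "event": "RoleGranted", "emitter": "0xManager",
     "args": {"roleId": 0, "account": "0xOrchestrator", "delay": 0}},
    {"block": 100, "event": "Upgraded", "emitter": "0xVaultA",
     "args": {"implementation": "0xUnknownImpl"}},
    {"block": 101, "event": "Upgraded", "emitter": "0xLongPool",
     "args": {"implementation": "0xUnknownImpl"}},
]

def detect(logs, known_admins, approved_impls, window=50):
    """Return (severity, rule, block, subject) alerts for admin-takeover signs."""
    alerts, last_grant = [], None
    for log in sorted(logs, key=lambda entry: entry["block"]):
        args = log["args"]
        if log["event"] == "RoleGranted" and args["roleId"] == ADMIN_ROLE:
            if args["account"] in known_admins:
                continue
            # A zero execution delay means the new admin can act immediately.
            sev = "critical" if args["delay"] == 0 else "high"
            alerts.append((sev, "unexpected-admin-grant", log["block"], args["account"]))
            last_grant = log["block"]
        elif log["event"] == "Upgraded" and args["implementation"] not in approved_impls:
            # An unapproved upgrade right after a new admin grant is the drain pattern.
            chained = last_grant is not None and log["block"] - last_grant <= window
            sev = "critical" if chained else "high"
            alerts.append((sev, "unapproved-upgrade", log["block"], log["emitter"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS, {"0xDeployer"}, {"0xAuditedImpl"}):
        print(alert)
```
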

AI-Hacker Theory Gains Fresh Oxygen

Meanwhile, the incident comes only hours after three other attacks between Tuesday and Wednesday. BeInCrypto reported the Tuesday cascade, comprising:

  • Sweat Economy’s $3.46 million drain, which turned out to be a foundation rescue, not a hack.
  • Syndicate Commons bridge on Base lost 18.5 million SYND tokens worth $330,000 to $400,000. The proceeds were bridged to Ethereum.
  • Aftermath Finance paused its perpetuals protocol after losing roughly $1.14 million USDC.

Against this backdrop, analysts are raising concerns about AI, citing the asymmetric dynamic between attacker tooling and protocol defenses.

Along the same lines, developer Vitto Rivabella floated a theory that North Korea trained an in-house AI on years of stolen DeFi data.

He suggested the model now operates as an autonomous exploiter, draining protocols faster than human reviewers can patch them.

“Wild conspiracy theory about the recent DeFi hacks: North Korea has trained its own, state funded, version of Mythos using the insane amounts of data obtained by hacking DeFi protocols over the last 10 years. Now they’re just letting their AI DeFi hacker run free and won’t stop cashing in until someone stops them,” wrote Rivabella.

Whether AI is steering the recent string of exploits or not, single-key admin roles keep giving attackers an obvious opening.

