Wasabi Protocol Loses $5.5M in Multi-Chain Hack

Wasabi Protocol lost about $5.5M after attackers used a compromised key to drain upgradeable vaults on Ethereum, Base, Berachain and Blast; Virtuals reports no losses.

Wasabi Protocol lost an estimated $5.5 million in a multi-chain hack discovered in April. The exploit drained upgradeable vaults on Ethereum, Base, Berachain and Blast. Virtuals Protocol, which frequently launches tokens through Wasabi, reported no losses and halted all interactions with Wasabi vault contracts.

On-chain investigators placed the estimated losses at up to $5.5 million. Wasabi is a decentralized finance application for trading and lending that supports long-tail assets such as NFTs and meme tokens. The protocol held about $8.52 million in total value locked immediately before the theft. Project developers urged users to stop interacting with Wasabi smart contracts while researchers traced the flow of funds. A security firm reported the exploit affected contracts across Ethereum, Base, Berachain and Blast.

Security researchers and firms identified private key theft as the most likely cause. A single wallet controlled several administrative functions and could upgrade permissionless vaults without multisig approval, a timelock or governance voting. One security firm reported an attacker gained access to that private key, elevated privileges to admin status on multiple vaults and withdrew liquid tokens.

Investigators did not find evidence that the smart contracts themselves were directly exploited. Control appears to have been obtained through the compromised key, which researchers indicated could have been taken via malware or a physical leak. On-chain analyst ZachXBT pointed to centralization of control as a factor in the breach.

The attacker emptied vaults across multiple chains. On Ethereum the withdrawn assets included USDC, WETH, REKT and PEPE. Base vaults lost WETH, USDC and cbBTC. On Blast the attacker took WETH and USDB, and on Berachain the emptied vaults held Wrapped BERA and HONEY. Other affected tokens included MOG, NEIRO and ZYN. Investigators estimated roughly $1.9 million of the losses were in WETH.

Stolen funds were bridged to Ethereum and consolidated, and some proceeds were sent to mixers, including Tornado Cash, as part of laundering activity. The exploit left liquidity providers with tokens that appear in wallets but cannot be redeemed. Tokens minted from the compromised vaults now carry little to no recoverable value despite on-chain balances showing book value.

Security researchers advised users to revoke active approvals and to flag compromised tokens when possible. DeFi analyst DefiIgnas identified a pattern of attacks on older or less prominent protocols, suggesting attackers target vaults holding more than $100,000 and may use automated methods including AI to select targets. Wasabi’s native decentralized exchange showed higher trading volumes in March, though researchers did not link the increased DEX activity to the exploit.
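For readers acting on the advice to revoke approvals, the following is an added example, not code from Wasabi or from the researchers quoted here. It replays ERC-20 `Approval` logs in the shape returned by `eth_getLogs` and lists the allowances a wallet still grants to flagged spender contracts; every address and log entry in it is a constructed placeholder, and the function names are hypothetical.

```python
# Added example (not from the article): list ERC-20 allowances a wallet still
# grants to flagged spender contracts, from eth_getLogs-style Approval logs.
# All addresses and logs below are constructed placeholders.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

def topic_to_address(topic):
    # Indexed addresses are left-padded to 32 bytes; the last 20 bytes are the address.
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner, flagged_spenders):
    """Return {(token, spender): amount} for non-zero approvals to flagged spenders."""
    owner = owner.lower()
    flagged = {s.lower() for s in flagged_spenders}
    latest = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):  # later approvals override earlier ones
        topics = log["topics"]
        # ERC-721 Approval has the same topic0 but a 4th topic (tokenId): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        spender = topic_to_address(topics[2])
        if topic_to_address(topics[1]) != owner or spender not in flagged:
            continue
        latest[(log["address"].lower(), spender)] = int(log["data"], 16)
    # Approval events give the last approved amount; spending may have reduced it,
    # so confirm with the token's allowance(owner, spender) before acting.
    return {pair: amt for pair, amt in latest.items() if amt > 0}

def make_log(token, owner, spender, amount, block, extra_topics=()):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "blockNumber": hex(block), "logIndex": "0x0",
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender), *extra_topics],
            "data": "0x" + format(amount, "064x")}

OWNER, OTHER = "0x" + "aa" * 20, "0x" + "dd" * 20
VAULT, ROUTER = "0x" + "bb" * 20, "0x" + "cc" * 20   # VAULT is the flagged spender
TOKEN_A, TOKEN_B, NFT = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
SAMPLE_LOGS = [
    make_log(TOKEN_B, OWNER, VAULT, 0, 18),            # revoke, listed out of order
    make_log(TOKEN_A, OWNER, VAULT, 2**256 - 1, 16),   # unlimited approval, still live
    make_log(TOKEN_B, OWNER, VAULT, 1000, 17),         # later revoked at block 18
    make_log(TOKEN_A, OWNER, ROUTER, 500, 19),         # spender not flagged
    make_log(NFT, OWNER, VAULT, 0, 20, ("0x" + "0" * 63 + "7",)),  # ERC-721 form
    make_log(TOKEN_A, OTHER, VAULT, 42, 21),           # different owner
]

if __name__ == "__main__":
    for (token, spender), amt in outstanding_approvals(SAMPLE_LOGS, OWNER, [VAULT]).items():
        print(f"revoke: token={token} spender={spender} approved={amt}")
```

Each pair the function returns is a candidate for an `approve(spender, 0)` transaction on that token.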

Wasabi and on-chain investigators continue to trace the stolen funds and monitor on-chain movements. Users are being urged to take immediate security steps while the probe remains active.
