DeFi derivatives platform Wasabi Protocol has been exploited for over $5 million, according to multiple blockchain security firms. The attack was carried out across multiple chains, including Ethereum, Base, Berachain, and Blast.
PeckShield said on X that the attack was carried out across multiple chains. Blockaid and CertiK reported that a compromised admin key allowed the attacker to gain privileged access via the Wasabi deployer wallet, upgrade core systems, and drain funds.
"All Wasabi/Spicy LP-share tokens minted by these vaults should be treated as COMPROMISED — the underlying assets backing them have been drained or are at risk while the Wasabi deployer key remains live," Blockaid said.
BlockSec added that preliminary traces suggest Tornado Cash-funded accounts were granted the admin-related roles and involved in activity across Wasabi Protocol's LongPool, ShortPool, and Vault contracts. Cyvers noted that the attacker extracted multiple assets, including WETH, PEPE, MOG, USDC, ZYN, REKT, cbBTC, AERO, and VIRTUAL. "The stolen funds were consolidated into ETH, bridged to the Ethereum network, and subsequently distributed across multiple addresses," it added.
In response to the incident, Virtuals Protocol said its security remains fully intact, but that it had frozen margin deposits powered by Wasabi Protocol as a precaution. "We're aware of an issue and are actively investigating," The Wasabi Protocol team later said on X. "As a precaution, please do not interact with Wasabi contracts until further notice. We'll share an update as soon as we have more information."
The exploit rounds off one of the worst months for DeFi exploits, seemingly driven by advancements in artificial intelligence, with more than 25 protocols hacked for more than $600 million, led by the $292 million exploit of Kelp DAO.
