WHO VETS THE VETTERS?

Tuesday, April 14, 2026

Three minutes, over a dozen vaults, four chains, $5.9 million gone.

In the early hours of April 30, an attacker who had already done the hard work, obtaining the private key to Wasabi Protocol's sole admin wallet, pressed go.

What followed wasn't a hack in any technical sense. No vulnerability was found and no code was broken.

The attacker simply used the key the way it was designed to be used, and Wasabi's entire vault architecture obeyed.

The deployer EOA, wasabideployer.eth, held unchecked ADMIN_ROLE across every upgradeable vault Wasabi had ever deployed.

No multisig shared that authority. No timelock slowed it down. No governance body had a vote. One wallet. One key. Total control.

CertiK followed within minutes.

The community watched on-chain as 840.9 WETH - roughly $1.9 million - left the vault in a single transaction, with seven other vaults emptied in the same block.

On Ethereum, Base, Berachain, and Blast, the same orchestrator ran the same playbook simultaneously.

Wasabi's first public statement came hours after the drain began: Aware of an issue, investigating, don't touch the contracts.

ZachXBT and Cos had already framed the real story - this wasn't about a stolen key, it was about building a protocol where stealing one key was enough.

April 2026 has been the worst month for DeFi since records started mattering.

Wasabi adds to a month that has already produced over $635M in DeFi losses, and the pattern underneath every single one of them is not getting more complicated; it's getting more obvious.

How does an industry that has watched this exact attack execute over and over still ship protocols where a single private key is the last line of defense?


We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous. 
We are all rekt.
