Wasabi Protocol has been exploited for over $5M

Wasabi Protocol is the latest victim of a hacking exploit, in a wave of accelerated exploits in April. On-chain investigators estimated up to $5.5M in losses as of reporting time. 

Wasabi Protocol is a DeFi platform for trading and lending, but with a dedicated venue for long-tail assets, including NFT and meme tokens. The protocol runs on multiple chains, leading to its exposure to the current hack. 

Wasabi Protocol did not explain the nature of the hack in the initial moments after the losses were discovered. The project called for users to stop using any Wasabi smart contracts.

Just ahead of the hack, Wasabi Protocol held $8.52M in total value locked. Even this relatively low value did not prevent the app from being targeted by hackers. The attack follows the recent exploit of Aftermath Finance in a series of losses that have not spared minor DeFi protocols. 

PeckShield reported that Wasabi Protocol had been exploited on multiple chains, including Ethereum, Base, Berachain, and Blast. 

According to DeFi analyst @DefiIgnas, the recent hacks share a common pattern, targeting older or more obscure protocols. He stated the targets were probably selected using AI, and any vault with over $100K was a target. 

Wasabi Protocol attacked after expanding DEX activity

The recent attack arrived just as Wasabi Protocol increased its DEX trading activity. The project’s native DEX started with higher trading volumes in March, based on DeFi Llama data.

However, the recent exploit was not directly related to the increased DEX trading. On-chain researcher ZachXBT noted that the protocol was not sufficiently decentralized, and a single wallet controlled multiple critical functions.  

According to on-chain researchers, the most probable cause of the losses is a leaked private key. The compromised wallet apparently controlled upgradeable, permissionless vaults. Those vaults offer immediate yield with no multisig approval, timelock, or voting process.

According to Blockaid, the attacker gained access to a private key, upgraded to admin access for several vaults, and drained all liquid tokens. The attacker then drained vaults on Ethereum and Base, as well as LongPool liquidity.

According to researchers, the smart contracts of Wasabi Protocol were not the issue, but the attack was performed through private key theft, either physically or through malware. 

All Wasabi LP-share tokens are compromised

The losses of Wasabi come from the drained vaults, which have left liquidity providers with compromised value. All tokens minted from the compromised vaults have practically zero value. For end users, wallets may still display book value, but they cannot be redeemed. 

Users with active approvals to receive tokens must revoke them, and other customers must flag the tokens as compromised where possible. 

The attacker managed to drain multiple vaults, containing USDC, WETH, REKT, and PEPE on Ethereum.

On Base, the exploit affected WETH, USDC, and cbBTC. From the Blast vaults, the attacker took WETH and USDB. On Berachain, the vaults were drained for Wrapped BERA (WBERA) and HONEY.

MOG, NEIRO and ZYN were also affected, but $1.9M of the losses were in WETH tokens.

The funds were then bridged to Ethereum, consolidated, and some were sent for mixing on Tornado Cash.

Virtuals Protocol, which often launches new AI agent tokens through Wasabi, announced it suffered no losses but preemptively stopped all interactions with vault smart contracts.