Wasabi Protocol Loses $5M+ in Admin Key Exploit Across Four Chains
Decentralized leverage protocol Wasabi Protocol was drained of more than $5 million on April 30, 2026, after an attacker compromised an admin wallet and used it to replace the protocol's core smart contracts with malicious code across Ethereum, Base, Berachain, and Blast.
Security firms Blockaid and CertiK confirmed the incident. CertiK placed its confirmed theft figure at approximately $2.9 million, though investigators noted that number reflects only a portion of the identified attacker addresses. On-chain data traced roughly $677,000 to one attacker wallet (0xb8Bb...70dB) and approximately $1.1 million to a second (0x6244...f906). Those two wallets together account for approximately $1.78 million; additional attacker addresses beyond these two account for the remaining portion of CertiK's $2.9 million figure and contribute to the broader $5 million or more total reported by The Block and Coinpedia. The total loss figure is expected to be revised as the investigation continues.
How the Attack Worked
The attacker first obtained control of a wallet holding administrative privileges over Wasabi's contracts. Using that access, they granted an ADMIN_ROLE to a malicious helper contract. That contract then executed a UUPS upgrade, a technical mechanism that allows smart contract code to be replaced without changing the contract's address. By swapping in fraudulent code, the attacker redirected assets out of Wasabi's perpetual trading vaults and LongPool contracts across all four supported chains simultaneously.
UUPS (Universal Upgradeable Proxy Standard) is a common design pattern in DeFi that lets development teams push updates after launch. It also creates a single point of failure: whoever controls the admin key controls the entire protocol. Security researcher @Exploitless has described this risk plainly: "an attacker who hijacks the implementation can trigger a self-destruct or redirect the proxy to a malicious address, effectively nuking the entire protocol." CertiK has previously echoed that concern: "A compromise of the admin key could be catastrophic, so teams should use a multi-signature wallet for the admin and enforce a timelock on upgrades." Security researchers have not identified evidence of multi-signature controls or upgrade timelocks on the Wasabi deployer wallet.
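The sequence described above, a role grant to a new contract followed by an implementation upgrade, can be flagged from decoded event logs. This is an added example, not code from Wasabi, Blockaid or CertiK. It assumes the contracts emit OpenZeppelin-style RoleGranted and ERC-1967 Upgraded events, and every address, allowlist and threshold in it is a constructed placeholder.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    block: int
    contract: str  # proxy address that emitted the event
    name: str      # "RoleGranted" or "Upgraded"
    args: dict

# Constructed policy values; every address here is a placeholder.
APPROVED_ADMINS = {"0xMULTISIG"}   # accounts allowed to hold admin roles
APPROVED_IMPLS = {"0xIMPL_V2"}     # implementations that passed review
MIN_DELAY_BLOCKS = 7200            # assumed minimum gap between grant and upgrade

# Constructed sample log: one reviewed upgrade, then a grant and upgrade in one block.
SAMPLE = [
    Event(90, "0xPOOL", "Upgraded", {"implementation": "0xIMPL_V2"}),
    Event(100, "0xVAULT", "RoleGranted",
          {"role": "ADMIN_ROLE", "account": "0xHELPER", "sender": "0xADMIN_EOA"}),
    Event(100, "0xVAULT", "Upgraded", {"implementation": "0xUNKNOWN_IMPL"}),
]

def find_alerts(events):
    """Return (block, contract, reason) tuples for suspicious admin activity."""
    alerts = []
    unapproved_grant = {}  # contract -> (block, account) of latest unapproved grant
    # sorted() is stable, so events within one block keep their log order.
    for ev in sorted(events, key=lambda e: e.block):
        if ev.name == "RoleGranted":
            account = ev.args["account"]
            if account not in APPROVED_ADMINS:
                unapproved_grant[ev.contract] = (ev.block, account)
                alerts.append((ev.block, ev.contract,
                               f"role granted to unapproved account {account}"))
        elif ev.name == "Upgraded":
            impl = ev.args["implementation"]
            if impl not in APPROVED_IMPLS:
                alerts.append((ev.block, ev.contract,
                               f"upgrade to unapproved implementation {impl}"))
            grant = unapproved_grant.get(ev.contract)
            if grant and ev.block - grant[0] < MIN_DELAY_BLOCKS:
                alerts.append((ev.block, ev.contract,
                               f"upgrade {ev.block - grant[0]} blocks after grant to {grant[1]}"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE):
        print(alert)
```

The reviewed upgrade on the first contract raises nothing; the grant and upgrade on the second raise three alerts, which is the case a multi-signature admin and an upgrade timelock are meant to make impossible.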
Wasabi Protocol issued an advisory urging users not to interact with its smart contracts while the investigation remained active. The team promised further updates as more information became available.
A Protocol With No Audit on Record
In June 2024, the protocol raised a $3 million seed round led by Electric Capital. Wasabi positioned itself as the first protocol to offer fully asset-backed on-chain perpetuals, enabling leveraged trading on memecoins and NFTs without traditional counterparty risk. The round also included participation from Alliance, CoinGecko Ventures, Memeland, Spencer Ventures, Canonical Crypto, and Sharding Capital, among others, as well as angel investors such as Pudgy Penguins CEO Luca Netz and Magic Eden co-founder Zhouxun Yin.
Before the exploit, the protocol reported more than 18,000 traders, $500 million in trading volume, and a peak total value locked above $111 million.
Despite that scale, CertiK's Skynet platform lists Wasabi Protocol as not audited by CertiK, with no third-party audit on record and no active on-chain monitoring enabled. The protocol's CertiK security score stood at 76.21, a BBB rating. Whether that absence of a formal audit was disclosed to retail depositors remains unclear.
This is not Wasabi's first security incident. In a prior event involving rsETH exposure across Aave, Kelp DAO, and LayerZero, the protocol stated that losses were absorbed by its insurance fund and that depositors carried zero loss. That prior rsETH incident involved Kelp DAO, the same protocol that suffered the largest single DeFi exploit of April 2026, a $292 million hack on April 19. Wasabi's earlier exposure to Kelp DAO adds a notable dimension to its security history, as a protocol it was entangled with subsequently suffered a catastrophic breach of its own. The current Wasabi breach appears to have exceeded whatever capacity its insurance mechanism provided.
Regional Impact: South Asia and Africa Absorb the Damage
Wasabi's product, leveraged trading on long-tail assets and memecoins, fits the trading profile of retail users across South Asia and Africa, regions where crypto adoption has grown rapidly in recent years. The scale of retail exposure to on-chain leveraged products is not trivial: the DEX-to-CEX perpetuals volume ratio tripled from 6.3% to 18.7% in 2025, according to the DL News State of DeFi 2025 report, underscoring how quickly users in high-growth markets have moved into products like Wasabi's.
India reports a 13.5% NFT ownership rate, among the highest in the world, and seven of the top ten countries by crypto adoption are in Asia, according to CoinLaw's 2026 data. In markets like Nigeria and Kenya, protocols offering amplified returns on volatile assets attract users seeking to offset local currency depreciation. In South Africa, new wallet signup growth has slowed to 2.1% in 2026, according to CoinLaw, a deceleration that researchers link in part to trust erosion from incidents like this one.
For those users, an exploit like this carries consequences that go beyond the immediate loss. Legal recourse is limited. Consumer protection frameworks that might apply to regulated financial products do not reach DeFi protocols. Funds deposited into a compromised upgradeable contract are, in most cases, permanently gone.
The Broader Context: April 2026 Has Been Brutal for DeFi
The Wasabi exploit lands at the end of what CryptoTimes and other analysts have labelled "Black April" in DeFi. More than $606 million was stolen across the sector in roughly 18 days this month, contributing to a total 2026 DeFi loss figure that surpassed $770 million before April closed. To appreciate the acceleration, consider that losses across all of Q1 2026 reached approximately $169 million across 34 protocols, according to DefiLlama and the Bitcoin Foundation. April's toll is nearly four times that figure in a fraction of the time. The largest single incident this month was the $292 million exploit of Kelp DAO on April 19. TVL across DeFi fell by an estimated $6 billion to $13 billion during the month as users withdrew funds.
Admin key and private key compromises have been among the most common attack vectors in 2026, appearing in incidents involving Step Finance, Resolv Labs, and Drift Protocol, which lost $285 million in an attack attributed to North Korea's Lazarus Group. The Wasabi exploit follows the same pattern and underlines an industry-wide failure to treat key management as infrastructure-level security rather than an afterthought. Until more protocols adopt multi-signature admin controls and upgrade timelocks as baseline requirements, incidents of this kind will continue to compound.
The investigation into the Wasabi Protocol exploit was ongoing at time of publication. Loss figures may be revised. Verse Press will update this article as confirmed data becomes available.