Wasabi Protocol is the latest victim in what appears to be a record bad month for DeFi hacks.
On-chain perpetual futures protocol Wasabi has been hacked with attackers draining over $5 million across Ethereum, Base, Berachain, and Blast, blockchain security firm PeckShield reported on X from their alerts account earlier today, April 30.
Wasabi acknowledged the incident on X, urging users to avoid using the protocol while investigations are under way:
“We’re aware of an issue and are actively investigating. As a precaution, please do not interact with Wasabi contracts until further notice.”
In a follow-up post, the team confirmed it had engaged professional on-chain security responders, including SEAL 911 and Blockaid.
Peckshield’s main X account added that it appears that Wasabi’s admin key has been compromised.
In response to Wasabi’s X post about the ongoing incident, on-chain investigator ZachXBT called out the protocol for reportedly using a single external owned account (EOA), referring to a user-controlled wallet managed by a private key, instead of more secure setups, like a multisig: “Why did a single EOA seemingly have so much control without basic safeguards?
DeFi’s Worst Month Yet?
The hack caps off a brutal month for DeFi, marked by two major exploits and over twenty smaller incidents. The former head of DeFi at Monad wrote on X today that April 2026 has turned out to be DeFi’s worst month in terms of losses from hacks and exploits:
“April 2026 was the worst month ever in terms of DeFi exploits — ~$635M lost in total, 28 incidents in 30 days.”
The month’s two largest incidents in terms of dollar losses were the Drift and Kelp DAO hacks. On April 1, Solana-based perpetuals exchange Drift Protocol suffered roughly $270 million in outflows, spanning more than 15 distinct token types, in what The Defiant reported as a North Korean state-linked operation six months in the making.
Then, on April 18, an attacker, also suspected of being North Korean state-backed, exploited a LayerZero bridge on Kelp, forging a cross-chain message that tricked the protocol into minting 116,500 rsETH with nothing locked on the source side. The attacker then deposited the unbacked rsETH into Aave as collateral and borrowed approximately $236 million in real WETH, as The Defiant reported.
The response to the Kelp incident has included an unprecedented collective effort among DeFi protocols and individuals, dubbed DeFi United, which has raised over $300 million to restore the backing of Kelp’s rsETH.
This article was written with the assistance of AI workflows. All our stories are curated, edited and fact-checked by a human.
