Flash News

Wasabi Protocol Suffers Approximately $5.5 Million Loss Due to Admin Private Key Leak Attack

Wasabi Protocol (a leveraged trading protocol for memecoins) was allegedly attacked following the leak of an admin private key, with attackers withdrawing a total of approximately $5.5 million in assets across multiple chains, including Ethereum, Base, Blast, and Berachain.

On-chain data shows that the attacker added a malicious address as a contract admin in a single transaction, then used the UUPS upgradeable mechanism to take control of the treasury and LongPool and extract funds.

Wasabi Protocol has confirmed awareness of the issue via social media, is currently investigating, and has advised users to suspend interactions with the contract, with further updates to follow.

Source: Public Information

ABAB AI Insight

Wasabi Protocol was previously supported by institutions such as Electric Capital and focuses on high-yield perp vaults and leveraged products on emerging chains. This leak of a single EOA admin private key continues the pattern of multiple UUPS proxy upgrade attacks from 2025, in which the deployer's failure to adopt multi-signature or timelock designs became the core vulnerability.

In terms of capital flow, the protocol concentrated user deposits in an upgradeable treasury pool controlled by a single EOA holding ADMIN_ROLE, a design motivated by the pursuit of rapid iteration and low governance costs. The attacker first granted a role to a malicious helper contract and then executed strategyDeposit. As TVL expanded, the security boundaries were not upgraded in time, so the private key leak translated directly into cross-chain asset transfers.

As in previous cases where DeFi vaults were emptied due to compromised admin keys, or security incidents involving perp protocols like Radiant Capital, Wasabi is currently in a fragile early stage of transitioning from high-yield expansion to security compliance in the memecoin leveraged sector, which highlights insufficient trust assumptions in emerging chain infrastructure.

Essentially, this represents a capital concentration risk under technical substitution. The project replaced complex governance structures with a single EOA to pursue deployment efficiency, prioritizing product functionality over permission decentralization during the period of rapid TVL growth. The result was a high concentration of permissions in a single private key, whose leakage triggered an instantaneous transfer of asset pricing power and liquidity across the entire protocol.
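The sequence described above (an admin role granted to a new address, followed by strategyDeposit or a proxy upgrade) is something a monitoring job can alert on. The sketch below is an added example, not Wasabi's code: it assumes OpenZeppelin-style `RoleGranted` and ERC-1967 `Upgraded` events already decoded by an indexer, and the `Record` type, the 50-block window, and all addresses are hypothetical.

```python
from dataclasses import dataclass

ADMIN_ROLE = "ADMIN_ROLE"                     # role name from the article
PRIVILEGED = {"Upgraded", "strategyDeposit"}  # ERC-1967 upgrade event; call named in the article
WINDOW_BLOCKS = 50                            # hypothetical correlation window

@dataclass(frozen=True)
class Record:
    chain: str
    block: int
    kind: str          # "RoleGranted", "Upgraded", or a decoded call name
    actor: str         # address that sent the transaction
    subject: str = ""  # grantee (RoleGranted) or new implementation (Upgraded)
    role: str = ""

def detect(records, approved_admins):
    """Flag admin grants to addresses outside the approved set, and escalate
    when such a grantee performs a privileged action within WINDOW_BLOCKS."""
    approved = {a.lower() for a in approved_admins}
    recent = {}  # (chain, grantee) -> block of the unapproved grant
    alerts = []
    for r in sorted(records, key=lambda x: (x.chain, x.block)):
        if r.kind == "RoleGranted" and r.role == ADMIN_ROLE:
            grantee = r.subject.lower()
            if grantee not in approved:
                recent[(r.chain, grantee)] = r.block
                alerts.append(("high", r.chain, r.block, "unapproved admin grant"))
        elif r.kind in PRIVILEGED:
            granted_at = recent.get((r.chain, r.actor.lower()))
            if granted_at is not None and r.block - granted_at <= WINDOW_BLOCKS:
                alerts.append(("critical", r.chain, r.block, f"{r.kind} by new admin"))
    return alerts

# Constructed sample data: addresses and block numbers are placeholders.
MULTISIG = "0x" + "11" * 20   # approved governance address (hypothetical)
ADMIN_EOA = "0x" + "22" * 20  # existing single-key admin (hypothetical)
HELPER = "0x" + "33" * 20     # newly granted helper contract (hypothetical)
SAMPLE = [
    Record("base", 200, "RoleGranted", MULTISIG, MULTISIG, ADMIN_ROLE),
    Record("base", 205, "Upgraded", MULTISIG, "0x" + "44" * 20),
    Record("ethereum", 100, "RoleGranted", ADMIN_EOA, HELPER, ADMIN_ROLE),
    Record("ethereum", 101, "strategyDeposit", HELPER),
    Record("ethereum", 400, "strategyDeposit", ADMIN_EOA),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE, {MULTISIG, ADMIN_EOA}):
        print(alert)
```

The check only correlates privileged actions by the newly granted address; actions sent directly from an already approved key need a separate control, such as the multi-signature or timelock designs mentioned above.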

ABAB News