
Wasabi Protocol Exploit Drains $5.5M Across Four Chains As Compromised Admin Key Exposes Critical Security Flaw


The Wasabi Protocol suffered a massive hack, losing more than $5.5 million across four blockchains: Ethereum, Base, Blast and Berachain.

Investigations to date confirm that the exploit was not due to any weakness in the protocol’s own smart contract code. Rather, the hack stemmed from a compromised deployer wallet, exposing one of DeFi’s most persistent weaknesses: excessive reliance on centralized governance.

Security analysts spotted the incident almost immediately as they noted that the attack moved fast and followed a consistent method across each supported chain. The event has garnered significant interest from crypto community members who view it as a glaring example of how non-code vulnerabilities can wreak havoc.

Attack Executed Through Admin Privilege Abuse

The attack abused the protocol’s administrative controls in a very systematic manner. The attacker first compromised the master role that controlled a whole series of dynamic nodes, which can be created by anyone holding that role.

Using this access, the attacker called grantRole, instantly giving a new, malicious contract admin rights. The critical point is that this bypassed all delay protections: the system allowed role assignments without any timelock.

Having acquired administrative control, the attacker then deployed an orchestrator contract which sequentially called strategy deposit for each of the vaults. Because the contract now held admin-level privileges, the onlyAdmin modifier, which is meant to restrict access, became ineffective.

This allowed the attacker to drain assets directly from the vaults, transferring funds into EOAs across all four chains. The speed and precision of the attack suggest the attacker was already familiar with the system architecture and its weaknesses.
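The two contracts below are an added illustration, not Wasabi’s code, of the access-control shape the article describes. The first shows the weak pattern: a single admin key can grant a role with immediate effect, so a stolen key can hand admin rights to a fresh contract and call every onlyAdmin function in the same block. The second shows a hardened variant in which every grant is scheduled, emits an event ahead of time, can be vetoed by an independent guardian, and only takes effect after a delay, while revocation stays immediate. The role ids, the guardian address, and the delay value are placeholders chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the protocol's own code). Role ids and names are placeholders.

// --- Weak pattern: one admin key, role grants take effect instantly ---
contract InstantRoles {
    uint256 public constant ADMIN = 0;
    mapping(uint256 => mapping(address => bool)) public hasRole;

    event RoleGranted(uint256 indexed role, address indexed account, address indexed by);

    constructor() { hasRole[ADMIN][msg.sender] = true; } // deployer EOA is the sole admin

    modifier onlyAdmin() {
        require(hasRole[ADMIN][msg.sender], "not admin");
        _;
    }

    // If the deployer key is stolen, the thief can grant ADMIN to a freshly deployed
    // contract and have that contract call every onlyAdmin function in the same block.
    function grantRole(uint256 role, address account) external onlyAdmin {
        hasRole[role][account] = true;
        emit RoleGranted(role, account, msg.sender);
    }
}

// --- Hardened pattern: two-step, delayed grants that a guardian can veto ---
contract DelayedRoles {
    uint256 public constant ADMIN = 0;
    uint256 public immutable grantDelay;   // e.g. 48 hours; placeholder value
    address public guardian;               // e.g. a multisig; assumed for this example
    mapping(uint256 => mapping(address => bool)) public hasRole;
    // keccak(role, account) => earliest timestamp at which the grant may execute
    mapping(bytes32 => uint256) public pendingGrantAt;

    event GrantProposed(uint256 indexed role, address indexed account, uint256 executableAt);
    event GrantCancelled(uint256 indexed role, address indexed account);
    event RoleGranted(uint256 indexed role, address indexed account);
    event RoleRevoked(uint256 indexed role, address indexed account);

    constructor(uint256 _grantDelay, address _guardian) {
        grantDelay = _grantDelay;
        guardian = _guardian;
        hasRole[ADMIN][msg.sender] = true;
    }

    modifier onlyAdmin() {
        require(hasRole[ADMIN][msg.sender], "not admin");
        _;
    }

    function _key(uint256 role, address account) internal pure returns (bytes32) {
        return keccak256(abi.encode(role, account));
    }

    // Step 1: the grant is only scheduled. The event fires well before anything takes
    // effect, which is the window that monitoring and the guardian rely on.
    function proposeGrant(uint256 role, address account) external onlyAdmin {
        uint256 executableAt = block.timestamp + grantDelay;
        pendingGrantAt[_key(role, account)] = executableAt;
        emit GrantProposed(role, account, executableAt);
    }

    // Step 2: anyone may execute once the delay has elapsed; nothing happens earlier.
    function executeGrant(uint256 role, address account) external {
        bytes32 k = _key(role, account);
        uint256 executableAt = pendingGrantAt[k];
        require(executableAt != 0 && block.timestamp >= executableAt, "grant not ready");
        delete pendingGrantAt[k];
        hasRole[role][account] = true;
        emit RoleGranted(role, account);
    }

    // Veto path: an independent guardian can kill a suspicious pending grant.
    function cancelGrant(uint256 role, address account) external {
        require(msg.sender == guardian, "not guardian");
        delete pendingGrantAt[_key(role, account)];
        emit GrantCancelled(role, account);
    }

    // Revocation stays immediate: removing a compromised key must not wait for a delay.
    function revokeRole(uint256 role, address account) external {
        require(msg.sender == guardian || hasRole[ADMIN][msg.sender], "not authorized");
        hasRole[role][account] = false;
        emit RoleRevoked(role, account);
    }
}
```

The delay on its own only buys detection and reaction time; it does not remove the risk of a compromised key that already holds ADMIN. In a production deployment the ADMIN role itself should sit behind a multisig or a timelock contract rather than a single EOA, and the guardian should be a separate party so that one stolen key can neither grant nor un-cancel.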

Immediate Recovery Measures Disable Compromised Access

Subsequently, on-chain measures were taken to quickly disable the permissions of the compromised key. All important roles (e.g. ADMIN, as well as role identifiers such as 100, 101, 102 and 103) were removed from the compromised deployer wallet. This eliminated any remaining admin access for the attacker on the protocol and sealed the specific attack vector.

Analysts say the compromised key can no longer be used for any further unauthorized operations, a milestone in containing the incident. However, even though control has been regained, the stolen funds remain in the attacker’s wallets on these chains with no recovery options at this time.

The breach has hit users hard. Liquidity provider (LP) share tokens still sitting in user wallets have been stripped of their value, at least for the time being, because the assets held by the vaults have been drained. Users are now waiting for an announcement of a compensation plan.

The Wasabi Protocol team confirmed the incident and said investigations are underway. Until further notice, users are strongly advised to avoid using any Wasabi contracts to limit additional risk. Security companies such as SEAL 911 and Blockaid are working directly with the protocol team to understand the extent of the damage and outline remediation measures. The community is currently waiting for details of a compensation plan, which will be vital in rebuilding trust and helping users recoup their losses.

Virtuals Protocol Responds by Freezing the Wasabi-Linked Features

The exploit has also affected connected platforms, among them Virtuals Protocol, which uses Wasabi’s infrastructure for certain systems.

Virtuals Protocol quickly responded by freezing margin deposits associated with Wasabi, while ensuring that its core operations (trading, withdrawals and agent functions) continue to work.

As the situation is still unfolding, users are warned not to sign any kind of transaction involving Wasabi. The team stressed that these restrictions are temporary and will remain in place until it can verify the integrity of upstream systems.

ZachXBT Slams Absence Of Fundamental Security Protections

The exploit provoked fresh discussion about the maturity of security practices in DeFi, amid ongoing questions about the use of administrative controls. Blockchain analyst ZachXBT questioned why a single externally owned account (EOA) was given such broad control without basic safety nets such as a multisig or a timelock.

His criticism points to a wider trend in the industry: smart contracts are routinely subjected to extensive audits, but day-to-day key security and governance structures often remain soft targets.

Non-code Exploits Are Growing This April

The Wasabi incident is a prime example of something we saw escalating throughout April: the emergence of major exploits that are not due to smart contract flaws, but rather issues in administrative security.

The contract logic functioned as designed in this case. The trust model failed, simple as that: the protocol relied on a single admin key to control upstream systems without any additional protection layers.

This pattern signals a change in the threat landscape. Attackers are less inclined to break code that is hard to compromise and increasingly take the path of least resistance by targeting governance and operational vulnerabilities.

The takeaway for developers and protocols alike is that security goes beyond code audits: it requires stringent key management policies, access controls and fail-safe mechanisms.

With investigations continuing to unfold and more details surfacing, the Wasabi exploit is likely to become an important example of the increasing risks faced by decentralized finance.

Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.


Source: https://nulltx.com/wasabi-protocol-exploit-drains-5-5m-across-four-chains-as-compromised-admin-key-exposes-critical-security-flaw/
