Wasabi Protocol $5 Million Exploit Accelerates AI-Based DeFi Hacker Theory

Wasabi Protocol suffered an admin-key compromise that resulted in losses of over $5 million from its perpetual vaults and LongPool on Ethereum, Base, Berachain, and Blast, as reported by on-chain security firms Blockaid and PeckShield.

The attacker gained ADMIN_ROLE through the protocol's deployer wallet, then upgraded the vault to a malicious implementation that drained user balances. Approximately $4.55 million has already been successfully stolen, and the investigation is ongoing.

Single Key Failure Causes Hack

Blockaid traced the source of the issue to the address wasabideployer.eth, the sole address holding ADMIN_ROLE in Wasabi’s PerpManager AccessManager.

The attacker called the grantRole function from the deployer EOA with no delay, which instantly made the attacker's orchestrator contract an admin.

“We are aware of this issue and are actively investigating. To prevent further damage, please refrain from interacting with the Wasabi contract until further notice,” Wasabi Protocol told users.

Subsequently, the attacker performed a UUPS upgrade on the perpetual vault and LongPool to a malicious implementation that drained the balances.

The deployer key remains active to this day. The Wasabi token and Spicy LP-share from the affected vault have been marked as compromised, with redemption values nearly zero.

Blockaid said that the same attacker, orchestrator, and bytecode strategy were used in a previous incident targeting Wasabi.

This pattern resembles previous admin-key incidents and highlights the weakness of a single-EOA admin setup with no timelock or multisig. PeckShield estimates total losses have exceeded $5 million across the four affected chains.
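
The sequence described above (an ADMIN_ROLE grant with no delay, then proxy upgrades) can be watched for in decoded event logs. The following detection logic is an added example, not code from Wasabi, Blockaid, or PeckShield; it assumes events shaped like OpenZeppelin AccessManager's `RoleGranted` and ERC-1967's `Upgraded`, and every address, block number, and the 50-block window are constructed.

```python
# Added example, not Wasabi's or Blockaid's code. Assumes decoded logs shaped like
# OpenZeppelin AccessManager's RoleGranted and ERC-1967's Upgraded events.
ADMIN_ROLE = 0        # AccessManager.ADMIN_ROLE is type(uint64).min
WINDOW_BLOCKS = 50    # hypothetical correlation window, tune per chain

def find_admin_takeovers(events, known_admins, window=WINDOW_BLOCKS):
    """Flag ADMIN_ROLE grants to unexpected accounts and any upgrades that follow."""
    known = {a.lower() for a in known_admins}
    ordered = sorted(events, key=lambda e: (e["chain"], e["block"], e["log_index"]))
    alerts = []
    for i, ev in enumerate(ordered):
        if ev["event"] != "RoleGranted" or ev["role_id"] != ADMIN_ROLE:
            continue
        if ev["account"].lower() in known:
            continue  # expected holder, e.g. a governance multisig
        upgraded = [u["proxy"] for u in ordered[i + 1:]
                    if u["event"] == "Upgraded" and u["chain"] == ev["chain"]
                    and u["block"] - ev["block"] <= window]
        # Zero execution delay plus an immediate upgrade is the pattern in the article.
        severity = "critical" if ev["delay"] == 0 and upgraded else "high"
        alerts.append({"chain": ev["chain"], "new_admin": ev["account"],
                       "granted_by": ev["tx_from"], "delay": ev["delay"],
                       "upgraded_proxies": upgraded, "severity": severity})
    return alerts

# Constructed sample data: every address and block number here is a placeholder.
DEPLOYER, ORCH, MULTISIG = "0x" + "d1" * 20, "0x" + "a7" * 20, "0x" + "51" * 20
VAULT, LONGPOOL = "0x" + "b1" * 20, "0x" + "b2" * 20

def _grant(chain, block, idx, role, account, delay, sender):
    return {"event": "RoleGranted", "chain": chain, "block": block, "log_index": idx,
            "role_id": role, "account": account, "delay": delay, "tx_from": sender}

def _upgrade(chain, block, idx, proxy):  # proxy = address that emitted Upgraded
    return {"event": "Upgraded", "chain": chain, "block": block, "log_index": idx, "proxy": proxy}

SAMPLE_EVENTS = [
    _grant("ethereum", 100, 0, ADMIN_ROLE, ORCH, 0, DEPLOYER),
    _upgrade("ethereum", 100, 1, VAULT),
    _upgrade("ethereum", 101, 0, LONGPOOL),
    _grant("base", 500, 0, ADMIN_ROLE, MULTISIG, 86400, DEPLOYER),  # expected admin
    _grant("base", 510, 0, 7, ORCH, 0, DEPLOYER),                   # non-admin role
    _grant("base", 520, 0, ADMIN_ROLE, ORCH, 172800, DEPLOYER),     # delayed, no upgrade
    _upgrade("base", 900, 0, VAULT),                                # outside the window
]

if __name__ == "__main__":
    for alert in find_admin_takeovers(SAMPLE_EVENTS, known_admins=[MULTISIG]):
        print(alert)
```

On the constructed data this yields one critical alert (the zero-delay grant followed by two upgrades) and one high alert (an unexpected admin grant with no upgrade inside the window).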

AI Hacker Theory Gains Momentum

This incident occurred just hours after three other attacks between Tuesday and Wednesday. BeInCrypto reported on the series of attacks on Tuesday, including:

  • Loss of $3.46 million from Sweat Economy, which was actually a rescue operation by the foundation, not a hack.
  • The Syndicate Commons bridge on Base lost 18.5 million SYND tokens valued between $330,000 and $400,000. The attack proceeds were transferred to Ethereum.
  • Aftermath Finance halted their perpetual protocol after losing around $1.14 million USDC.

Amid this string of attacks, analysts began discussing concerns related to AI, highlighting the imbalance between attacker tools and protocol defenses.

In the same discussion, developer Vitto Rivabella proposed the theory that North Korea has been training internal AI models with stolen DeFi data for years.

He argued that these models now operate as autonomous attackers, capable of draining protocols much faster than human audit teams can patch vulnerabilities.

“Wild conspiracy theory about recent DeFi hacks: North Korea has trained their own Mythos version funded by the state, using big data from DeFi protocol hacks over the past 10 years. Now they let their ‘DeFi AI hacker’ run free and won’t stop extracting profits until someone stops them,” Rivabella wrote.

Whether or not AI is driving the recent series of exploits, a single-key admin role remains a real vulnerability that attackers can exploit.