DeFi can’t stop bleeding, and Wasabi Protocol is the latest to find out why.

The protocol, a perpetuals trading platform built on Ethereum and Base, was drained of about $4.55 million on Thursday after attackers compromised its deployer key, security firm Blockaid said in an X post.

The hack is the latest in a month that has produced over $605 million in DeFi losses across at least 12 incidents. The attack closely mirrors the Drift Protocol exploit on April 1, when North Korea-linked attackers used a compromised admin key to drain $285 million from the Solana-based perpetuals exchange.

The mechanics operated through an externally owned account, or EOA, called wasabideployer.eth, which held the sole ADMIN_ROLE in Wasabi’s permission system.

An EOA is a wallet controlled by a private key, as opposed to a smart contract. Whoever holds the key controls the wallet. Once the attacker had access to the deployer key, they gave themselves admin privileges with zero delay by calling grantRole on the permission contract.

Their helper contract then upgraded Wasabi’s perp vaults and Long Pool to malicious implementations that drained the balances, Blockaid said.

The exploit relied on a standard known as Universal Upgradeable Proxy Standard (UUPS), which allows a smart contract to change its underlying code while keeping the same address.

UUPS is widely used because it lets developers fix bugs without migrating users. The downside is that if an attacker controls admin permissions, they can replace the contract’s logic with anything they want, including code designed to steal funds.

Wasabi had no timelock or multisig protecting the admin role, Blockaid said. A timelock forces a delay between when an admin action is announced and when it executes, giving users time to react. A multisig requires multiple signers to approve a change. Wasabi had neither, leaving a single key holding full control over the protocol.

Compromised contracts include Wasabi’s wWETH, sUSDC, wBITCOIN, wPEPE, and Long Pool vaults on Ethereum, plus its sUSDC, wWETH, sBTC, sVIRTUAL, sAERO, and sBRETT vaults on Base, according to Blockaid.

Users holding Wasabi LP tokens were urged to revoke any active approvals to the vault contracts because the underlying assets backing those tokens had either been drained or remained at risk.

In the case of Drift, the attackers also exploited a single-key admin setup with no governance timelock, listing a fake token as collateral and raising withdrawal limits to drain real assets in roughly 12 minutes.

Three weeks later, on April 19, Kelp DAO lost $292 million when an attacker exploited a single-verifier configuration in the protocol’s LayerZero bridge, releasing 116,500 unbacked rsETH that was then used as collateral to borrow real ether (ETH) from Aave.

The cumulative DeFi loss total for 2026 has now passed $770 million across more than 30 reported incidents. April alone accounts for the majority of that figure.

Smaller breaches this month have hit CoW Swap ($1.2 million), Grinex ($13.74 million), Resolv Labs ($23 million), Volo Protocol ($3.5 million), among others.

What ties them together is not a new vulnerability. Each incident produces the same post-mortem language about lessons learned, but the next exploit usually arrives before the lessons get implemented.

Wasabi has not yet issued a public statement on the incident.

UPDATE (April 30, 11:34 UTC): General edits throughout. Moves Drift Protocol exploit to third paragraph.