Onchain perpetuals protocol Wasabi was hacked for more than $5.5mn, wiping out the majority of its roughly $8mn in total value locked (TVL) and capping the most exploit-heavy month in crypto history.
Attackers drained the funds across multiple networks, including Ethereum, Base, Blast and Berachain following what appeared to be a compromised admin key, according to security firms CertiK and PeckShield.
Wasabi said it is "actively investigating" the incident and urged users not to interact with its contracts "until further notice." It added that it has brought in security responders, including SEAL 911 and Blockaid. Onchain investigator ZachXBT questioned on X why a single externally owned account (EOA) appeared to have so much control over the protocol without safeguards in place.
Record-breaking month
The incident adds to a surge in crypto and decentralized finance (DeFi) exploits that has made April the most hacked month on record by number of incidents, according to DeFiLlama data.
More than two dozen attacks were recorded over the 30-day period, with total losses amounting to at least $630mn. This marks a massive jump from the 15 exploits recorded in March, which caused losses of just over $41mn.
Two major breaches – Kelp at around $293mn and Drift at about $285mn – accounted for more than 90% of the month's losses. The two exploits were both linked to North Korean state-backed hackers, specifically the Lazarus Group.
Data also shows that the losses were highly concentrated to just a few attack types. Bridge exploits and compromised admin controls together were responsible for the majority of funds stolen during the month.
Kelp and Drift
On 1 Apr, Solana-based perpetuals exchange Drift Protocol was exploited after attackers gained admin account access and whitelisted a fake token as collateral, allowing them to withdraw millions in assets, including USD Coin (USDC), Solana (SOL) and Ether (ETH).
Then, on 18 Apr, liquid restaking protocol Kelp was exploited via a LayerZero-powered cross-chain bridge. That attacker drained more than 150,000 Restaked ETH (rsETH), which were then used as collateral to borrow real assets from DeFi lending protocols.
The fallout from both exploits has been severe and widespread. Following the Kelp exploit, Ethena's USDe stablecoin saw roughly $1.6bn in net outflows while over on the Aave protocol, borrowing costs surged to as high as 16% shortly after the exploit amid a liquidity squeeze.
The effects are still being felt. On 30 Apr, Solana-based DeFi protocol Carrot, which was impacted by the Drift exploit, said it's shutting down after previously warning that users could face losses of around 50% if funds were not recovered. The protocol set a mid-May deadline for withdrawals.
The impact isn't just financial, it's reputational. "DeFi has a security problem that the industry still doesn't address honestly enough," Misha Putiatin, co-founder of Symbiotic and founder of Statemind, told Sandmark. "Hacks are constant, and because everything is onchain, every incident is public."
Putiatin explained that while in traditional finance fraud is larger in absolute terms, it is way less visible. "That weight is felt when you're sitting across from a financial institution and talking about onboarding them to DeFi," he added. "The answer is to build better risk methodologies and prevention mechanisms. Otherwise, most 'institutional adoption' will remain surface-level, without real composability."
