🤯 LEUTE, ICH BIN ECHT BESORGT! Ich sitze hier am 1. Mai und schaue mir an, was diese Woche im Markt passiert ist. Und ich muss euch ehrlich sagen, ich habe ein ungutes Gefühl. Eins von der Sorte, das ich seit Jahren nicht mehr hatte. In dieser Nacht laufen hunderte Wallets gleichzeitig leer. Auf Ethereum, Mainnet. Wallets, die sieben Jahre lang nicht bewegt wurden, sind in derselben Stunde leer. Alle Funds gehen an eine einzige Sammeladresse. @WazzCrypto hat es zuerst öffentlich gemacht, der Vektor ist noch unklar. Etwas, das wir noch nicht benennen können? Niemand weiß es. Acht Stunden früher: Wasabi Protocol. 5 Millionen Dollar weg, über vier Chains. Eine einzige Deployer-Wallet ohne Multisig, ohne Timelock. Der Angreifer bekommt ADMIN_ROLE, schiebt per UUPS-Upgrade malicious Code rein, drained Perp Vaults und LongPool. @blockaid_ hat es zuerst gemeldet, @PeckShieldAlert bestätigt. Berachain hat die Vaults gepausert. Zu spät. @zachxbt fragt das, was wir alle wissen sollten. Wieso hatte da überhaupt eine einzige EOA so viel Kontrolle, ohne grundlegende Sicherheiten? @vanshuETH rechnet nach. 1,82 Milliarden Dollar Volumen lagen über einen ungeschützten Key. Und Leute, das ist nur diese Woche. Schaut euch April an: → 04.04. Drift Protocol: 285 Millionen, vorab signierte Admin-Transaktionen, wochenlang im Voraus vorbereitet → April Kelp DAO: 292 Millionen → April Grinex: 13,7 Millionen → 24.04. Lazarus-Gruppe: 175 Millionen in sieben Tagen über THORChain gewaschen → 30.04. Wasabi Protocol: 5 Millionen, Multi-Chain → 30.04./01.05. ETH-Mass-Drain: hunderte Wallets, eine Adresse Über 805 Millionen Dollar in 27 Tagen. @cryptothedoggy nennt April den schlimmsten Monat für DeFi-Hacks überhaupt. Vor knapp drei Wochen habe ich über das KI Modell Mythos geschrieben. Eine KI, die tausend Zero-Days in Wochen findet, gegen die kein menschlicher Auditor anschreiben kann. Project Glasswing der Zentralbanken. Damals klang das nach FUD. Heute schaue ich auf das Muster und sehe genau das, wovor ich gewarnt habe. Hacks gehören zu Krypto, damit lebe ich seit Jahren. Was sich gerade verändert, ist die Methode. Frequenz. Skalierung. Parallelität. Hunderte Wallets gleichzeitig drainen, das macht kein Mensch mehr von Hand. Vorab signierte Admin-Transaktionen einen Monat vor dem Trigger einbauen, ist keine Hobby-Arbeit. UUPS-Upgrades auf vier Chains in derselben Stunde, das skaliert nur mit Werkzeugen, die wir vor zwei Jahren noch nicht hatten. Ich sage euch, was ich befürchte. Wir haben über Jahre eine Welt aus dezentralen Protokollen gebaut, die Multisigs für Komfort opfern. Die Audits, die Admin-Vektoren nicht ernst genug prüfen. Die "decentralized" auf das Frontend schreiben und dahinter eine einzige Wallet die Schlüssel zu Milliarden hält. Diese Architektur war schon vor drei Jahren am Limit. Mit den Werkzeugen, die jetzt verfügbar sind, hält sie nicht mehr. Ich bin langfristig drin. Ich glaube an dieses Asset, an diesen Zyklus, an die These. Und genau deshalb sage ich es so deutlich. Die nächsten zwölf Monate werden die Sicherheits-Architektur dieser Industrie auf eine Art testen, auf die sie nicht vorbereitet ist. Wir werden Hacks sehen, die wir uns heute noch nicht vorstellen können. Eine ganze Chain. Eine Top-10-Börse. Was am Ende fällt, hängt davon ab, wie schnell die Industrie aufrüstet. Und ehrlich, ich glaube nicht, dass sie schnell genug ist. Mai hat gerade angefangen. x.com/Smart_Money/status/204…

Breaking News from yesterday - Solana DeFi protocol Carrot shuts down following the Drift exploit, giving users until May 14 to withdraw from Boost, Turbo, and CRT before deleveraging begins - US Senate unanimously passes S. Res. 708, banning senators from prediction market trading effective immediately to prevent insider trading - Trump reportedly plans an executive order to expand retirement access for workers without employer plans, with crypto inclusion in 401k plans still under review. - UK FCA issues new DLT guidance and introduces a direct-to-fund model for tokenized assets - Secretary of Defense Pete Hegseth confirms the US is running classified efforts to secure a strategic Bitcoin advantage over China, calling himself a long and enthusiastic supporter of Bitcoin - Canadian sovereign wealth fund AIMCo disclosed a $219M purchase of 1.38M Strategy (MSTR) shares, marking the $142B government-owned fund’s first Bitcoin-related allocation. - Hong Kong unveiled its Fintech 2030 vision, prioritizing stablecoin regulation and global coordination - Rakuten Wallet launched XRP integration for its 44 million Rakuten Pay users in Japan, allowing them to convert Rakuten Points into XRP and spend at 5M merchant locations.​​​​​​​​​​​​​​​​ - South Korean prosecutors requested a 20-year prison sentence for Delio CEO Jeong Sang-ho over alleged embezzlement of $168.5M in crypto from roughly 2,800 users following the platform’s 2023 withdrawal freeze. - Syndicate Labs suffered a private key compromise, with attackers draining 18.5M SYND ($330K) and ~$50K in customer tokens via malicious bridge contract upgrades, all affected users being made whole. - Stablecoin firm KAST appointed former SEC senior advisor and Crypto Task Force spokesperson Stephanie Allen as head of corporate and policy communications. - Tether proposed that Twenty One Capital merge with Strike and bitcoin miner Elektron Energy in a two-stage deal, sending XXI shares up 6.6% in after-hours trading. - Wasabi Protocol was exploited for $4.5M via an admin-key compromise on Ethereum and Base, with attackers upgrading perp vaults and LongPool to a malicious implementation that drained balances. - Shinhan Card partnered with the Solana Foundation to pilot a stablecoin payment system on Solana’s testnet, focusing on consumer-to-merchant payment scenarios. - Japan Exchange Group CEO Hiromi Yamaji said JPX aims to list BTC and ETH spot ETFs as early as 2027. - Gemini secured a Derivatives Clearing Organization license from the CFTC, allowing its Olympus unit to act as an in-house clearinghouse for derivatives including futures, options, and prediction markets. - PayPal restructured into three core units, with crypto and payments now operating as a standalone division. - Aave launched incentives on its MegaETH market for USDm, with USDe by Ethena also available as caps fill quickly. - Avalanche completed Retro9000 C-Chain Round 2, with the foundation set to verify onchain activity and process rewards for the top 40 projects on the final leaderboard. - Blockscout went live on Kite mainnet, providing open-source block explorer infrastructure for the Kite AI agent economy. - MegaETH’s MEGA token went live, with 53.3% of supply tied to performance-based KPIs rather than a fixed vesting schedule. - MoonPay Korea signed an MOU with Woori Bank to support global distribution and cross-border settlement infrastructure for South Korea’s emerging won-backed stablecoin market. - Polymarket tapped Chainalysis to police insider trading and market manipulation as it seeks to raise $400M at a $15B valuation and gain CFTC approval to relaunch in the US. - MARA Holdings agreed to acquire Ohio gas plant operator Long Ridge Energy & Power for $1.5B including debt to power its AI data center expansion. - Tether-backed Oobit launched Visa-supported Agent Cards, enabling AI bots to make purchases using USDT balances with per-transaction spending caps and no human approval required. - Coastal Bank is building stablecoin-native payment infrastructure on Tempo alongside its existing rails, giving fintech partners access to faster settlement and global reach. - Coinbase Asset Management launched the Coinbase Stablecoin Credit Strategy (CUSHY) fund targeting institutional investors, with an onchain share class powered by Superstate FundOS set to launch in Q2 2026. - Solana yield exchange Exponent raised a $5M seed round led by Multicoin Capital, bringing total funding to $7.1M ahead of a platform expansion into broader yield management. - xStocks launched on BNB Chain with 50 tokenized stocks and ETFs, surpassing $30B in total transaction volume and $350M in AUM across 100,000 unique holders. - Lightspark partners with Visa to enable stablecoin- and Bitcoin-backed Visa debit cards across 100 countries, giving cardholders access to 175M merchants worldwide - USDat introduced risk tranching on STRC via senior (srUSDat) and junior (jrUSDat) tranches, powered by Saturn and Strata, senior targets 65% of the STRC dividend rate, junior takes first-loss exposure - Kraken launched Crypto and xStocks bundles combining digital assets and tokenized equities, with 130 xStocks now live including ASMLx and URAx - Stripe launched updated Treasury with multi-currency and stablecoin balances, global payouts to 160 countries, 2% card cashback, and MCP integration - Variational launched a TradFi-on-chain platform covering 450 crypto markets, with RWA perps including US500, oil, and gold going live within a month — single USDC cross-margined account, 50x leverage, 0% fees - Arbitrum DAO votes to release 30,766 ETH (~$71M) frozen from the Kelp DAO attacker to the DeFi United initiative, with 16.9M ARB cast in favor within the first hour — vote runs until May 7 - Anchorage Digital, the US’s only federally chartered crypto bank, partnered with M0 to power institutional stablecoin issuance ahead of the GENIUS Act

No puede ser que vayamos a exploit por día 🤦‍♂️ Esta mañana saltaban las alertas en Wasabi Protocol tras ver que un usuario comprometió la clave del deployer (Wasabi: Deployer EOA) Una vez dentro pudo darle el rol ADMIN_ROLE a un contrato malicioso y a partir de ahí, hizo UUPS upgrade en los Perp Vaults y en el LongPool para implementar código malicioso Con esta acción ha drenado toda la liquidez de los vaults con un total de $4.55M entre Ethereum y Base Hasta ahora no han conseguido pausar esta actividad así que revoca todos los permisos que tengas y no interactues con el protocolo ❌ Muy fuerte todo...

Wasabi Protocol Hacked: $5.5M Drained Across 4 Chains DeFi perpetuals platform @WasabiProtocol has been exploited for around $5.5M today, with losses across Ethereum, Base, Blast, and Berachain. What Happened: The attacker compromised the protocol's deployer admin key, granted ADMIN_ROLE to a malicious contract, then used a UUPS proxy upgrade to inject harmful logic into the perp vaults and LongPool, draining liquidity across all 4 chains. CertiK flagged the incident around 08:30 UTC. Initial estimates were $2.9M but losses climbed to $5.5M as the attack unfolded. Same as Drift Protocol's $285M hack earlier this month: Compromised deployer key no timelock no multisig = drained funds. Action for Users: ✅ Withdraw funds immediately if you have open positions or LP exposure ✅ Revoke all token approvals granted to Wasabi contracts ✅ Monitor official channels for updates (no official statement yet) April 2026 has now seen $606M lost to DeFi hacks in just 18 days, making it the worst month since February 2025. Drift ($285M) and Kelp DAO ($293M) lead the damage. The Lesson: Privileged admin keys without timelocks or multisig protection remain DeFi's biggest unsolved problem. Always check protocol governance setup before depositing. Stay Safe. DYOR. Protect Your Capital.

🚨 Another Hack Before April Ends: @wasabi_protocol Drained for ~$5M Admin key on the deployer EOA was compromised (no timelock, no multisig). Attacker granted themselves ADMIN_ROLE and UUPS-upgraded the perp vaults LongPool. Affected chains: Ethereum, Base, Berachain, Blast and others. Stolen funds (PEPE, MOG, USDC, BTC) swapped to ETH and distributed. #zBit #WasabiProtocol #DeFi #CryptoHack #Exploita

wasabi protocol hacked > raised ~$3,000,000 from electric capital > built leveraged perps for memecoins and nfts > $1,820,000,000 in all time volume > backed by alliance and luca netz > single deployer key controlls everything > no multisig, no timelock, nothing attacker gets that key > upgrades vault proxies silently > grants admin role to his malicious contract > drains wWETH, sUSDC and the longpool ~$4,500,000 gone across eth and base > not a protocol bug > not a smart contract exploit > just one unprotected key > one wallet controlling all the vaults $1,820,000,000 in volume and only one key to protect it all🤷‍♀️ is it actually a hack or management failure, discuss?

wow, i want to re-iterate here, the @wasabi_protocol exploit isn't really a story about a stolen key. It's a story about what happens when one EOA controls a batch of upgradeable vaults with no multisig, no timelock, and no DAO governance as @evilcos and @zachxbt both pointed out within an hour of the drain (it should have never happen) The mechanics: deployer EOA grants ADMIN_ROLE to an attacker contract → UUPS upgrade replaces the perp vaults & LongPool with malicious logic → strategyDeposit() called on 7 vaults → drain(). 3 minutes, $5M across Ethereum, Base, Berachain & Blast. Largest single hit: 840.9 WETH (~$1.9M) from wWETH. Wasabi has acknowledged the issue and asked users not to interact with contracts. @blockaid_ flagged that all Wasabi/Spicy LP-share tokens minted by these vaults should be treated as compromised the underlying assets are gone. If you have funds anywhere in the protocol: withdraw and revoke approvals via @RoscoKalis's @RevokeCash. Big shoutout to him, the tool everyone reaches for on days like this. 34th major incident this month. April 2026: 30 exploits, ~$630M drained. The recurring pattern keeps writing itself: privileged EOAs over upgradeable contracts, no governance friction, one phished signature away from zero.

🚨 @wasabi_protocol subit un hack de plus de 5m$ de dollars sur quatre blockchains après une compromission de clé admin. Plus de 5m$ dérobés sur Ethereum, Base, Berachain et Blast. L'attaquant a pris la main sur le wallet déployeur, mis à jour les contrats core et siphonné les vaults LongPool, ShortPool et Vault. @blockaid_ a confirmé le vecteur. BlockSec relève que les comptes ayant reçu les rôles admin étaient financés via Tornado Cash. Tokens drainés : WETH, PEPE, MOG, USDC, cbBTC, AERO, VIRTUAL et plusieurs autres. Les fonds ont été convertis en ETH puis bridgés sur Ethereum. Virtuals Protocol, qui s'appuyait sur Wasabi pour ses dépôts de marge, a gelé l'intégration par précaution.

🚨 LỖ HỔNG GIAO THỨC WASABI BỊ KHAI THÁC (~3 triệu - 4,5 triệu USD) 🚨 Khóa triển khai bị xâm phạm đã cấp quyền ADMIN_ROLE cho kẻ tấn công (0x878e94142409dafcc5cc83d5cd2e9da2bf0bf3bf), kẻ này đã nâng cấp các vault và rút cạn thanh khoản trên Ethereum, Base, Berachain. Thu hồi TẤT CẢ các phê duyệt Wasabi ngay lập tức (đặc biệt là các phê duyệt gần đây). Các Hợp Đồng Quan Trọng Cần Kiểm Tra & Thu Hồi (qua revoke.cash): - Ethereum: - Các triển khai Wasabi Perp Vaults / LongPool (tìm kiếm "Wasabi" hoặc các phê duyệt gần đây) - Các hợp đồng liên quan đến Deployer (kiểm tra bất kỳ phê duyệt nào cho các địa chỉ bắt đầu bằng 0x878e...) - Base: - Các vault và pool tương tự trên mạng Base - Berachain Cách Thu Hồi (revoke.cash): 1. Truy cập 2. Kết nối ví hoặc dán địa chỉ 3. Chuyển sang Ethereum → sắp xếp theo Mới nhất → thu hồi tất cả các phê duyệt Wasabi 4. Chuyển sang Base → lặp lại 5. Chuyển sang Berachain → lặp lại 6. Thu hồi bất kỳ thứ gì đáng ngờ/cũ trong khi ở đó Lưu ý: - Coi như token LP/share từ các vault Wasabi đã bị xâm phạm - KHÔNG tương tác với các hợp đồng Wasabi cho đến khi có xác nhận an toàn chính thức - Luôn luôn thu hồi chứng chỉ sau khi sử dụng bất kỳ giao thức nào Hãy giữ an toàn! Thu hồi chứng chỉ ngay nếu bạn đã từng sử dụng Wasabi. 🔒

🚨 @wasabi_protocol exploited for $5M across Ethereum, Base, Berachain & Blast. Admin-key compromise. The Deployer EOA granted ADMIN_ROLE to an attacker contract, which UUPS-upgraded the perp vaults and LongPool to a malicious implementation and drained balances. per @blockaid_ 📸 @PeckShieldAlert

💥 JUST IN: @wasabi_protocol hacked for ~$5M Attacker contract: 0x878e94142409dafcc5cc83d5cd2e9da2bf0bf3bf Compromised deployer: 0x5c629f8c0b5368f523c85bfe79d2a8efb64fb0c8 Attacker gained access to the deployer’s private key then granted ADMIN_ROLE to malicious contract, upgraded UUPS proxy Vaults & LongPool & drained liquidity of $WETH, $USDC, $PEPE, $MOG, etc. across Ethereum, Base, Berachain & Blast. 1/2

🚨 #Arisk 4月30日链上安全事件更新 @wasabi_protocol 协议管理员密钥遭到妥协，已确认遭受管理员权限滥用攻击。 攻击者通过 Wasabi Deployer EOA（0x02228b0afcdbEdf8180D96Fc181Da3AF5DD1d1ab）授予恶意合约 ADMIN_ROLE，随后通过 UUPS 升级 LongPool、ShortPool 及多个 Vault 实现，已在 Ethereum、Base、Berachain、Blast 多链成功抽取超 500 万美元资产（主要为 #WETH、#USDC、#REKT、#PEPE、#cbBTC、#AERO 等）。 关键交易哈希（Ethereum 主链）： 0xcd77423f1bfa362c43f98356360c1f6c6e5fe989f18036e874884e9ad4a70116 ⚠️重要提醒： 所有由 Wasabi Vault 铸造的 LP / Share Token 已处于高风险状态，底层资产已被大量转移。 #WasabiExploit #DeFiHack #Arisk #AML #Hack

. @wasabi_protocol 4.5M USD Hack: Classic “Admin Key Season” Victim 🚨 Today Wasabi suffered a complete operational security disaster. 💥 The attacker stole the private key of wasabideployer.eth (a single EOA), granted the ''ADMIN_ROLE'' to their own contract, and instantly upgraded the UUPS proxy vaults and LongPool to malicious code with a drain function completely emptying the liquidity. 🧨 I also had positions in the vaults. I pulled my solana:3iQL8BFS2vE7mww4ehAqQHAsbmRNCrPxizWAT2Zfyr9y . Why was it so easy? 😤 - Single EOA as admin (still in 2026!) - No Multisig - No Timelock - Zero Least Privilege one ADMIN_ROLE could do everything - UUPS proxies left completely unprotected (instant upgrades) In short: There was no major code bug. Human and operational security was nonexistent. 🚩 This is a clear warning to all DeFi protocols still operating with the “deploy first, secure later” mentality. Audits catch code issues, but not these fundamental security failures. ⚠️ The Wasabi team is still silent. Users should treat their LP tokens as compromised and revoke all remaining approvals immediately. Lesson: Using UUPS without Multisig Timelock proper role separation is like leaving the front door wide open. 🚪 Wasabi left that door wide open, and we paid the price. 💸

TLDR: Wasabi Perp Exploit (April 30, 2026) => Attacker compromised the deployer EOA (sole admin key across chains). => Used it to grant ADMIN_ROLE to a malicious contract (e.g. 0x878e...). => Executed strategyDeposit drains on vaults UUPS upgrades on WasabiLongPool contracts to sweep liquidity. => Impact: $5M drained (reports range $2.9M–$5.5M). => Chains: Ethereum, Base, Blast (Berachain also mentioned). => Centralized privileged key upgradeable contracts. Status: Still Ongoing as ghey key not fully rotated some LongPool contracts are still controlled by the attacker Stay Safu

🔴 Wasabi Perp Drained for ~$5M Across Three Chains via Deployer Key Compromise This morning at 07:48 UTC, Hypernative detected an active exploit targeting Wasabi Perp across three chains. Approximately $5M was drained from the protocol's vaults and long pools in a coordinated ~2-hour attack window. Hypernative's systems fired high-severity alerts in real-time across all three chains involved (Ethereum, Base, Blast) as the vault drains and pool upgrade executed surfacing the privileged strategyDeposit calls and malicious implementation swap as they happened. Note: Wasabi is not a Hypernative customer. What happened: → The attacker gained control of the Wasabi Deployer EOA (the sole admin key across every chain's PerpManager) and used it to grant admin authority to an attacker-controlled contract. → From there, they called strategyDeposit across 8 WasabiVault proxies to redirect collateral, then performed a UUPS upgrade on the WasabiLongPool to an attacker-deployed implementation, sweeping the pool's balances. → The same playbook was replicated on Base and Blast. The compromised key has not been rotated; LongPool contracts on Ethereum and Base remain under attacker control. ❗ If you have funds or approvals in Wasabi Perp on any chain act now: → Revoke all approvals → Withdraw any remaining funds immediately We will publish a full technical analysis shortly.

🚨 Wasabi just got hit. ~$4.55M and counting. Again, no timelock and no multisig. EOA holding ADMIN_ROLE in OZ AccessManager (wasabideployer.eth) Attacker grabbed the key, called grantRole(ADMIN, orchestrator, delay=0), bypassed onlyAdmin on strategyDeposit, UUPS-upgraded the perp vaults to a malicious implementation, and drained. Ethereum Base perp vaults. Long Pool. Same orchestrator strategy bytecode now hitting Bera and Blast. LP shares look fine on screen. Redemption value is zero. If you’re holding wWETH, sUSDC, sREKT, wPEPE, wMog, wBITCOIN, sZYN, sBTC, sVIRTUAL, sAERO, sBRETT, sWELL, sSKI , or any Wasabi/Spicy LP token ,revoke approvals to the vault contracts NOW. Two weeks after Drift, three weeks after the AAVE oracle misconfig, and we are still watching protocols ship $100M TVL behind a single hot key…. Even after the @Dune report.. This is what governance risk looks like in 2026.. One line in a deploy script: _grantRole(ADMIN_ROLE, deployer) , and never moved. S/o @blockaid_ for the early flag. Receipts: → ETH drain: 0xcd77423f1bfa362c43f98356360c1f6c6e5fe989f18036e874884e9ad4a70116 → Base drain: 0x10b371603d42a672b0bffda526af8400885c65fa7b541678f2bd8dad6fcb7e40 → LongPool drain: 0xbabbfd5dc3a448244b1797928c69001726106c241f29e22b979a8bc01807c317 @CertiK update below . Still no coms from @wasabi_protocol DeFi without an on-chain risk intelligence layer is blind. We’ve been saying this. The market keeps proving it. Time to make Investinf safer -> @xerberus

Blockaid detected an active admin-key compromise exploit on @wasabi_protocol across Ethereum and Base. The Wasabi deployer EOA granted ADMIN_ROLE to an attacker-controlled helper contract, which then UUPS-upgraded perp vaults and LongPool to malicious implementations, draining balances.

Exploiter: 0x02228b0afcdbEdf8180D96Fc181Da3AF5DD1d1ab ETH drain tx (vaults): 0xcd77423f1bfa362c43f98356360c1f6c6e5fe989f18036e874884e9ad4a70116 Base drain tx (vaults): 0x10b371603d42a672b0bffda526af8400885c65fa7b541678f2bd8dad6fcb7e40 ETH drain tx (LongPool): 0xbabbfd5dc3a448244b1797928c69001726106c241f29e22b979a8bc01807c317 Extracted so far: ~$4.55M. Investigation is ongoing.

🚨 Blockaid's exploit detection system identified an on-going admin-key compromise exploit on @wasabi_protocol across Ethereum and Base. The Wasabi: Deployer EOA was used to grant ADMIN_ROLE to an attacker helper contract, which then UUPS-upgraded the perp vaults and LongPool to a malicious implementation that drained balances.

铁子们，大毛来了！！ Bit.com和 LongPool（龙池） 正在举办矿工专属福利活动，只要在龙池挖矿，并将收益地址绑定Bit.com的充值地址，就能参与瓜分 5,000 USDT 等值云算力和代币奖励！ 参与流程超简单： 1️⃣: 用户先到 龙池挖矿 2️⃣: 将龙池收币地址改成 Bit.com 充值地址，并提交报名信息 3️⃣: 活动期间保持每日收益到账，活动结束时账户余额 ≥ 500 USDT 活动详情：helpcenter.bitexch.io/zh-CN/… ⬇️ 点击这里填写表明表: wj.qq.com/s2/23489921/81b1/ #Scash #CPU挖矿 #Bit #Longpool