Wasabi Protocol, a multichain decentralized perpetual futures trading platform, was hit by an exploit that led to the loss of more than $5 million across several chains.

 

The exploit, according to blockchain security company PeckShield, was carried out across multiple chains, including Base, Berachain, Blast, and Ethereum, which is its main deployment chain.

 

The incident was also flagged by blockchain security firms CertiK and Blockaid, with both firms attributing the cause of the hack to a compromise of the Wasabi deployer wallet, which allowed the attacker to gain privileged admin access and subsequently drain funds from the protocol.

 

“The Wasabi deployer externally owned account was used to grant admin role access to an attacker-controlled helper contract, which then upgraded the perpetual vaults and LongPool to a malicious implementation that drained balances,” Blockaid wrote in a post on X.

 

“All Wasabi and Spicy liquidity provider share tokens minted by these vaults should be treated as compromised. The underlying assets backing them have been drained or are at risk while the Wasabi deployer key remains active. End users holding these tokens are showing book value, but the redemption value is zero,” the firm added, while recommending the immediate flagging and revocation of these tokens.

 

Blockchain security firm Cyvers also provided further details on how the incident occurred. According to Cyvers, a crypto wallet funded through Tornado Cash was used to deploy a malicious contract on Wasabi Protocol across the Base and Ethereum chains.

 

As a result of this malicious contract deployment, about $4.5 million in various crypto assets, including WETH, USDC, BTC, VIRTUAL, and cbBTC, as well as memecoins such as PEPE, MOG, and REKT, were stolen. The funds were later consolidated into Ether and distributed across multiple wallet addresses outside the protocol.

 

Wasabi Protocol Responds

Following the disclosure of the exploit by security teams, the Wasabi team, in a post on X, stated that they were aware of the breach and were actively investigating the incident alongside security experts, notably Security Alliance and Blockaid.

 

The team also warned against interacting with a list of compromised vaults and EVM positions across Base, Blast, and Berachain, while stating that users whose vaults were not among the compromised list could proceed with withdrawals at any time.

 

The Wasabi exploit closed the month of April, which recorded some of the largest crypto exploits, including those involving Drift Protocol and KelpDAO, which led to losses of $285 million and $293 million, respectively.

 

 

Hyperbridge, a cross-chain interoperability protocol built on Polkadot, was recently hit by a hack that led to the loss of approximately 108.2 ETH, roughly $237,000.

 

The attack, which occurred in the early hours of Monday, was caused by the exploitation of a smart contract vulnerability in the protocol’s token gateway contract on Ethereum.

 

 

By taking advantage of this vulnerability, the attacker forged a cross-chain message and proof that allowed them to bypass the Merkle proof verification of Hyperbridge’s Ethereum HandlerV1 contract. As this contract is central to security and proof verification on Hyperbridge’s Ethereum side, the attacker was able to gain unauthorized administrative control over the bridged DOT token contract on Ethereum.

 

With this administrative authority, the attacker minted approximately one billion fake bridged DOT tokens in a single transaction. The tokens were then immediately dumped into various liquidity pools through Uniswap V4 and other crypto aggregators such as Odos. However, due to poor liquidity and limited trading activity for the bridged DOT token on Ethereum, the attacker was only able to extract about 108 ETH, valued at roughly $237,000.

 

Polkadot acknowledged the incident in a statement on its official X account, noting that it was aware of the situation. The team stated that the breach only affected DOT tokens on Ethereum, and confirmed that its native DOT cryptocurrency, as well as DOT bridged through other platforms, remained unaffected.

 

To contain the issue, Hyperbridge temporarily paused the protocol. Seun Lanlege, founder of Polytope Labs, the team behind Hyperbridge, stated that the issue was under investigation shortly after the incident occurred.

 

 

Hyperbridge April Fool Joke

The Hyperbridge hack comes shortly after the team made an April Fool's joke on the 1st of April about being hacked, dismissing the idea as a joke and boasting that the protocol was unhackable, a move that sparked criticism about the team’s overconfidence.

 

 

Lanlege, the protocol’s founder, was also called out, with some in the crypto community accusing him of ignoring and rejecting security feedback and tests from white hat researchers who had identified flaws in the protocol’s security system.

 

The Hyperbridge exploit is one of almost 10 smart contract vulnerability exploits we have seen this year. In January, DeFi protocol Truebit and decentralized exchange aggregator Swapnet were hit by smart contract vulnerability exploits that led to the loss of approximately 26.4 million dollars and $13.4 million, respectively.

 

Solv Protocol and CrossCurve were also hit in the following months by smart contract vulnerability exploits. So far, over $400 million has been lost to crypto-related hacks and exploits this year.