Wasabi Protocol, a multichain decentralized perpetual futures trading platform, was hit by an exploit that led to the loss of more than $5 million across several chains.

 

The exploit, according to blockchain security company PeckShield, was carried out across multiple chains, including Base, Berachain, Blast, and Ethereum, which is its main deployment chain.

 

The incident was also flagged by blockchain security firms CertiK and Blockaid, with both firms attributing the cause of the hack to a compromise of the Wasabi deployer wallet, which allowed the attacker to gain privileged admin access and subsequently drain funds from the protocol.

 

“The Wasabi deployer externally owned account was used to grant admin role access to an attacker-controlled helper contract, which then upgraded the perpetual vaults and LongPool to a malicious implementation that drained balances,” Blockaid wrote in a post on X.

 

“All Wasabi and Spicy liquidity provider share tokens minted by these vaults should be treated as compromised. The underlying assets backing them have been drained or are at risk while the Wasabi deployer key remains active. End users holding these tokens are showing book value, but the redemption value is zero,” the firm added, while recommending the immediate flagging and revocation of these tokens.

 

Blockchain security firm Cyvers also provided further details on how the incident occurred. According to Cyvers, a crypto wallet funded through Tornado Cash was used to deploy a malicious contract on Wasabi Protocol across the Base and Ethereum chains.

 

As a result of this malicious contract deployment, about $4.5 million in various crypto assets, including WETH, USDC, BTC, VIRTUAL, and cbBTC, as well as memecoins such as PEPE, MOG, and REKT, were stolen. The funds were later consolidated into Ether and distributed across multiple wallet addresses outside the protocol.

 

Wasabi Protocol Responds

Following the disclosure of the exploit by security teams, the Wasabi team, in a post on X, stated that they were aware of the breach and were actively investigating the incident alongside security experts, notably Security Alliance and Blockaid.

 

The team also warned against interacting with a list of compromised vaults and EVM positions across Base, Blast, and Berachain, while stating that users whose vaults were not among the compromised list could proceed with withdrawals at any time.

 

The Wasabi exploit closed the month of April, which recorded some of the largest crypto exploits, including those involving Drift Protocol and KelpDAO, which led to losses of $285 million and $293 million, respectively.

 

 

Resolv Labs’ stablecoin, USR, has lost its U.S. dollar peg following an exploit of the token’s contract that allowed attackers to mint millions of tokens.

 

The exploit, which occurred on March 22, 2026, resulted in the creation of 50 million unbacked USR tokens, prompting the team to temporarily pause the protocol’s functions to prevent “further malicious actions.”

 

 

According to YieldsandMore, which first reported the story, the attack began with a 100,000 USDC deposit by the attackers, ultimately causing USR to lose its dollar peg and fall to $0.01.

 

After minting the USR tokens, the attackers converted them into wrapped USR (wstUSR) to access deeper liquidity on decentralized exchanges (DEXs). This allowed them to offload large amounts of wstUSR more gradually, reducing the risk of an immediate price crash of USR.

 

The next phase of the attack involved dumping and selling wstUSR tokens across multiple platforms, including KyberSwap and Velora. Using this method, the attackers swapped wstUSR for USDt and USDC, which were then aggressively converted into Ether (ETH).

 

Although the attack was first made public by the crypto research and analysis group YieldsandMore, the Resolv team was only able to pause the protocol three hours later.

 

“It took ResolvLabs three hours to pause its protocol. Roughly one hour of that delay came from the gap between submitting the multisig transaction and collecting the four required signatures to execute it,” YieldsandMore wrote on X.

 

While 50 million tokens were initially minted by the attackers, blockchain security company PeckShield reported that an additional 30 million USR tokens were later minted, bringing the total to approximately 80 million.

 

 

Price Action of USR in the Aftermath of the Exploit

The minting and dumping of USR tokens triggered a severe depeg, sending its price from $1 to roughly $0.02 to $0.05 within minutes, a decline of about 95 to 97%.

 

Although it briefly rebounded to between $0.14 and $0.20, USR is currently trading at $0.2773, according to data from CoinMarketCap at the time of publication. 

 

The USR depeg ranks among the most severe in recent history, second only to the collapse of Terra's TerraUSD (UST) in 2022, which fell from $1 to $0.02 and lost 98% of its value. Iron Finance also had its IRON stablecoin lose its dollar peg, dropping from $1 to about $0.05.