On April 30, 2026, the on-chain protocol Wasabi Protocol encountered a serious security vulnerability, triggering abnormal movements of assets across multiple chains. According to AiCoin data, the security agency CertiK was the first to detect this attack, with initial estimates of stolen funds amounting to approximately $2.9 million. Subsequently, PeckShield released a more severe loss assessment, indicating that Wasabi might have been compromised due to the admin private key being breached, allowing the attackers to obtain key privilege roles through a deployed wallet, executing draining operations in contracts across multiple chains, with cumulative losses estimated at about $5.5 million. Currently, the stolen assets have been dispersed to multiple on-chain addresses, with address 0xb8Bb...70dB holding about $677,000, and address 0x6244...f906 holding approximately $1.1 million, showcasing a clear trend of decentralized laundering.

In response to this security crisis, the Wasabi team issued an official statement on May 1, clarifying the risk boundaries. The statement pointed out that the impact of this vulnerability is limited to its EVM deployed contracts, while its contract architecture on Solana remains secure and unaffected by the private key leak or abuse of permissions. This situation of "multi-chain disaster, Solana spared" shifted the market focus from mere loss amounts to discussions on the permission isolation mechanisms between different chains. Currently, Wasabi officials have stated that they are collaborating with leading security teams to manage the residual risks in contracts and funds, and have formally contacted law enforcement and the FBI to intervene in the investigation. Although the judicial recovery procedure has begun, no details about recovered fund amounts or specific compensation plans for affected users have yet been disclosed.

Stolen Multi-Chain Assets: $2.9M-$5.5M

According to monitoring data from multiple security agencies, the specific amount of loss sustained by Wasabi Protocol in this security vulnerability shows dynamic updates and distinctive cross-chain characteristics. On April 30, 2026, CertiK initially disclosed that the protocol was attacked, estimating stolen funds at around $2.9 million. However, with in-depth tracing of on-chain trajectories, monitoring results released by PeckShield indicated that cumulative losses had risen to approximately $5.5 million. The disparity between these two data sets primarily stems from differences in the accounting scope of multi-chain asset damages: PeckShield noted that this attack was not limited to an isolated incident on a single public chain but affected all EVM deployed contracts of Wasabi across multiple public chains. The consensus among several security agencies points to the core cause being "admin private key breach," meaning that the attackers achieved direct penetration into multi-chain contract assets by illegally obtaining privileged roles for wallet deployment.

In terms of fund flow, the stolen assets exhibit significant decentralization on-chain, with no large-scale concentrated laundering behavior observed so far. According to disclosed tracking data, the attackers split and transferred the illegally obtained funds to multiple independent addresses in an attempt to evade real-time fund freezes. According to AiCoin data, among these, address 0x6244...f906 currently holds about $1.1 million in stolen assets, while address 0xb8Bb...70dB holds approximately $677,000. The decentralized distribution of these assets in a multi-chain environment further confirms the security agencies' qualitative assessments of "multi-chain attacks," indicating that the defense system of the Wasabi protocol has been fully breached in a multi-chain deployment environment. This strategy of storing funds across multiple addresses not only reflects the attackers’ deep understanding of Wasabi's cross-chain fund distribution but also adds a layer of technical complexity to subsequent judicial investigations and asset interception.

Solana Contracts Remain Intact: The Isolation Effect of Multi-Chain Architecture

In the face of devastating blows to multi-chain protocols, the "firewall" effect between different underlying architectures often becomes the only hope for the survival of funds. According to AiCoin data, although Wasabi Protocol suffered heavily in the EVM ecosystem, its assets and contracts on the Solana chain exhibited strong resilience. Wasabi officials clearly stated in an open announcement on May 1 that the contracts on Solana remained secure, completely unaffected by this security vulnerability. This statement not only reassured users outside the EVM ecosystem but also confirmed from a technical perspective that the attack path had significant environmental limitations.

From a technical logic perspective, this vulnerability was limited to Wasabi's deployment in the EVM ecosystem. Given that Solana differs fundamentally from Ethereum and its compatible chains (EVM) in development language (Rust vs. Solidity), account models, and signature mechanisms, this means that Wasabi's deployment on the Solana side did not share the compromised EVM deployment privileges or admin keys. Even if the attackers gained privileged roles on the EVM chain through an invasion of the deployment wallet, they could not directly cross the architectural divide to access the contract logic on the Solana side. According to current event reports and on-chain monitoring, no abnormal fund fluctuations or signs of contract tampering have been observed on the Solana side, constituting a factual risk isolation in the context of a simultaneous multi-chain attack.

This result of "asymmetric disaster" profoundly reveals the protective role of multi-chain architecture in extreme risk events. In the case of Wasabi, multi-chain deployment is not merely an expansion of business territory but has objectively formed a natural isolation system that limits the scope of the attack. While PeckShield indicated that the protocol may have suffered a cumulative loss of about $5.5 million due to admin private key leak across multiple EVM chains, the fact that the Solana side remains unscathed demonstrates that maintaining an independent permission management system across different technology stacks is an effective means to prevent "single point collapse leading to total destruction." For developers, this physical isolation at the architectural level becomes the last line of defense for protecting specific ecological assets when privileged roles are abused.

Admin Private Key Breach: Privileged Roles as the Attack Breakthrough Point

According to preliminary investigations by security agencies CertiK and PeckShield, the core cause of the attack on Wasabi Protocol is the compromise of its deployer wallet. After the attackers gained control of this wallet, they naturally obtained "privileged roles" for the protocol at the contract level. PeckShield's analysis further characterizes this incident as an admin private key breach, with this "god mode" privilege leak allowing attackers to bypass conventional business logic constraints and directly implement illegal operations on contracts across multiple chains. According to AiCoin data and summaries from security agencies, the damage from this vulnerability covered multiple EVM-compatible chains, with preliminary estimates of losses ranging from the initially detected $2.9 million to approximately $5.5 million. Currently, the stolen funds have shown a highly decentralized trend, flowing to multiple addresses controlled by the attackers, including 0xb8Bb...70dB (approximately $677,000) and 0x6244...f906 (approximately $1.1 million).

In the architectural design of DeFi protocols, the combination of "deployer wallet + privileged roles" often represents the weakest point in security defenses. Typically, the deployer address possesses the highest level of governance authority at the contract initialization stage, including but not limited to contract upgrades, key parameter adjustments, and emergency handling of fund pools. If these critical powers are not distributed through multi-signature wallets (Multi-sig) or lack time-lock mechanisms to provide risk warning buffers for the community, once the underlying private keys are exposed during storage or transmission, the protocol's defense system can collapse instantaneously. The Wasabi case once again confirms the systemic risk of centralized privileges: when attackers master the deployer private key, even if the underlying contract code has undergone multiple audits, its operational logic can still be altered by malicious instructions, leading to the rapid looting of protocol assets.

To address such high-level privilege risks, the industry-recognized defense framework emphasizes "privilege separation" and "logical isolation." Ideally, the deployment permissions, operational maintenance permissions, and fund management permissions of the protocol should be held by mutually independent entities and physically isolated in conjunction with hardware security modules (HSM). The fact that Wasabi's contracts on the Solana chain were spared, aside from the differences in the underlying technology stack, is clearly due to the excessive concentration of privilege management at the EVM deployment level. A comparison shows that for multi-chain protocols to achieve redundancy in security, they must maintain independent privilege systems across different ecosystems. Although Wasabi officials have indicated that they are collaborating with leading security teams and contacting the FBI to initiate a judicial investigation, for the broader DeFi developer community, how to utilize multi-signature governance and the principle of least privilege to reconstruct defensive boundaries is the core issue to fundamentally avoid the abuse of "privileged roles."

Coordination with Security Teams and Law Enforcement Intervention: The Practical Boundaries of Incident Handling

After confirming the scope of the vulnerability's impact, Wasabi Protocol quickly entered the crisis management phase. According to an update statement released by the official on May 1, 2026, the team has collaborated with multiple leading security experts and agencies to implement risk containment and path tracing for the damaged EVM deployed contracts. Meanwhile, Wasabi clearly stated that it has formally contacted the Federal Bureau of Investigation (FBI) and relevant law enforcement agencies, attempting to track the hacker's identity through judicial means. This dual track of "technical tracing + judicial intervention" has become the standard response paradigm following large-scale fund losses for current DeFi protocols, aiming to utilize the synergy of on-chain analysis tools and regulatory deterrence to suppress the attackers' cashing-out space.

However, the transparency of on-chain data has not directly translated into certainty about fund recovery. According to AiCoin data, approximately $5.5 million in stolen assets from this incident (according to PeckShield's monitoring criteria) has displayed highly fragmented characteristics. CertiK's monitoring data further confirms that the attackers, after obtaining the funds, rapidly split them through multiple intermediary addresses; currently, a portion of the stolen funds has been dispersed across multiple addresses, including 0xb8Bb...70dB (holding about $677,000) and 0x6244...f906 (holding about $1.1 million). This multi-chain, multi-address decentralized routing significantly increases the difficulty of asset interception. Although security teams can alert centralized exchanges (CEX) to intercept by marking malicious addresses, the success rate of funds flowing back to the original protocol address remains constrained by regulatory blind spots in the cross-chain environment.

Currently, the progress of the entire incident's handling remains within the practical boundaries of "ongoing investigation." As of now, Wasabi officials have yet to confirm any amounts of successfully recovered funds and have not provided specific plans for compensating affected users. In the multi-chain security game, even though the Solana chain contracts remain unharmed due to architectural differences, the significant funding gap on the EVM side continues to pose a severe challenge to the protocol's liquidity confidence. For the community, the current focus has shifted from the initial "causes of the vulnerability" to "effectiveness of recovery," but in the absence of a native automated recovery mechanism in a decentralized environment, the feedback cycle of law enforcement intervention is often long, and the final degree of loss recovery remains to be seen.

Signals of Multi-Chain DeFi Risk Post-Wasabi Incident

The outbreak of the Wasabi incident once again highlights the systemic risks associated with the combination of "multi-chain deployment" and "centralized privileged permissions." According to monitoring data from several security agencies, as of May 1, the scale of financial losses resulting from this attack is preliminarily fixed in the range of $2.9 million to $5.5 million. Although Wasabi officials have confirmed that its contracts on Solana have not been affected due to architectural differences, the attack path of "deployer wallet compromised - privileged roles abused - multi-chain contracts damaged" has become clear. This indicates that while pursuing cross-chain liquidity expansion, the physical isolation of management permissions and the efficacy of multi-signature mechanisms remain the lifeline for protocol survival. Currently, stolen funds are still dispersed across multiple addresses, including 0xb8Bb...70dB (about $677,000) and 0x6244...f906 (about $1.1 million); the ongoing feedback from on-chain monitoring will be key in assessing fund flows and potential selling pressure.

Looking ahead, the aftershocks of the Wasabi incident will continuously release signals from three dimensions: first, the substantial handling progress from the project party, including the disclosure of a technical review report and the effectiveness of recovery in collaboration with law enforcement such as the FBI, will directly determine the feasibility of user compensation schemes; second, the market's re-examination of the permission structures of similar DeFi protocols, especially for projects that heavily rely on a single deployer wallet or lack time-lock restrictions, may face repricing of their risk premiums; lastly, the reshaping of user on-chain behavioral habits, should remain cautious regarding its profound market impacts until more underlying details are confirmed. According to AiCoin data, sensitivity to security in the multi-chain environment is increasing, and official announcements released by the project in the future will be an important signal in determining whether risks are truly alleviated.

Join our community to discuss and strengthen together!
Official Telegram community: https://t.me/aicoincn
AiCoin Chinese Twitter: https://x.com/AiCoinzh
AiCoin On-chain: https://aicoin.com/hyperliquid
AiCoin exclusive Hyperliquid benefits: https://app.hyperliquid.xyz/join/AICOIN88
AiCoin exclusive Aster benefits: https://www.asterdex.com/zh-CN/referral/9C50e2

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。