Key Highlights
- Berachain warned users to withdraw funds from Wasabi after a hack, with about $50,000 in user funds at risk.
- The breach came from a compromised admin key, leading to the firm pausing its reward vaults and revoking approvals.
- Over $5 million was drained across multiple chains, highlighting cross-chain risk exposure.
Following the hack on Wasabi Protocol, Berachain Foundation, an EVM-identical Layer 1 (L1) blockchain that had integrated the protocol to offer high-yield leveraged trading, has urged users to withdraw their funds urgently.
“Wasabi across all chains including Berachain has been hacked. If you have funds in Wasabi WITHDRAW THEM NOW,” the foundation warned in a post on X.
It added that around $50,000 belonging to Berachain users is at risk and urged users to act quickly using revoke.cash to remove approvals. At the same time, the foundation said Wasabi reward vaults on Berachain have been halted to reduce further risk while the issue is being handled.
Berachain pauses reward vaults for safety
In another X post, the foundation explained that the issue came from a compromised admin key in the Wasabi system and that the affected reward vaults on Berachain had been paused and blacklisted so no further emissions could go into compromised contracts.
Users who had interacted with Wasabi contracts were told to revoke approvals immediately using the listed contract addresses, with the tags “0xc95ab”, “0xd948”, “0x0da5”, and “0x3EE6”.
At the same time, the team clarified that “BGT rewards in Berachain’s native RewardVaults are safe and can still be claimed.” Berachain also said it is working with Web3 security platforms Blockaid and ZeroShadow to track and investigate the incident.
How the attack happened
The exploit on Wasabi Protocol happened early Thursday, with the attacker draining over $5 million across multiple chains, including Ethereum, Base, Berachain, and Blast.
Security firm PeckShieldAlert quickly flagged the incident on X. Another firm, Hypernative, detected the attack at 07:48 UTC and said it was caused by a “deployer key compromise.” The attack lasted around two hours and affected several vaults and liquidity pools.
Investigators found that the attacker gained control through a compromised deployer EOA key, which allowed full administrative actions on core contracts.
This access was used to grant ADMIN_ROLE to malicious contracts and execute functions that redirected collateral. Blockaid confirmed that the attacker upgraded key vault contracts and long pool systems before draining assets.
Hacker moved stolen funds across wallets
After the breach, the attacker converted the funds into ETH and moved them across multiple wallets. Some of the money was also linked to privacy tools like Tornado Cash, which are used to hide transaction paths so that they will be difficult to trace.
The largest single loss was around 840 ETH, worth more than $1.9 million, while other tokens like USDC and several memecoins were also affected. Before the hack, Wasabi had around $8.5 million in total value locked, according to data from DeFiLlama. That has now dropped to $8.1 million.
Reports confirm the issue was not from a broken smart contract code but from leaked admin access. This means the system worked as designed, but someone got the “master key,” which gave them full control. Once that key was exposed, the attacker was able to drain funds easily.
Meanwhile, DeFi exploits continue to accumulate, often following a similar pattern where attackers gain control through compromised access points.
A couple of months ago, a similar case happened on Step Finance, where attackers used a compromised wallet key to drain about $27 million from its treasury funds. Also, the Drift protocol suffered the same fate early this month after hackers manipulated the system and drained funds through hidden control paths, resulting in over $270 million in losses.
Also Read: How Hackers Hijacked Robinhood’s Legitimate Emails Using Gmail Dot Aliases
