How a $5M Wasabi Protocol Hack Funneled All Stolen Funds into Tornado Cash
A coordinated multi‑chain attack on the Wasabi Protocol on April 30, 2026 stole roughly $5‑$5.5 million, moved the assets across Ethereum, Base, Berachain and Blast, and ultimately laundered the entire amount through Tornado Cash, highlighting critical key‑management failures in DeFi.
Event Overview
On 2026‑04‑30 07:48 UTC Hypernative Labs flagged an active attack on Wasabi Protocol. Within ~2 hours the attacker moved assets from Ethereum, Base, Berachain and Blast, then transferred the proceeds to Tornado Cash. Total loss ≈ $5.0‑$5.5 M; largest single loss 840.9 WETH (~$1.9 M). Pre‑attack TVL ≈ $8.5 M (DeFiLlama).
Ethereum – primary loss, WETH.
Base – perp vault compromised.
Berachain – sizable liquidity pools.
Blast – LP shares.
Technical Root Cause – Admin Key Compromise
UUPS Proxy Upgrade Abuse
Blockaid and CertiK analysis shows the breach resulted from the deployer EOA private key being stolen. The protocol uses the Universal Upgradeable Proxy Standard (UUPS); the admin key controls the proxy’s upgradeTo function, effectively a master key.
Reconstructed attack flow:
Key leakage – attacker obtains the deployer private key.
Privilege escalation – attacker grants themselves ADMIN_ROLE.
Malicious upgrade – attacker calls the proxy’s upgradeTo to replace the perp vault and LongPool implementations with attacker‑controlled contracts.
Fund extraction – attacker calls the upgraded contracts to withdraw all assets from vaults and liquidity pools.
Cross‑chain bridging – swapped assets are converted to ETH/WETH and bridged to an address on Ethereum.
Mixing – ETH is deposited in multiple batches into Tornado Cash.
Lack of Timelock/Multisig
The same admin‑key weakness appeared in the $285 M Drift Protocol attack earlier in April; both protocols deployed without any timelock or multisig protection for the deployer key, allowing instant execution of the exploit.
// Vulnerable contract snippet
// Deployer holds unrestricted ADMIN_ROLE
// No timelock or multisig
adminKey.transferAdminRole(attackerAddress); // attacker seizes role
perpVault.upgradeTo(maliciousImplementation); // upgrade to malicious code
vault.withdrawAll(); // empty the vault
Fund‑Flow Tracking
Three‑Stage Money Laundering
Stage 1 – Asset collection: Tokens from the four chains are swapped on DEXes to ETH/WETH. The largest swap involved 840.9 WETH (~$1.91 M).
Stage 2 – Cross‑chain bridging: WETH is moved via official or third‑party bridges to an attacker‑controlled address on Ethereum.
Stage 3 – Tornado Cash mixing: ETH is deposited repeatedly into Tornado Cash, breaking the link to the original addresses. Some inputs appear to be “tainted” funds previously obtained by other hacker groups.
BlockSec observed that several addresses in the flow had earlier received funds through Tornado Cash linked to the Lazarus Group, the same mixer used for laundering proceeds from the KelpDAO/LayerZero breach.
Industry Context
CertiKAlert recorded >25 major DeFi incidents in April 2026, total losses >$6 B. Notable events:
Drift Protocol – $285 M (deployer‑key issue).
KelpDAO/LayerZero – large loss associated with North‑Korean APT activity.
Wasabi Protocol – $5 M loss.
~20 other incidents.
Key Takeaways
Admin keys without timelock or multisig constitute a single point of failure; key management outweighs code‑level audits.
Cross‑chain attacks can be executed rapidly when upgrade permissions are compromised.
On‑chain tracing and mixer regulation are critical components of DeFi security.
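The role grant followed by an immediate upgrade, repeated across chains, is a sequence a monitor can alert on. The following is an added example, not code from the article or from Wasabi Protocol: it reviews decoded RoleGranted (OpenZeppelin AccessControl) and Upgraded (ERC‑1967) events. The simplified Event shape, the placeholder addresses, the one-hour window and the assumption that upgrades are expected only from a timelock are all illustrative.

```python
from dataclasses import dataclass

# Assumed deployment values: placeholders, not addresses from the incident.
TIMELOCK = "0xTIMELOCK"                     # only sender expected to upgrade
KNOWN_ADMINS = {"0xTIMELOCK", "0xMULTISIG"}
APPROVED_IMPLS = {"0xIMPL_V2"}              # implementations that passed review
WINDOW = 3600                               # seconds between grant and upgrade

@dataclass
class Event:
    ts: int       # block timestamp
    chain: str
    name: str     # "RoleGranted" or "Upgraded"
    sender: str   # transaction sender
    arg: str      # granted account, or new implementation address

def review(events):
    """Return (chain, ts, reason) alerts for anomalies on the admin path."""
    alerts, grants = [], {}   # grants: chain -> (ts, account) of last unknown grantee
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.name == "RoleGranted" and e.arg not in KNOWN_ADMINS:
            grants[e.chain] = (e.ts, e.arg)
            alerts.append((e.chain, e.ts, "role granted to unknown account"))
        elif e.name == "Upgraded":
            if e.sender != TIMELOCK:
                alerts.append((e.chain, e.ts, "upgrade bypassed timelock"))
            if e.arg not in APPROVED_IMPLS:
                alerts.append((e.chain, e.ts, "implementation not on allowlist"))
            g = grants.get(e.chain)
            if g and e.sender == g[1] and e.ts - g[0] <= WINDOW:
                alerts.append((e.chain, e.ts, "upgrade by freshly granted admin"))
    return alerts

def multi_chain_senders(events):
    """Senders behind non-timelock upgrades on more than one chain."""
    seen = {}
    for e in events:
        if e.name == "Upgraded" and e.sender != TIMELOCK:
            seen.setdefault(e.sender, set()).add(e.chain)
    return {s: sorted(c) for s, c in seen.items() if len(c) > 1}

# Constructed sample: decoded, simplified events (not real incident data).
SAMPLE = [
    Event(100, "ethereum", "RoleGranted", "0xDEPLOYER", "0xNEWADMIN"),
    Event(160, "ethereum", "Upgraded", "0xNEWADMIN", "0xUNREVIEWED"),
    Event(200, "base", "RoleGranted", "0xDEPLOYER", "0xNEWADMIN"),
    Event(230, "base", "Upgraded", "0xNEWADMIN", "0xUNREVIEWED"),
    Event(90000, "blast", "Upgraded", "0xTIMELOCK", "0xIMPL_V2"),  # expected path
]
```

On the constructed sample, review(SAMPLE) raises four alerts each for ethereum and base and none for the timelock-driven upgrade on blast; multi_chain_senders(SAMPLE) ties both unreviewed upgrades to the same sender.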
Black & White Path
