DeFi’s weak spots: How a single key led to a $4.5 million hack
Fri May 01 2026
A recent attack on Wasabi Protocol shows how quickly decentralized finance (DeFi) projects can lose millions when security measures are weak. On Thursday, hackers stole $4.55 million by gaining control of a single admin key. This key, held in a wallet called wasabideployer.eth, gave them full control over the platform’s vaults and trading pools.
The attackers didn’t need to find a hidden flaw. Instead, they exploited a common feature in DeFi called UUPS upgradeability. This allows smart contracts to change their own code without moving to a new address. While useful for fixing bugs, it also lets anyone with admin rights rewrite the rules—including adding malicious code to drain funds. Wasabi had no safeguards like a time delay or multi-signature approval, meaning the single key was all that stood between safety and disaster.
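What a time delay and multi-signature approval change about an upgrade path, shown as an added example that is not code from Wasabi or from this article. It is a toy Python model rather than a smart contract; the `UpgradeGate` class, the signer names, the 2-of-3 threshold and the 48-hour delay are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class UpgradeGate:
    """Toy model of who may swap a proxy's implementation (illustrative names)."""
    signers: frozenset          # keys allowed to approve an upgrade
    threshold: int              # approvals required (1 = single admin key)
    delay: int                  # seconds between quorum and execution
    implementation: str = "impl_v1"
    pending: dict = field(default_factory=dict)   # new_impl -> (approvers, eta)

    def approve(self, key, new_impl, now):
        if key not in self.signers:
            raise PermissionError("not a signer")
        approvers, eta = self.pending.get(new_impl, (set(), None))
        approvers.add(key)
        if len(approvers) >= self.threshold and eta is None:
            eta = now + self.delay      # clock starts once quorum is reached
        self.pending[new_impl] = (approvers, eta)

    def cancel(self, key, new_impl):
        if key not in self.signers:
            raise PermissionError("not a signer")
        self.pending.pop(new_impl, None)

    def execute(self, new_impl, now):
        _, eta = self.pending.get(new_impl, (set(), None))
        if eta is None or now < eta:
            return False                # no quorum yet, or still inside the delay
        self.implementation = new_impl
        del self.pending[new_impl]
        return True

def single_key_outcome():
    gate = UpgradeGate(frozenset({"deployer"}), threshold=1, delay=0)
    gate.approve("deployer", "impl_unreviewed", now=0)
    gate.execute("impl_unreviewed", now=0)          # one key, zero delay: applied at once
    return gate.implementation

def guarded_outcome():
    gate = UpgradeGate(frozenset({"a", "b", "c"}), threshold=2, delay=48 * 3600)
    gate.approve("a", "impl_unreviewed", now=0)     # one key alone: no quorum
    alone = gate.execute("impl_unreviewed", now=10**9)
    gate.approve("b", "impl_unreviewed", now=0)     # quorum reached, delay starts
    early = gate.execute("impl_unreviewed", now=3600)
    gate.cancel("c", "impl_unreviewed")             # a signer vetoes inside the window
    late = gate.execute("impl_unreviewed", now=10**9)
    return alone, early, late, gate.implementation
```

In the single-key configuration the unreviewed implementation is live immediately; in the guarded one it never takes effect, because one key cannot reach quorum and the delay leaves time for a veto.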
This wasn’t an isolated case. Earlier this month, a similar attack on Drift Protocol, a Solana-based exchange, resulted in a $285 million loss. Hackers used a compromised admin key to fake collateral and withdraw real assets in minutes. Just weeks later, another breach at Kelp DAO saw $292 million vanish when a single verifier in a bridge contract was manipulated. Every incident follows the same pattern: weak admin controls, no delays, and no backup checks.
So far in 2026, DeFi has lost over $770 million across more than 30 hacks, with April alone accounting for most of it. Smaller but still costly attacks hit platforms like CoW Swap, Grinex, and Resolv Labs. The irony? Each breach leads to the same discussions about improving security—but by the time changes happen, another exploit has already occurred.
https://localnews.ai/article/defis-weak-spots-how-a-single-key-led-to-a-4-5-million-hack-f5d175b0