BlockBeats News, May 10th: Wasabi Protocol released a security incident update stating that attackers exploited a Spring Boot Actuator configuration vulnerability in its AWS infrastructure to steal the private key controlling an EVM smart contract, and made off with approximately $4.8 million in user funds and $900,000 in protocol treasury funds from the relevant contract.
The attack chain started with a public-facing server used for analytics, whose Actuator heap dump was not protected by a secure password, allowing the attacker to obtain credentials for another server and ultimately take control of the smart contract's private key. This incident only affects EVM deployments, including parts of the treasury on Ethereum, Base, Blast, and Berachain, while Solana deployments and Prop AMM remain unaffected.
Wasabi Protocol stated that it has not yet provided a final solution for user compensation, but that ensuring "all affected users are made whole" remains a top priority for the team. Future updates on the reimbursement progress will be posted in the Discord community.
