On April 1, 2026, decentralized exchange Drift Protocol on the Solana blockchain suffered a massive cyberattack. The attacker drained at least $285 million in crypto assets, making it the largest crypto exploit of the year and the second-largest in Solana's history.
Multi-stage attack preparation
The investigation revealed that preparation for the hack lasted several weeks. The attacker created a token called CarbonVote Token (CVT) and minted approximately 750 million units. They then set up a small liquidity pool, roughly $500, on decentralized exchange Raydium and conducted wash trades over several weeks to build an artificial price history around $1 per token.
This strategy allowed Drift's oracles to register CVT as a legitimate asset with a stable price. Once the artificial price became established in the system, the attacker moved to the main phase of the exploit.
How the April 1 exploit unfolded
The key element of the attack was the compromise of an administrative key through a vulnerability in the durable nonces mechanism - a specialized transaction signing system on Solana. After gaining control of the protocol's Security Council, the hacker made a series of critical changes: added the fake CVT token as a valid market on Drift, raised withdrawal limits to extreme levels, and effectively disabled safety mechanisms.
The attacker then deposited hundreds of millions of CVT as collateral and within minutes withdrew real assets. USDC, SOL, JLP, WBTC, and other tokens totaling $285 million.
Scale of losses and market reaction
The consequences of the attack were immediate. Drift Protocol's TVL (total value locked) plunged from approximately $550 million to less than $300 million in under an hour. The DRIFT token lost over 40% of its value, dropping to around $0.05.
The Drift Protocol team immediately suspended platform operations, blocking deposits and withdrawals. The protocol said it was coordinating with multiple security firms, bridges, and centralized exchanges to contain the fallout.
Tracking the stolen funds
Blockchain analysts promptly traced the movement of stolen assets. The hacker consolidated funds and converted them primarily into USDC and SOL. A significant portion was bridged to Ethereum via Circle's Cross-Chain Transfer Protocol (CCTP), while the rest was distributed across dozens of wallets on Solana.
Circle - the USDC issuer, faced particular criticism. Despite having the technical ability to freeze the stolen stablecoins, the company did not do so during the critical hours after the breach. This stands in stark contrast to a recent case where Circle swiftly froze USDC in 16 business wallets as part of a civil action in the United States.
Chain reaction across the Solana ecosystem
The Drift hack triggered a wave of consequences across Solana's entire DeFi ecosystem. At least 12 protocols with exposure to Drift's liquidity or strategies suffered losses of varying magnitude. Some temporarily suspended deposits, withdrawals, and borrowing functions. Several projects announced limited losses and pledged to reimburse users from their own reserves.
This incident became the second-largest hack in Solana's history after the $326 million Wormhole exploit in 2022. It once again raised critical questions about admin key security, oracle effectiveness, and the vulnerability of the entire DeFi protocol chain when a key node is compromised.
Lessons for the crypto community
The $285 million Drift Protocol hack is yet another painful lesson for the DeFi sector. Even protocols with audits and multi-layered security systems remain vulnerable if an attacker gains access to an administrative key. This attack vector is considered one of the most dangerous, as it allows bypassing any software-based protections.
Security experts recommend the crypto community diversify assets across multiple protocols, closely monitor governance changes in projects they invest in, and favor protocols with multisig administrative mechanisms over single-key solutions.
Comments
Your email address will not be published. Required fields are marked *