Drift Protocol Hacked for $285M: What Went Wrong and What Happens Next

Drift Protocol lost $285M in an April 1, 2026 exploit on Solana. Here's exactly how the attack worked, where the funds went, and what it means for DeFi security.
Soumen Datta
April 2, 2026
On April 1, 2026, Solana-based Drift Protocol was exploited for approximately $285 million, making it the largest DeFi hack of the year to date. The attacker used a multi-week setup involving a fake token, manipulated price feeds, and pre-signed transactions to seize admin control of the protocol, then drained real user funds in under 12 minutes.
#PeckShieldAlert Drift Protocol @DriftProtocol has been exploited, resulting in a loss of over $285M - more than 50% of its TVL. $DRIFT has plummeted by -37%.
The exploiter has already bridged the stolen assets from #Solana to #Ethereum via the CCTP TokenMessengerMinterV2,… pic.twitter.com/EZE4tP0f6c
— PeckShieldAlert (@PeckShieldAlert) April 2, 2026
What Happened to Drift Protocol on April 1?
The attack did not come out of nowhere. According to the Drift Protocol team, it was the result of days of preparation that only became visible when the damage was already done.
Drift's total value locked (TVL) dropped from roughly $550 million to under $300 million in less than an hour. The DRIFT token fell more than 40% during the incident. Security firm PeckShield confirmed the loss exceeded $285 million, representing more than 50% of the protocol's TVL at the time.
The timing caused immediate confusion. Drift's team posted on X to clarify the situation was real, writing: "This is not an April Fools joke. Proceed with caution until further notice."
The protocol suspended all deposits and withdrawals as the investigation began.
How Did the Attacker Set Up the Exploit Days in Advance?
Per reports, the attacker spent at least 9 days building the conditions for the theft before executing it.
The Fake Token and the Oracle Trap
The attacker created a token called CarbonVote Token (CVT), minting approximately 750 million units. They seeded a liquidity pool on Raydium with just $500 and used wash trading, buying and selling the token between their own wallets, to build a fake price history near $1. Over time, on-chain price oracles picked up this artificial price and treated CVT as a legitimate asset worth roughly $1 per token.
An oracle is a service that feeds external price data into a smart contract. When an oracle is fed manipulated data, the smart contract has no way to know the price is fake.
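An added example, not from the article or from Drift's code: a collateral-listing check that values a position at what the pool could actually pay out and measures how much trading volume is between related wallets. It assumes a constant-product pool holding $250 and 250 tokens (a $500 pool), ignores fees, and takes a hypothetical wallet-to-entity mapping; all wallet names and trades are constructed.

```python
from dataclasses import dataclass

@dataclass
class Trade:
    buyer: str
    seller: str
    usd_volume: float

def spot_price(token_reserve, usd_reserve):
    """Price a naive oracle reads from a constant-product pool."""
    return usd_reserve / token_reserve

def realizable_usd(units, token_reserve, usd_reserve):
    """USD paid out for selling `units` into the pool (x*y=k, fees ignored)."""
    return usd_reserve * units / (token_reserve + units)

def self_trade_share(trades, cluster_of):
    """Share of volume where both sides map to the same controlling entity."""
    total = sum(t.usd_volume for t in trades)
    same = sum(t.usd_volume for t in trades
               if cluster_of.get(t.buyer, t.buyer)
               == cluster_of.get(t.seller, t.seller))
    return same / total if total else 0.0

def review_listing(units, token_reserve, usd_reserve, trades, cluster_of,
                   min_realizable_ratio=0.5, max_self_share=0.2):
    """Return reasons to reject the token as collateral (thresholds assumed)."""
    findings = []
    nominal = units * spot_price(token_reserve, usd_reserve)
    real = realizable_usd(units, token_reserve, usd_reserve)
    if real < min_realizable_ratio * nominal:
        findings.append(f"nominal ${nominal:,.0f}, pool can pay ${real:,.2f}")
    share = self_trade_share(trades, cluster_of)
    if share > max_self_share:
        findings.append(f"{share:.0%} of volume is within one wallet cluster")
    return findings

# Constructed sample data (hypothetical wallets, not real chain data).
CLUSTER_OF = {"walletA": "entity1", "walletB": "entity1"}
TRADES = [Trade("walletA", "walletB", 100.0), Trade("walletB", "walletA", 120.0),
          Trade("walletA", "walletB", 80.0), Trade("walletC", "walletA", 10.0)]
```

With 750 million units against that pool, the spot price is $1 while the realizable value stays below the $250 held on the USD side.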
The Durable Nonce Attack
Separately, the attacker used a Solana feature called durable nonces to pre-sign transactions and delay their execution. A durable nonce replaces the normal transaction expiry mechanism, allowing a signed transaction to be held and submitted at any point in the future.
The timeline:
- March 23: Four durable nonce accounts were created. Two were linked to real Drift Security Council multisig members. Two were controlled by the attacker.
- March 27: Drift migrated its Security Council due to a planned member change. The attacker obtained access to two signers in the updated multisig as well.
- March 30: A new durable nonce account was created for a member of the updated multisig.
- April 1: The attacker executed two pre-signed durable nonce transactions, four slots apart, completing an admin transfer that handed them control of protocol-level permissions.
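An added monitoring example, not from the article or from Drift: it flags nonce accounts created for watched multisig signers and admin-program transactions executed from a durable nonce, reporting how long the nonce had been staged. `AdvanceNonceAccount` and `InitializeNonceAccount` are System Program instruction names; the simplified record layout, field names, signer labels and program label are assumptions of this example, and the records are constructed.

```python
from datetime import date

SYSTEM = "system"  # label used for System Program instructions in these records

def is_durable_nonce_tx(tx):
    """Durable-nonce transactions carry AdvanceNonceAccount as instruction 0."""
    ixs = tx["instructions"]
    return bool(ixs) and ixs[0]["program"] == SYSTEM \
        and ixs[0]["type"] == "AdvanceNonceAccount"

def scan(txs, watched_signers, admin_program):
    """Return alerts for nonce accounts tied to watched signers and for
    admin-program transactions that were executed from a durable nonce."""
    created, alerts = {}, []          # created: nonce account -> creation date
    for tx in sorted(txs, key=lambda t: t["date"]):
        for ix in tx["instructions"]:
            if ix["program"] == SYSTEM and ix["type"] == "InitializeNonceAccount":
                created[ix["nonce_account"]] = tx["date"]
                if ix["authority"] in watched_signers:
                    alerts.append(("nonce-created-for-signer",
                                   ix["authority"], tx["date"]))
        touches_admin = any(ix["program"] == admin_program
                            for ix in tx["instructions"][1:])
        if is_durable_nonce_tx(tx) and touches_admin:
            nonce = tx["instructions"][0]["nonce_account"]
            staged = created.get(nonce)
            age_days = (tx["date"] - staged).days if staged else None
            alerts.append(("durable-nonce-admin-tx", nonce, age_days))
    return alerts

# Constructed sample records (not real chain data).
COUNCIL = {"council-signer-1", "council-signer-2"}
ADMIN = "multisig-program-placeholder"
TXS = [
    {"date": date(2026, 3, 23), "instructions": [
        {"program": SYSTEM, "type": "InitializeNonceAccount",
         "nonce_account": "nonce-1", "authority": "council-signer-1"}]},
    {"date": date(2026, 3, 23), "instructions": [
        {"program": SYSTEM, "type": "InitializeNonceAccount",
         "nonce_account": "nonce-2", "authority": "unrelated-wallet"}]},
    {"date": date(2026, 4, 1), "instructions": [
        {"program": SYSTEM, "type": "AdvanceNonceAccount",
         "nonce_account": "nonce-1", "authority": "council-signer-1"},
        {"program": ADMIN, "type": "execute"}]},
    {"date": date(2026, 4, 1), "instructions": [   # ordinary recent-blockhash tx
        {"program": ADMIN, "type": "approve"}]},
]
```

The first alert fires on the day the nonce account is created, which is the point at which a signer can still be asked whether they approved anything.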
With admin access secured, the attacker listed CVT as a valid market on Drift, removed all withdrawal limits, deposited hundreds of millions of CVT tokens as collateral, and then executed 31 rapid withdrawals draining real assets, including USDC, JLP, SOL, wrapped BTC, Jito (JTO), and the Fartcoin (FRT) memecoin, in approximately 12 minutes.
Drift confirmed the attack did not result from a bug in its smart contracts or any compromised seed phrases. Instead, it involved "unauthorized or misrepresented transaction approvals obtained prior to execution."
Security audits by Trail of Bits in 2022 and ClawSecure in February 2026 had cleared Drift, but neither review caught the CVT market introduction or the governance changes that made the attack possible.
Where Did the Stolen Funds Go?
After the exploit, the attacker moved quickly to obscure the trail.
Stolen assets were converted to USDC and SOL, then bridged from Solana to Ethereum using Circle's Cross-Chain Transfer Protocol (CCTP). On Ethereum, the attacker converted the funds into ETH. According to on-chain tracking, the attacker ultimately accumulated 129,066 ETH, worth approximately $273 million at the time.
The attacker also deposited SOL into both HyperLiquid and Binance, complicating tracing efforts across multiple platforms and wallets.
Did Circle Do Enough to Stop the Theft?
On-chain investigator ZachXBT publicly criticized Circle after the exploit, pointing out that large amounts of stolen USDC were bridged from Solana to Ethereum during U.S. business hours without being frozen.
Circle was asleep while many millions of USDC was swapped via CCTP from Solana to Ethereum for hours from the 9 figure Drift hack during US hours.
Value was moved and nothing was done yet again.
Comes days after you froze 16+ business hot wallets incompetently which is still… pic.twitter.com/T0Xwg1HIfO
— ZachXBT (@zachxbt) April 2, 2026
ZachXBT contrasted this response with Circle's recent decision to freeze 16 unrelated corporate hot wallets in a sealed U.S. civil case, arguing that Circle had both the ability and the precedent to intervene but failed to act quickly enough to limit the damage.
Which Protocols Were Affected Beyond Drift?
The fallout extended across Solana's DeFi ecosystem. Several platforms connected to Drift liquidity paused operations or reported losses:
- PiggyBank_fi reported roughly $106,000 in exposure through delta-neutral strategies and covered users directly using team funds.
- Reflect Money paused minting and redemptions for USDC+ and USDT+.
- Ranger Finance halted RGUSD deposits and withdrawals, with estimated exposure above $900,000.
- Project0 stopped borrowing against Drift positions as a precaution.
- TradeNeutral, GetPyra, xPlace, Uselulo, and Elemental DeFi all paused key features or reported limited exposure.
- Jupiter Exchange confirmed its JLP pool remains fully backed.
What Happens Next for Drift?
Drift is coordinating with multiple security firms, exchanges, bridges, and law enforcement to trace and recover stolen assets. The multisig has been updated to remove the compromised wallet. All remaining protocol functions remain frozen.
According to Immunefi CEO Mitchell Amador, the token price impact often outlasts the exploit itself. Immunefi data shows 83% of native tokens from hacked protocols never recover to pre-hack prices.
A detailed postmortem from Drift is expected in the coming days.
Resources
PeckShield on X: Posts (April 1-2)
Lookonchain on X: Posts (April 1-2)
Drift Protocol on X: Posts (April 1-2)
Mitchell Amador on X: Post on March 25
Frequently Asked Questions
What caused the Drift Protocol hack?
The Drift Protocol hack was caused by a combination of pre-signed durable nonce transactions, social engineering that obtained multisig approvals from legitimate council members, and a manipulated oracle price from a fake token called CarbonVote Token (CVT). The attacker used these three elements together to take admin control of the protocol and drain $285 million in real user assets.
What is a durable nonce and why does it matter here?
A durable nonce is a Solana feature that allows a transaction to be signed in advance and submitted later, bypassing the normal short expiry window. In this attack, the exploiter used durable nonces to pre-stage admin transfer transactions weeks before execution, meaning the theft was effectively authorized long before it was visible on-chain.
Were all Drift user funds lost in the hack?
Not entirely. DSOL not deposited in Drift, including assets staked to the Drift Validator, was unaffected. Insurance Fund assets were also flagged for withdrawal and safeguarding. However, all funds held in borrow/lend positions, vaults, and active trading deposits were affected by the exploit.
Author
Soumen Datta
Soumen has been a crypto researcher since 2020 and holds a master’s in Physics. His writing and research have been published by publications such as CryptoSlate and DailyCoin, as well as BSCN. His areas of focus include Bitcoin, DeFi, and high-potential altcoins like Ethereum, Solana, XRP, and Chainlink. He combines analytical depth with journalistic clarity to deliver insights for both newcomers and seasoned crypto readers.