Massive $285 Million Hack Hits Solana's Drift Protocol

On April 1, 2026, Drift Protocol, Solana's largest perpetual futures exchange, suffered a devastating hack, losing $285 million in just 12 minutes. The attack, attributed to North Korean hackers, exploited governance vulnerabilities rather than smart contract flaws. The attackers used a sophisticated method involving durable nonces and social engineering to gain control over Drift's Security Council. They created a fictitious asset, CarbonVote Token (CVT), manipulated its price, and tricked council members into pre-signing transactions that facilitated the heist.

The attackers meticulously prepared for weeks, starting with a 10 ETH withdrawal from Tornado Cash to fund their scheme. They seeded a liquidity pool on Raydium, creating an artificial price history for CVT, which Drift's oracles mistakenly accepted as legitimate collateral. The attack culminated on April 1, when the hackers listed CVT on Drift, raised withdrawal limits, and drained funds from nearly 20 vaults.

The stolen assets were quickly converted to USDC and SOL, then bridged from Solana to Ethereum using Circle's Cross-Chain Transfer Protocol. Despite public criticism, Circle did not freeze the stolen USDC during the bridge. The hack significantly impacted Drift's total value locked (TVL), which plummeted from $550 million to $252 million, and caused a 40% drop in the DRIFT token's value. Several interconnected DeFi protocols also reported financial exposure.

In response, Drift sent on-chain messages to wallets holding the stolen ETH, urging dialogue. The hack is the largest DeFi exploit of 2026 and the second-largest in Solana's history. It highlights the shift in attack strategies from code exploits to targeting human and governance weaknesses. Despite audits by Trail of Bits and ClawSecure, the governance vulnerabilities were not identified, underscoring the need for comprehensive security reviews beyond smart contracts.