The Drift Protocol Hack: How Privileged Access Led To A $285 Million Loss
Incident Report, April 2, 2026


Drift Protocol, Solana's largest DeFi protocol, lost $285 million after attackers spent months infiltrating the team, pre-signing malicious transactions, and manipulating a fake token's price to drain real assets.

On April 1, 2026, Drift Protocol — the largest DeFi protocol on Solana — was drained of $285 million, representing more than half of its total value locked. The attack was highly coordinated, months in the making, and likely the work of North Korean state-sponsored actors, though formal attribution had not been confirmed at the time of writing.

What made this incident unusual was not the on-chain mechanics — it was everything that happened before a single transaction was submitted.

Months of Social Engineering

The attack began well before April 1. Individuals posing as a legitimate quantitative trading firm approached Drift contributors at major crypto conferences in late 2025. Over the following six months, they built genuine-looking relationships — depositing over $1 million into Drift vaults, participating in product discussions, and maintaining regular contact across Telegram and in-person meetings at global events.

This wasn't reconnaissance. It was relationship-building designed to gain proximity and credibility within the protocol's inner circle, while simultaneously identifying and approaching Security Council members — the small group of individuals who hold multi-signature admin privileges over the protocol.

The Fake Token Setup

On March 12, 2026, the attackers created a token called CarbonVote Token (CVT), controlling roughly 80% of its supply. They built a small trading pool with around $500 in real liquidity and traded CVT between their own wallets to simulate genuine market activity and maintain an artificial price of approximately $1. They also controlled the price oracle reporting CVT's value.

To any external system, CVT looked like a legitimate asset: it had a price, a trading history, and apparent demand. This illusion would become the foundation of the actual drain.

Exploiting Solana's Durable Nonces

Between March 23 and 30, the attackers leveraged a Solana feature called durable nonces. A normal Solana transaction references a recent blockhash and expires within a minute or two if it is not submitted; a durable nonce replaces that blockhash with a value stored in an on-chain nonce account, so a transaction can be signed in advance and executed later, sometimes days or weeks later, as long as the nonce has not been advanced. Think of it as signing a check today to be cashed later.

The attackers prepared a set of these pre-signed transactions containing instructions to transfer administrative control of the Drift protocol to an attacker-controlled address. Through social engineering, they got at least two Drift Security Council members to sign these transactions without fully understanding their contents — a case of blind signing.

On March 26, Drift migrated to a new 2-of-5 threshold Security Council multisig with no timelock. The attackers had already obtained signatures from members of the new multisig as well, re-establishing the quorum they needed.

On April 1, the pre-signed transactions were triggered. Because they carried valid signatures from authorized council members, the Solana network treated them as entirely legitimate. In two transactions executed one second apart, the attackers had full admin control of Drift.
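The blind-signing step described above is where a signing policy can intervene. The following is an added example, not code from the incident report or from Drift: a pre-signing review that decodes a simplified Solana-style transaction and flags the combination that made this attack possible, a durable nonce (the transaction opens with the System program's AdvanceNonceAccount instruction) wrapped around a privileged admin instruction. The System program id and the AdvanceNonceAccount discriminator are real on-chain values; the admin program id, its instruction discriminators and the sample account names are hypothetical placeholders.

```python
"""Pre-signing policy check for Solana-style transactions (added example).

Assumptions (not from the incident report):
- A transaction is modelled as a list of instructions, each carrying a
  program id, account keys and raw instruction data.
- System program instructions use the real layout: a u32 little-endian
  discriminator, with AdvanceNonceAccount = 4 and Transfer = 2.
- ADMIN_PROGRAM and PRIVILEGED_DISCRIMINATORS are hypothetical placeholders
  for the protocol's own program and its privileged instructions.
"""
from dataclasses import dataclass
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # real System program id
ADVANCE_NONCE_ACCOUNT = 4  # SystemInstruction enum index (real)
SYSTEM_TRANSFER = 2        # SystemInstruction enum index (real)

ADMIN_PROGRAM = "HypotheticalAdminProgram1111111111111111111"  # placeholder
PRIVILEGED_DISCRIMINATORS = {                                   # placeholders
    b"\x07": "update_admin",
    b"\x0b": "update_collateral_params",
}


@dataclass
class Instruction:
    program_id: str
    accounts: list
    data: bytes


@dataclass
class Transaction:
    instructions: list
    signers: list


def uses_durable_nonce(tx):
    """A durable-nonce tx must start with SystemProgram::AdvanceNonceAccount."""
    if not tx.instructions:
        return False
    first = tx.instructions[0]
    if first.program_id != SYSTEM_PROGRAM or len(first.data) < 4:
        return False
    (disc,) = struct.unpack_from("<I", first.data, 0)
    return disc == ADVANCE_NONCE_ACCOUNT


def privileged_instructions(tx):
    """Names of privileged admin-program instructions present in the tx."""
    found = []
    for ix in tx.instructions:
        if ix.program_id == ADMIN_PROGRAM:
            found.append(PRIVILEGED_DISCRIMINATORS.get(ix.data[:1], "unknown_admin_ix"))
    return found


def review(tx):
    """Return findings for a human signer; an empty list means nothing flagged."""
    findings = []
    nonce = uses_durable_nonce(tx)
    admin = privileged_instructions(tx)
    if nonce:
        findings.append("durable nonce: tx stays valid until the nonce account advances")
    if admin:
        findings.append("privileged: " + ", ".join(admin))
    if nonce and admin:
        # The exact pattern from the incident: a privileged change that can be
        # held back and executed at a time of the attacker's choosing.
        findings.append("BLOCK: pre-signed privileged action; sign live or route through a timelock")
    return findings


def sample_pre_signed_admin_tx():
    """Constructed sample: an admin-authority transfer behind a durable nonce."""
    return Transaction(
        instructions=[
            Instruction(SYSTEM_PROGRAM, ["NonceAccount", "RecentBlockhashesSysvar", "NonceAuthority"],
                        struct.pack("<I", ADVANCE_NONCE_ACCOUNT)),
            Instruction(ADMIN_PROGRAM, ["ProtocolState", "CurrentAdmin", "NewAdmin"],
                        b"\x07" + b"\x00" * 32),
        ],
        signers=["CouncilMember1", "CouncilMember2"],
    )


def sample_routine_tx():
    """Constructed sample: an ordinary SOL transfer with a normal blockhash."""
    return Transaction(
        instructions=[Instruction(SYSTEM_PROGRAM, ["Payer", "Recipient"],
                                  struct.pack("<I", SYSTEM_TRANSFER) + struct.pack("<Q", 1_000))],
        signers=["CouncilMember1"],
    )


if __name__ == "__main__":
    for finding in review(sample_pre_signed_admin_tx()):
        print(finding)
```

A hardware wallet or multisig front end that runs this kind of decode before presenting a transaction would have shown the council members exactly what they were signing: an admin transfer with no expiry.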

The Drain

With admin access secured, the attackers whitelisted CVT as collateral, set borrowing limits to extreme levels, and loosened risk parameters. The protocol accepted all of this without resistance — every action came from a validly authorized admin key.

They then deposited 500 million CVT. Based on the artificial price they had engineered weeks earlier, the system believed this deposit was worth roughly $500 million. Against that fake collateral, the attackers began withdrawing real assets across multiple vaults.
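The valuation step is where the fake collateral should have failed. Below is an added example, not code from Drift or from the report, showing a collateral admission check that values a deposit two ways: the naive oracle valuation the report describes, and a bound on what the asset's real pool liquidity could actually absorb at a capped price impact, plus holder-concentration and oracle-independence checks. The numbers for CVT are the ones the report quotes (500 million tokens, roughly $1 oracle price, about $500 of real liquidity, about 80% of supply attacker-held); treating the $500 as the pool's quote-side reserve, the 10% impact cap and the 50% concentration threshold are constructed assumptions, as is the comparison asset.

```python
"""Collateral admission check: oracle value vs. liquidatable value (added example).

Assumptions (not from the incident report): the asset trades in a
constant-product pool whose quote-side reserve is taken to be the quoted
"real liquidity"; thresholds are illustrative.
"""
from dataclasses import dataclass
from math import sqrt


@dataclass
class Asset:
    symbol: str
    oracle_price_usd: float
    pool_quote_reserve_usd: float  # real quote-asset liquidity that can be sold into
    top_holder_share: float        # fraction of supply held by the largest holder(s)
    oracle_independent: bool       # price source cannot be set by the issuer


def naive_collateral_value(asset, amount):
    """What a protocol trusting the oracle alone believes the deposit is worth."""
    return amount * asset.oracle_price_usd


def liquidity_bounded_value(asset, max_impact=0.10):
    """Max proceeds from selling into a constant-product pool before the price
    drops by max_impact. With quote reserve Q, proceeds = Q * (1 - sqrt(1 - p)).
    This bound is independent of how many tokens the depositor holds."""
    return asset.pool_quote_reserve_usd * (1.0 - sqrt(1.0 - max_impact))


def assess_collateral(asset, amount, max_impact=0.10, max_holder_share=0.50):
    """Return the two valuations, the credit actually extended, and rejection reasons."""
    naive = naive_collateral_value(asset, amount)
    bounded = liquidity_bounded_value(asset, max_impact)
    reasons = []
    if asset.top_holder_share > max_holder_share:
        reasons.append(f"{asset.symbol}: {asset.top_holder_share:.0%} of supply held by a single party")
    if not asset.oracle_independent:
        reasons.append(f"{asset.symbol}: price oracle controlled by the issuer")
    if naive > bounded:
        reasons.append(f"{asset.symbol}: oracle value ${naive:,.0f} exceeds liquidatable bound ${bounded:,.2f}")
    credit = 0.0 if reasons else min(naive, bounded)
    return {"naive_usd": naive, "liquidatable_usd": bounded, "credit_usd": credit, "reasons": reasons}


# Constructed samples: the CVT figures from the report, and a deep, widely held asset.
CVT = Asset("CVT", oracle_price_usd=1.0, pool_quote_reserve_usd=500.0,
            top_holder_share=0.80, oracle_independent=False)
DEEP = Asset("DEEP", oracle_price_usd=1.0, pool_quote_reserve_usd=50_000_000.0,
             top_holder_share=0.05, oracle_independent=True)


if __name__ == "__main__":
    result = assess_collateral(CVT, 500_000_000)
    print(f"naive ${result['naive_usd']:,.0f} vs liquidatable ${result['liquidatable_usd']:,.2f}")
    for reason in result["reasons"]:
        print("reject:", reason)
```

The point the example makes is that the 500 million token deposit is worth roughly $500 million only to a system that trusts the oracle alone; against the pool the attackers actually funded, the liquidatable value is in the tens of dollars, and the concentration and oracle checks each independently reject CVT as collateral.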

At least 18 different token types were drained over approximately 2.5 hours, including $71.4 million in USDC, $159.3 million in JLP, $11.3 million in cbBTC, $5.6 million in USDT, $4.7 million in WETH, and several others. Even as the drain was underway, the attackers were already bridging funds to Ethereum and converting assets into ETH — demonstrating a level of operational coordination that made real-time intervention extremely difficult.

The Wider Impact

Because of how interconnected Solana DeFi is, the damage didn't stop at Drift. At least 20 protocols that relied on Drift's liquidity, vaults, or strategies reported disruptions, pauses, or losses in the aftermath. Many teams paused functionality while assessing exposure.

The incident is a reminder that the weakest point in a DeFi protocol is often not the smart contract — it's the people and systems around it.

Elygius Fund


© 2026 Elygius Fund. All rights reserved.