Summary
Drift Protocol is a Solana-based decentralized perpetual futures exchange that suffered a catastrophic $285 million exploit on April 1, 2026, allegedly orchestrated by North Korean actors through sophisticated social engineering. The protocol is currently planning a relaunch with Tether backing and enhanced security measures while working to compensate affected users through a recovery token system.
Editorial decisions, corrections, and updates are anchored on Solana.
Critical Security Exploit - April 1, 2026
On April 1, 2026, Drift Protocol suffered a $285-286 million exploit that drained over 50% of its total value locked in what became the largest DeFi hack of 2026 to date and the second-largest security incident in the Solana ecosystem after the Wormhole bridge exploit. The attackers allegedly spent months posing as a quantitative trading firm to build trust with Drift contributors, demonstrating a sophisticated long-term operation. They exploited Solana's "durable nonces" system to trick legitimate Security Council members into blindly pre-signing dormant transactions that later transferred administrative control. Once in control, the attackers whitelisted a worthless, artificially priced fake token (CVT) as collateral and deposited 500 million CVT to withdraw $285 million in real assets like USDC, SOL, and ETH. Multiple indicators suggest the exploit is linked to the Democratic People's Republic of Korea (DPRK), with on-chain behavior consistent with previously attributed DPRK operations.
- [1] [MED] Chainalysis - The Drift Protocol Hack (research)
- [2] [MED] Elliptic - Drift Protocol exploited (research)
- [3] [HIGH] Bloomberg - Solana-based DeFi project Drift hit by exploit (news article)
Legal and Regulatory Actions
A proposed class-action lawsuit was filed on April 14, 2026 in federal court in Massachusetts, naming Circle entities and alleging failures related to freezing stolen stablecoin funds connected to the Drift Protocol incident. The lawsuit investigation focuses on Circle Internet Financial's alleged failure to freeze funds despite having the technical ability, contractual authority, and operational capability to act during the six-hour window when attackers moved over $230 million in stolen USDC through Circle's Cross-Chain Transfer Protocol. Blockchain investigator ZachXBT criticized Circle's actions, claiming they resulted in $240 million directly funding North Korea across multiple hacks while Circle had hours to act in clear-cut cases involving illicit transfers. The controversy highlights compliance inconsistencies where Circle had aggressively frozen 16 unrelated business wallets in a separate civil matter nine days earlier, demonstrating both capability and willingness to act.
- [1] [MED] Quiver Quantitative - Circle Internet Group lawsuit overhang (news article)
- [2] [HIGH] National Law Review - Drift Protocol Class Action Investigation (official)
Technical Attack Vector Analysis
The exploit did not involve a bug in Drift's code but used "durable nonces," a legitimate Solana transaction feature, to pre-sign administrative transfers weeks before executing them. The attack was a coordinated operation combining multisig approval manipulation and durable nonce exploitation, where attackers induced two of five Security Council multisig signers to pre-sign malicious governance transactions through phishing or misleading signing requests. The attackers deployed CarbonVote Token (CVT) on March 11, minting 750 million units, then seeded minimal liquidity on Raydium and used wash trading to build an artificial price history near $1, giving CVT a surface-level appearance of market legitimacy. On March 26, Drift migrated to a new 2/5 threshold Security Council multisig with zero timelock, eliminating the delay window that could have allowed detection and intervention. Drift's zero timelock configuration meant that once the pre-signed transactions were triggered, administrative control was transferred immediately.
- [1] [HIGH] CoinDesk - How Drift attackers drained $270 million (news article)
- [2] [MED] BlockSec - Drift Protocol Incident Analysis (research)
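A signer-side check for the durable-nonce pattern described in this section, added here as an illustration (not code from Drift or from any cited analysis): it parses a serialized Solana message and reports whether its first instruction is the System Program's AdvanceNonceAccount, which is what marks a transaction as durable-nonce. It assumes the legacy message format; the function names and the sample keys are constructed for the example.

```python
import struct

SYSTEM_PROGRAM_ID = bytes(32)   # base58 "1111...1111" decodes to 32 zero bytes
ADVANCE_NONCE_ACCOUNT = 4       # SystemInstruction enum index, encoded as u32 LE

def read_compact_u16(buf, pos):
    """Decode Solana's compact-u16 length prefix (7 bits per byte, low bits first)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def first_instruction(message):
    """Return (program_id, account_keys, data) for instruction 0 of a legacy message."""
    if message[0] & 0x80:
        raise ValueError("versioned message: outside this example's assumptions")
    pos = 3                                      # skip the 3-byte header
    n_keys, pos = read_compact_u16(message, pos)
    keys = [message[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys + 32                      # account keys, then blockhash/nonce field
    n_ix, pos = read_compact_u16(message, pos)
    if n_ix == 0:
        raise ValueError("message has no instructions")
    program_idx = message[pos]
    n_acc, pos = read_compact_u16(message, pos + 1)
    accounts = [keys[i] for i in message[pos:pos + n_acc]]
    n_data, pos = read_compact_u16(message, pos + n_acc)
    return keys[program_idx], accounts, bytes(message[pos:pos + n_data])

def durable_nonce_account(message):
    """Return the nonce account key if this is a durable-nonce transaction, else None."""
    program, accounts, data = first_instruction(message)
    if program != SYSTEM_PROGRAM_ID or len(data) < 4 or not accounts:
        return None
    if struct.unpack_from("<I", data)[0] != ADVANCE_NONCE_ACCOUNT:
        return None
    return accounts[0]

def sample_message(ix_index, account_idxs, extra=b""):
    """Constructed legacy message holding one System Program instruction (sample data)."""
    keys = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, SYSTEM_PROGRAM_ID]
    data = struct.pack("<I", ix_index) + extra
    ix = bytes([3, len(account_idxs), *account_idxs, len(data)]) + data
    return bytes([1, 0, 2, len(keys)]) + b"".join(keys) + b"\x09" * 32 + bytes([1]) + ix
```

A signing tool can surface a non-None result as a prominent notice that the signature will not expire with a recent blockhash and stays usable until the nonce account is advanced.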
Recovery and Compensation Plan
Drift Protocol has secured collaboration with Tether and other partners, with Tether proposing to contribute up to $127.5 million and other partners contributing $20 million to support user recovery. This structure is designed to address the $295 million in outstanding user losses over time as exchange revenue grows, though the funding does not fully cover the estimated losses. Drift will issue a dedicated recovery token separate from the DRIFT governance token to each user impacted by the exploit, with each token representing a transferable claim on the recovery pool. The protocol plans to relaunch using USDT as its core settlement layer with incentives and liquidity support, replacing Circle's USDC. Protocol relaunch is contingent upon completion of two independent audits from industry leaders including Ottersec and Asymmetric, with new security measures including dedicated signing devices, independent transaction verification, and timelocks on all critical administrative actions.
- [1] [HIGH] Drift Protocol - Incident Recovery Update (official)
- [2] [HIGH] CoinDesk - Drift gets $148 million rescue fund (news article)
Team and Background Concerns
Drift Protocol was founded in 2021 by Cindy Leow and David Lu, along with two other co-founders. According to CertiK, the team has not been verified: no CertiK KYC or third-party KYC has been completed, which represents a transparency gap for a protocol that has handled hundreds of millions in user funds. Post-hack, blockchain analysis platform Onchain Lens reported that a wallet linked to the Drift team deposited 56.25 million DRIFT tokens valued at $2.44 million into centralized exchanges Bybit and Gate. The timing of these transfers to exchanges, typically interpreted as potential selling activity, has drawn significant community scrutiny because it came while the project was dealing with fallout from the hack. Although Trail of Bits conducted security audits in 2022 that found no high-severity flaws, the exploit highlighted governance and operational security failures beyond smart contract code.
- [1] [HIGH] Yahoo Finance - Drift floats airdrop after hack (news article)
- [2] [MED] CertiK Skynet - Drift Protocol Project Insight (research)
Market Impact and Token Performance
Drift's governance token, DRIFT, has lost about 70% of its value since the exploit, with the token falling to an all-time low of $0.03343 and dropping 37%-42% in the hours following the attack. Drift's total value locked (TVL) collapsed from approximately $550 million to under $250 million following the attack. Following the announcement of Tether's recovery funding, DRIFT surged 20% on Thursday to intraday highs above $0.061, though it remains significantly below pre-exploit levels. Due to the interconnected nature of Solana DeFi, at least 20 protocols reported disruptions, pauses, or losses as the incident spread outward to protocols that rely on Drift's liquidity, vaults, or strategies. The broader impact demonstrates systemic risks within the Solana DeFi ecosystem when major protocols experience critical failures.
- [1] [MED] Capitaxer - Drift Protocol jumps 20% (news article)
- [2] [MED] Bitcoin.com - Drift Protocol Hack 2026 (news article)
Earlier Incident - May 2022 Protocol Logic Bug
DeFiLlama recorded a prior security incident affecting Drift Protocol on May 11, 2022, with reported losses of $14.50M on Solana. Classification: Protocol Logic. Technique: realized PnL withdrawal bug. The $14.50M was reportedly recovered in full, and no user funds were permanently lost in this earlier incident.
- [1] [HIGH] DeFiLlama - Drift Trade Incidents (research)
Timeline
2021-01-01
Drift Protocol founded by Cindy Leow, David Lu, and two other co-founders
Source: Canvas Business Model
2022-05-11
Protocol logic bug exploited for $14.5M (realized PnL withdrawal); funds fully recovered
Source: DeFiLlama
2022-11-07
Trail of Bits security audit conducted, finding no high-severity flaws
Source: Drift Protocol Documentation
2026-03-26
Drift migrates to new 2/5 threshold Security Council multisig with zero timelock
Source: Chainalysis
2026-04-14
Class-action lawsuit filed against Circle entities in federal court in Massachusetts
Source: Quiver Quantitative
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-20250514
generated: 4/29/2026, 8:29:48 PM
last updated: 5/10/2026, 8:17:47 AM
avoid.net — verified advice for a post-truth world