Drift Protocol
Summary
Drift Protocol is a decentralized perpetual futures exchange built on the Solana blockchain, founded in 2021 by Cindy Leow, David Lu, and co-founders. The protocol has experienced two significant security incidents: a $14.5 million PnL accounting bug in May 2022 triggered by the LUNA collapse (fully reimbursed), and a catastrophic $285–286 million exploit on April 1, 2026, attributed with medium-high confidence to the North Korean state-sponsored threat actor UNC4736 (also tracked as Lazarus Group, AppleJeus, and Citrine Sleet), which constituted the largest DeFi hack of 2026. A $295 million recovery plan involving Tether-led financing and user-issued recovery tokens was announced in May 2026; a class action lawsuit was simultaneously filed against Circle Internet Financial.
Decision log
- hash: 2zi9XzZGf7JL84j16gbio2n9sAKrz69mGvbsUBQXw8Xv
- hash: 8JGeuuQk2ZmvQFtKGJHvLcnffMAgpGfH9BcdJNf1LsXf
- hash: 9uddDSjMgG7KDgYRmvUxJrDvoQDHG53oh3od6eK1mG7i
- hash: Br7YvPrbdrf1zoiog5rTfoHHqdXgwvah8QaPF5x5xa7z
Editorial decisions, corrections, and updates are anchored on Solana.
Protocol Overview
Drift Protocol is a decentralized perpetual futures exchange deployed on the Solana blockchain. It was founded in 2021 by Cindy Leow (co-founder, most publicly prominent) and David Lu (co-founder and core contributor), along with two additional co-founders. The protocol operates under Drift Labs and is headquartered in Australia. Drift V2 launched on December 19, 2022, introducing Just-in-Time (JIT) liquidity, a decentralized order book, and passive liquidity providers. The protocol's native governance token (DRIFT) launched on a date aligned with the V2 deployment and reached an all-time high of $2.96 on November 9, 2024, before declining to approximately $0.036 by May 2026 in the aftermath of the April 2026 exploit. Governance is structured around a multi-branch DAO including a Realms DAO for protocol development, a Security Council for governing protocol upgrades, and a Futarchy DAO for technical grants. Prior to the April 2026 exploit, DeFiLlama listed Drift with approximately $311–550 million in total value locked, making it one of the largest Solana-based DeFi protocols.
2022 Security Incident: $14.5M PnL Accounting Bug
On May 11, 2022, Drift Protocol V1 suffered a critical security incident stemming from a PnL accounting bug that was exacerbated by extreme market volatility during the LUNA/UST collapse. Within approximately 12 hours beginning at midnight UTC, $8.72 million in net collateral was withdrawn from the protocol, reducing the collateral pool from $13.66 million to $4.94 million before the exchange was paused. The root causes comprised three interconnected flaws: (1) users could withdraw positive PnL without corresponding losses being settled, allowing profits to be extracted before counterparty losses materialized; (2) positive realized profits from individual markets could drain the shared Insurance Fund without market-level isolation; and (3) the protocol extended consistent leverage regardless of long-short imbalance, amplifying withdrawals. The settled collateral shortfall reached $14.5 million, with users holding $14.9 million in unrealized gains against only -$10.7 million in realized PnL at settlement. The Drift team paused the exchange at 1:15 PM UTC on May 11, investigated, briefly reopened at 2:39 PM, then re-paused at 7:29 PM upon identifying the withdrawal bug. The protocol was subsequently retired permanently. Drift secured $14.5 million in emergency external financing to cover the full shortfall; redemptions were made available May 27, 2022. All affected users were fully reimbursed, and Drift increased its bug bounty from $500,000 to $1 million. This incident predated V2.
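The following toy model is an added illustration, not Drift's code and not a description of how Drift V1 was actually implemented. It reduces the incident to a single-asset collateral vault, per-market unrealized PnL and an insurance fund (all names and balances are constructed), and puts root causes (1) and (2) beside one remediation: positive PnL is settled into withdrawable collateral only from losses already realized in the same market, and bad debt is backed only by that market's own insurance. Cause (3), uniform leverage regardless of long/short imbalance, is not modelled.

```python
"""Toy model of V1 flaws (1) and (2) beside a settle-before-withdraw remediation.

Added example, not Drift's code. Single-asset vault, per-market unrealized PnL,
insurance fund. Users, markets and balances below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Market:
    settled_loss_pool: float = 0.0  # losses counterparties have already realized here
    insurance: float = 0.0          # insurance reserved for this market only


@dataclass
class User:
    collateral: float
    unrealized: dict = field(default_factory=dict)  # market -> unrealized PnL


class VulnerableExchange:
    """Flaw 1: unrealized gains count as withdrawable before the losing side settles.
    Flaw 2: any resulting vault hole is paid from one shared insurance fund."""

    def __init__(self, shared_insurance: float):
        self.vault = 0.0
        self.shared_insurance = shared_insurance
        self.users: dict[str, User] = {}

    def deposit(self, name: str, amount: float) -> None:
        self.users.setdefault(name, User(0.0)).collateral += amount
        self.vault += amount

    def withdraw(self, name: str, amount: float) -> float:
        u = self.users[name]
        withdrawable = u.collateral + sum(u.unrealized.values())
        if amount > withdrawable:
            raise ValueError("insufficient balance")
        u.collateral = withdrawable - amount  # gain booked without a matching settled loss
        u.unrealized.clear()
        self.vault -= amount
        if self.vault < 0:                    # the vault never received the loser's funds,
            self.shared_insurance += self.vault  # so the shared fund absorbs the hole
            self.vault = 0.0
        return amount


class HardenedExchange:
    """Gains are paid only from losses already realized in the same market;
    bad debt beyond a loser's collateral is backed only by that market's insurance."""

    def __init__(self):
        self.vault = 0.0
        self.markets: dict[str, Market] = {}
        self.users: dict[str, User] = {}

    def deposit(self, name: str, amount: float) -> None:
        self.users.setdefault(name, User(0.0)).collateral += amount
        self.vault += amount

    def fund_insurance(self, market: str, amount: float) -> None:
        self.markets.setdefault(market, Market()).insurance += amount

    def settle(self, name: str, market: str) -> float:
        """Move PnL into collateral; returns the amount settled (negative for a loss)."""
        u = self.users[name]
        m = self.markets.setdefault(market, Market())
        pnl = u.unrealized.get(market, 0.0)
        if pnl < 0:
            loss = -pnl
            covered = min(loss, u.collateral)
            u.collateral -= covered
            m.settled_loss_pool += covered
            paid = min(loss - covered, m.insurance)  # bad debt, this market's insurance only
            m.insurance -= paid
            m.settled_loss_pool += paid
            self.vault += paid
            u.unrealized[market] = 0.0
            return -(covered + paid)
        settled = min(pnl, m.settled_loss_pool)   # never more than losers have paid in
        m.settled_loss_pool -= settled
        u.collateral += settled
        u.unrealized[market] = pnl - settled      # remainder waits for counterparties
        return settled

    def withdraw(self, name: str, amount: float) -> float:
        u = self.users[name]
        if amount > u.collateral:
            raise ValueError("only settled collateral is withdrawable")
        u.collateral -= amount
        self.vault -= amount
        return amount


def scenario_vulnerable():
    """Alice withdraws an unrealized gain while Bob's matching loss is unsettled."""
    ex = VulnerableExchange(shared_insurance=50.0)
    ex.deposit("alice", 100.0)
    ex.deposit("bob", 100.0)
    ex.users["alice"].unrealized["LUNA-PERP"] = 150.0
    ex.users["bob"].unrealized["LUNA-PERP"] = -150.0
    ex.withdraw("alice", 250.0)
    # vault and shared insurance are empty, yet Bob's ledger still shows 100 of collateral
    return ex.vault, ex.shared_insurance, ex.users["bob"].collateral


def scenario_hardened():
    """Same positions; Alice's gain becomes withdrawable only after Bob's loss settles."""
    ex = HardenedExchange()
    ex.deposit("alice", 100.0)
    ex.deposit("bob", 100.0)
    ex.fund_insurance("LUNA-PERP", 50.0)
    ex.fund_insurance("SOL-PERP", 50.0)
    ex.users["alice"].unrealized["LUNA-PERP"] = 150.0
    ex.users["bob"].unrealized["LUNA-PERP"] = -150.0
    before_loss = ex.settle("alice", "LUNA-PERP")   # 0.0: nothing realized yet
    try:
        ex.withdraw("alice", 250.0)
        blocked = False
    except ValueError:
        blocked = True
    ex.settle("bob", "LUNA-PERP")                   # 100 collateral + 50 LUNA insurance
    after_loss = ex.settle("alice", "LUNA-PERP")    # 150.0, fully funded by the vault
    return before_loss, blocked, after_loss, ex.markets["SOL-PERP"].insurance, ex.vault


if __name__ == "__main__":
    print("vulnerable:", scenario_vulnerable())
    print("hardened:", scenario_hardened())
```

In the vulnerable run the vault and the shared fund are both drained by one withdrawal while the loser's balance is still intact on the ledger, which is the shortfall the page describes; in the hardened run the SOL market's insurance is untouched by a LUNA market bad debt.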
April 2026 Exploit: $285 Million Theft
On April 1, 2026, Drift Protocol suffered the largest DeFi hack of 2026 and the second-largest exploit in Solana ecosystem history. Approximately $285–286 million in user assets were drained in roughly 12 minutes, between 16:05 UTC and 18:31 UTC. The attack was the culmination of a six-month social engineering and malware operation attributed with medium-high confidence to UNC4736, a North Korean state-sponsored threat actor. The attack proceeded in several phases. In the preparation phase (fall 2025), individuals presenting as representatives of a legitimate quantitative trading firm approached Drift contributors at major international cryptocurrency industry conferences across multiple countries. The individuals who appeared in person were stated by Drift not to be North Korean nationals, consistent with DPRK practice of deploying third-party intermediaries for face-to-face contact. Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, deposited over $1 million of real funds to establish operational legitimacy, and engaged contributors in sustained technical discussions about trading strategy and vault integrations via a dedicated Telegram group. In February and March 2026, the group continued sharing what appeared to be development tools and applications — including malicious VS Code repositories and fake apps distributed via Apple TestFlight — which were used to compromise the devices of Drift Security Council members. On March 12, 2026, the attackers deployed the CarbonVote Token (CVT), a fictitious Solana asset with a total supply of 750 million units (approximately 80% attacker-controlled), seeded with roughly $500 in real liquidity on Raydium and artificially priced at $1.00 via wash trading and a controlled price oracle. 
On March 23–30, the attackers prepared durable nonce accounts — a legitimate Solana feature that allows pre-signed transactions to remain valid indefinitely rather than expiring after approximately 90 seconds — and induced two of the five Security Council multisig members to sign what appeared to be routine governance transactions, which in fact carried hidden authorizations for admin key transfer. On March 26–27, 2026, Drift migrated its Security Council to a new 2-of-5 threshold configuration with zero timelock, eliminating the detection delay that would otherwise have enabled intervention. On April 1 at 16:05 UTC, the attacker executed the pre-signed transactions, transferring administrative control of the protocol to the attacker-controlled address H7PiGqqUaanBovwKgEtreJbKmQe6dbq6VTrw6guy7ZgL. With administrative control established, the attacker listed CVT as valid collateral, raised withdrawal limits to approximately $500 trillion, deposited 500 million CVT, and executed 31 withdrawal transactions extracting real assets from all three Drift vaults (JLP Delta Neutral, SOL Super Staking, and BTC Super Staking). The largest single asset extracted was JLP tokens ($155.6 million, approximately 41.7 million units). Within approximately 23 minutes of the admin takeover, stolen USDC was being bridged from Solana to Ethereum via Circle's Cross-Chain Transfer Protocol (CCTP). Approximately $232 million in USDC was bridged to Ethereum across 100+ transactions over an eight-hour window, then converted to ETH and dispersed. A first proposal transaction was recorded on-chain at 2HvMSgDEfKhNryYZKhjowrBY55rUx5MWtcWkG9hqxZCFBaTiahPwfynP1dxBSRk9s5UTVc8LFeS4Btvkm9pc2C4H and an execution transaction at 4BKBmAJn6TdsENij7CsVbyMVLJU1tX27nfrMM1zgKv1bs2KJy6Am2NqdA3nJm4g9C6eC64UAf5sNs974ygB9RsN1. An intermediary attacker-affiliated wallet was identified at HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES. 
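The durable nonce mechanism described above is observable in the transaction itself: Solana's runtime treats a transaction as nonce-based only when its first instruction is the System Program's AdvanceNonceAccount, and only then does the "recent blockhash" field hold a nonce value that never expires. The check below is an added example, not Drift's or Solana's code: a dependency-free parser for the legacy (non-versioned) message layout that a signer's tooling could run before approving, reporting whether a nonce prefix is present, which account and authority it names, and which programs the remaining instructions call. The messages, keys and the "governance" payload are constructed for this example and are not real accounts or instructions.

```python
"""Flag a durable-nonce transaction before it is signed.

Added example, not Drift's or Solana's code. Parses Solana's legacy message
layout (header, compact account list, blockhash, compact instruction list) and
checks for SystemProgram::AdvanceNonceAccount (bincode discriminant u32 LE 4)
as the first instruction. Keys and payloads below are constructed placeholders.
"""
import struct

SYSTEM_PROGRAM = bytes(32)            # base58 "111...1" is the all-zero public key
ADVANCE_NONCE = struct.pack("<I", 4)  # SystemInstruction::AdvanceNonceAccount


def encode_shortvec(n: int) -> bytes:
    """Solana compact-u16: 7 bits per byte, low bits first, 0x80 means more follows."""
    out = bytearray()
    while True:
        low, n = n & 0x7F, n >> 7
        out.append(low | 0x80 if n else low)
        if not n:
            return bytes(out)


def decode_shortvec(buf: bytes, pos: int):
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def build_message(header, keys, blockhash, instructions) -> bytes:
    """header = (num_signers, readonly_signed, readonly_unsigned);
    instructions = [(program_key_index, [account key indices], data)]."""
    msg = bytearray(bytes(header)) + encode_shortvec(len(keys)) + b"".join(keys)
    msg += blockhash + encode_shortvec(len(instructions))
    for prog_idx, acct_idxs, data in instructions:
        msg += bytes([prog_idx]) + encode_shortvec(len(acct_idxs)) + bytes(acct_idxs)
        msg += encode_shortvec(len(data)) + data
    return bytes(msg)


def parse_message(msg: bytes) -> dict:
    if msg[0] & 0x80:
        raise ValueError("versioned (v0) message: not handled by this parser")
    pos = 3                                   # skip the 3-byte header
    n_keys, pos = decode_shortvec(msg, pos)
    keys = [msg[pos + 32 * i:pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = msg[pos:pos + 32], pos + 32   # a nonce value when nonce-based
    n_ix, pos = decode_shortvec(msg, pos)
    instructions = []
    for _ in range(n_ix):
        prog_idx, pos = msg[pos], pos + 1
        n_acc, pos = decode_shortvec(msg, pos)
        accts, pos = list(msg[pos:pos + n_acc]), pos + n_acc
        n_data, pos = decode_shortvec(msg, pos)
        data, pos = msg[pos:pos + n_data], pos + n_data
        instructions.append((keys[prog_idx], [keys[i] for i in accts], data))
    if pos != len(msg):
        raise ValueError("trailing bytes after message")
    return {"num_signers": msg[0], "blockhash": blockhash, "instructions": instructions}


def durable_nonce_check(msg: bytes) -> dict:
    """Report whether the message is nonce-based and what else it asks the signer to do."""
    parsed = parse_message(msg)
    ixs = parsed["instructions"]
    # Only a *first* AdvanceNonceAccount makes the transaction durable; the same
    # instruction later in the list is an ordinary, expiring transaction.
    nonced = bool(ixs) and ixs[0][0] == SYSTEM_PROGRAM and ixs[0][2] == ADVANCE_NONCE
    rest = ixs[1:] if nonced else ixs
    report = {"durable_nonce": nonced, "num_signers": parsed["num_signers"],
              "programs": [prog.hex()[:8] for prog, _, _ in rest]}
    if nonced:
        accts = ixs[0][1]  # [nonce account, RecentBlockhashes sysvar, nonce authority]
        report["nonce_account"] = accts[0].hex()[:8]
        report["nonce_authority"] = accts[2].hex()[:8] if len(accts) > 2 else None
    return report


def check_constructed_messages() -> dict:
    """Two constructed messages: one with a nonce prefix, one ordinary."""
    signer, nonce_acct, sysvar, governance = (bytes([i]) * 32 for i in (1, 2, 3, 4))
    keys = [signer, nonce_acct, sysvar, governance, SYSTEM_PROGRAM]
    payload = b"\x00" * 8 + b"placeholder governance args"  # constructed, not a real ix
    durable = build_message((1, 0, 3), keys, b"\xaa" * 32,
                            [(4, [1, 2, 0], ADVANCE_NONCE), (3, [0], payload)])
    ordinary = build_message((1, 0, 3), keys, b"\xbb" * 32, [(3, [0], payload)])
    return {"durable": durable_nonce_check(durable),
            "ordinary": durable_nonce_check(ordinary)}


if __name__ == "__main__":
    for name, report in check_constructed_messages().items():
        print(name, report)
```

A signer reviewing a proposal would treat `durable_nonce: True` as a prompt to ask why the transaction needs to stay valid beyond the normal blockhash window and to read the remaining instructions with that in mind; versioned (v0) messages, which carry address lookup tables, are rejected here rather than parsed.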
The stolen USDC was subsequently swapped to ETH and laundered in part through Tornado Cash. At least 20 downstream DeFi protocols experienced disruptions or direct losses due to DeFi composability dependencies. Solana DeFi TVL dropped approximately 12% in the days following the attack.
- [1] [HIGH] Drift Protocol Hack: How Privileged Access Led to a $285M Loss (Chainalysis), research
- [2] [HIGH] Drift Protocol exploited for $286 million in suspected DPRK-linked attack (Elliptic), research
- [3] [HIGH] North Korean Hackers Attack Drift Protocol In USD 285 Million Heist (TRM Labs), research
- [4] [HIGH] Drift DeFi Project on Solana Suffers $285 Million Crypto Exploit (Bloomberg), news article
- [5] [MED] $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation (The Hacker News), news article
- [6] [MED] Drift Protocol Incident Report (Nexus Mutual), research
- [7] [MED] Drift links $280M hack to radiant attackers (Crypto News), news article
- [8] [HIGH] Drift Protocol Hit by $285M Exploit: Crypto's Biggest Hack of 2026 (Yahoo Finance / CCN), news article
DPRK/Lazarus Group Attribution
Drift Protocol stated with medium-high confidence that the April 2026 attack was carried out by UNC4736, a North Korean state-sponsored threat actor also tracked under the cryptonyms AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces. UNC4736 is assessed to be a subunit of the Lazarus Group, the umbrella designation for DPRK state-linked cybercriminal operations. Attribution evidence cited by Drift and corroborated by blockchain analytics firms includes: on-chain staging patterns with an initial 10 ETH withdrawal from Tornado Cash on March 11 occurring around 09:00 Pyongyang local time (a forensic indicator used in prior state-actor investigations); on-chain fund flows from the Drift staging phase that trace back to wallets previously linked to the October 2024 Radiant Capital hack, which Mandiant formally attributed to UNC4736; laundering methodologies consistent with prior DPRK-attributed operations; and operational persona overlaps with known DPRK-linked activity. Elliptic independently noted that the attack is consistent with techniques observed in previous DPRK-attributed incidents and identified it as the 18th DPRK-linked crypto incident tracked in 2026. TRM Labs further noted that DPRK-linked operations accounted for 76% of all 2026 crypto hack losses through April, totaling $577 million of $759 million stolen ecosystem-wide. Since 2017, DPRK-linked operations have cumulatively stolen an estimated $6 billion in cryptocurrency, with proceeds assessed by the UN Panel of Experts to fund the regime's ballistic missile and nuclear weapons programs. The connection to the October 2024 Radiant Capital exploit ($50 million stolen via similar social engineering and malware delivery) was confirmed at medium-high confidence by Drift based on both on-chain fund flow overlaps and operational persona similarities. UNC4736 is formally designated by the U.S. government; OFAC issued related sanctions against DPRK bankers and front companies involved in laundering cryptocurrency proceeds as recently as November 2025.
- [1] [HIGH] Drift Protocol exploited for $286 million in suspected DPRK-linked attack (Elliptic), research
- [2] [HIGH] North Korean Hackers Attack Drift Protocol In USD 285 Million Heist (TRM Labs), research
- [3] [HIGH] North Korea Stole 76% of All Crypto Hack Value in 2026 — With Just Two Attacks (TRM Labs), research
- [4] [MED] Drift links $280M hack to radiant attackers (Crypto News), news article
- [5] [HIGH] The Drift Protocol Hack: How Privileged Access Led to a $285M Loss (Chainalysis), research
- [6] [MED] Drift Protocol Exploit: Why Social Trust Is the Newest Cybersecurity Gap (Crowell & Moring LLP), other
On-Chain Addresses and Laundering
The primary attacker-controlled address to which administrative control was transferred on April 1, 2026 at 16:05:18 UTC is H7PiGqqUaanBovwKgEtreJbKmQe6dbq6VTrw6guy7ZgL on the Solana blockchain. A secondary attacker-affiliated intermediary wallet was identified at HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES. The primary attacker wallet was created approximately eight days before the exploit and received a small test transfer from a Drift vault during the preparation period. The first governance proposal transaction hash was 2HvMSgDEfKhNryYZKhjowrBY55rUx5MWtcWkG9hqxZCFBaTiahPwfynP1dxBSRk9s5UTVc8LFeS4Btvkm9pc2C4H, and the execution transaction hash was 4BKBmAJn6TdsENij7CsVbyMVLJU1tX27nfrMM1zgKv1bs2KJy6Am2NqdA3nJm4g9C6eC64UAf5sNs974ygB9RsN1. Initial attack staging involved a 10 ETH withdrawal from Tornado Cash on March 11, 2026. Following the drain, stolen tokens were rapidly swapped to USDC using a Solana-based DEX aggregator, then bridged from Solana to Ethereum via Circle's Cross-Chain Transfer Protocol (CCTP) in over 100 transactions totaling approximately $232 million over an eight-hour window. Funds were subsequently swapped to ETH on Ethereum and dispersed across wallets and chains, with a portion routed through Tornado Cash. Elliptic has made attacker wallet addresses available to exchanges and screening tools for sanctions compliance purposes. The asset breakdown of the theft included: JLP tokens approximately $155.6 million; USDC approximately $71.4 million (Chainalysis) or $60.4 million (Nexus Mutual); cbBTC approximately $11.3 million; USDT approximately $5.6 million; USDS approximately $5.3 million; WETH approximately $4.7 million; dSOL approximately $4.5 million; WBTC approximately $4.4 million; FARTCOIN approximately $4.1 million; JitoSOL approximately $3.6 million; and approximately eight additional token types.
Regulatory and Sanctions Implications
The attribution of the April 2026 exploit to UNC4736/Lazarus Group carries direct U.S. sanctions implications. OFAC has formally designated the Lazarus Group and associated entities under Executive Order 13722 and the Countering America's Adversaries Through Sanctions Act (CAATSA). Any U.S. person or entity that transacted with, facilitated transactions for, or processed assets connected to the attackers may face potential civil OFAC sanctions liability, even absent knowledge of the DPRK connection. The March 2026 OFAC sanctions announcement specifically described North Korea's remote IT worker schemes as a meaningful source of revenue for the regime's weapons programs. The Drift incident highlights a key compliance gap: Circle's CCTP was used to bridge approximately $232 million in stolen USDC from Solana to Ethereum across over 100 transactions over eight hours, during which time Circle allegedly did not freeze assets despite having both the technical capability and alleged regulatory obligation to do so under the Bank Secrecy Act. This failure is the basis of the McCollum v. Circle Internet Financial lawsuit filed in federal court in Massachusetts. Law firm Crowell & Moring LLP published a client alert noting that organizations handling digital assets should evaluate compliance posture to address the risk of inadvertently processing proceeds connected to sanctioned DPRK actors, and should engage counsel with law enforcement contacts at the FBI, DOJ, and other agencies to expedite freeze letters or seizure orders in the event of future incidents. The New York Department of Financial Services has issued guidance recommending video verification during onboarding for major financial firms and crypto companies to address identity concealment risks of the type demonstrated in this incident.
- [1] [MED] Drift Protocol Exploit: Why Social Trust Is the Newest Cybersecurity Gap (Crowell & Moring LLP), other
- [2] [MED] Drift Protocol Exploit: Why Social Trust Is The Newest Cybersecurity Gap (Mondaq / Crowell & Moring), other
- [3] [HIGH] North Korean Hackers Attack Drift Protocol In USD 285 Million Heist (TRM Labs), research
- [4] [MED] Drift degen sues Circle, alleging stablecoin giant did nothing during $295m hack (DL News), news article
Class Action Litigation
On April 14, 2026, law firm Gibbs Mura, A Law Group (in association with Joshua Joseph Law Firm LLC) filed a class action lawsuit in federal court in Massachusetts on behalf of Drift Protocol investors who sustained losses in the April 1, 2026 exploit. The primary defendant named is Circle Internet Financial. The lawsuit alleges that Circle aided and abetted the hackers and was negligent in its response to the exploit. Specifically, the complaint alleges that Circle had both the technical capability and legal obligation under the Bank Secrecy Act to freeze USDC transactions on its Cross-Chain Transfer Protocol (CCTP) infrastructure, and that it failed to do so despite the attackers using CCTP to bridge approximately $230 million in stolen USDC from Solana to Ethereum across 100+ transactions over an eight-hour window on April 1. According to the complaint, within one hour of the hack, cryptocurrency community members and influencers had publicly tagged Circle on social media alerting the company to the ongoing exploit. Circle's alleged inaction allowed attackers to retain approximately $230 million, while other companies froze the remainder. Lead plaintiff Joshua McCollum, a Missouri resident, had approximately $23,500 in assets affected by the hack. Prior to filing, Gibbs Mura announced a class action investigation on April 7, 2026. The specific case number and assigned judge were not publicly disclosed in available materials as of the time of this investigation. Separately, Drift Protocol itself faces potential litigation from users dissatisfied with the recovery token mechanism and the estimated eight-year timeline to full reimbursement.
- [1] [HIGH] Class Action Filed Over Drift Protocol $280 Million Hack By Gibbs Mura (BusinessWire), court filing
- [2] [MED] Class Action Filed Over Drift Protocol $280 Million Hack (Gibbs Mura official page), court filing
- [3] [MED] Drift degen sues Circle, alleging stablecoin giant did nothing during $295m hack (DL News), news article
- [4] [MED] Drift Protocol Cryptocurrency Hack Class Action Lawsuit Investigation (National Law Review), other
Recovery Plan and User Impact
On April 16, 2026, Drift Protocol announced a $147.5 million rescue package led by Tether, comprising up to $127.5 million from Tether (contingent on performance benchmarks, structured as a $100 million revenue-linked credit facility, an ecosystem grant, and loans to market makers) and $20 million from other unspecified partners. As part of the arrangement, Drift announced it would replace Circle's USDC with Tether's USDT as its primary settlement layer, with Tether funding fee reductions, user incentives, and liquidity support to designated market makers. In May 2026, Drift formally unveiled its comprehensive recovery plan. Affected users will receive transferable SPL-standard recovery tokens, with one token issued per $1 of independently verified loss, representing a claim on the recovery pool. The recovery pool was seeded with approximately $3.8 million in remaining protocol resources. Early redemption is available at a discount once the pool exceeds $5 million. Recovery tokens are transferable, enabling secondary market trading. Total verified losses were calculated at approximately $295.4 million. Based on Drift's 2025 revenue of approximately $19 million annually, the recovery token pool would require approximately eight years to fully capitalize without external support. With Tether and partner commitments, this timeline accelerates considerably but depends on Drift successfully relaunching and generating revenue. Drift's DRIFT governance token showed minimal price reaction to the recovery announcement, trading at approximately $0.04 before and after. Community reaction to the recovery plan was described as mixed, with some users expressing dissatisfaction with the multi-year recovery timeline and the absence of immediate cash compensation. The protocol intends to relaunch before July 2026 as a restructured, security-enhanced perpetual futures venue, with security audits by Ottersec (codebase redesign and full audit) and Asymmetric (operational security). Governance changes include a new community-governed multisig, dedicated hardware signing devices for council members, timelocks on critical actions, and quarterly administrator security training.
- [1] [HIGH] Drift Protocol, Tether, and Partners Announce Up to Nearly $150 Million Strategic Collaboration (BusinessWire), official
- [2] [HIGH] Drift gets $148 million rescue fund and Tether will replace Circle's USDC for settlement (CoinDesk), news article
- [3] [HIGH] Drift outlines a recovery plan for users after $295 million DPRK-linked exploit (CoinDesk), news article
- [4] [MED] Drift to issue recovery tokens in wake of $295m hack (DL News), news article
- [5] [HIGH] Incident Recovery Update April 16 2026 (Drift official updates page), official
- [6] [MED] Drift Protocol Unveils $295M Recovery Strategy After Devastating Hack (Blockonomi), news article
- [7] [HIGH] Drift secures up to $127 million from Tether for user recovery (The Block), news article
Ecosystem Contagion and Broader Impact
The April 2026 Drift exploit caused significant contagion across the Solana DeFi ecosystem. At least 20 downstream protocols experienced disruptions, pauses, or direct losses due to DeFi composability and interconnected liquidity dependencies. Solana DeFi TVL dropped approximately 12% from roughly $8.1 billion to $5.7 billion in the days following the attack. The Solana-based yield protocol Carrot permanently shut down, becoming one of the first DeFi protocol casualties of the Drift exploit's contagion. DeFiLlama confirmed April 2026 as the worst month for crypto hacks in recorded history, with approximately 28–30 incidents totaling over $625–651 million stolen. The Drift exploit ($285 million, April 1) and the KelpDAO exploit ($293 million, April 18) together accounted for approximately 89% of April's total losses. According to TRM Labs, DPRK-linked hackers alone accounted for approximately 76% of all 2026 crypto hack value through April. The Drift attack was also the second-largest exploit in Solana ecosystem history, following the $326 million Wormhole bridge hack of February 2022.
- [1] [MED] Defillama Confirms April 2026 as Crypto's Most-Hacked Month With 30 Incidents (Bitcoin.com News), news article
- [2] [MED] Carrot's TVL Collapses 93% in a Month Following Drift Hack (CoinTelegraph), news article
- [3] [HIGH] North Korean Hackers Attack Drift Protocol In USD 285 Million Heist (TRM Labs), research
- [4] [LOW] April 2026: The Worst Month for Crypto Hacks in History (Crypto Impact Hub), news article
Timeline
2021-01-01
Drift Protocol founded by Cindy Leow, David Lu, and co-founders; V1 deployed on Solana.
Source: Gate Learn / Crunchbase

2022-05-11
Drift V1 suffers $14.5M PnL accounting bug triggered by LUNA/UST collapse; exchange paused twice during the day.
Source: Drift Protocol official Medium incident report

2022-05-27
Full $14.5M reimbursement made available to V1 users following emergency external financing.
Source: Drift Protocol official Medium incident report

2022-12-19
Drift V2 launches with JIT liquidity, decentralized order book, and passive liquidity providers.
Source: Gate Learn

2024-10-01
Radiant Capital suffers $50M hack attributed by Mandiant to UNC4736, the same group later attributed to the Drift exploit.
Source: Drift Protocol / Crypto News

2025-11-01
OFAC issues sanctions against DPRK bankers and front companies for laundering proceeds from cybercrime and IT worker operations.
Source: Crowell & Moring LLP client alert

2025-11-01
UNC4736 threat actors begin approaching Drift contributors at international cryptocurrency conferences, posing as representatives of a legitimate quantitative trading firm.
Source: The Hacker News

2025-12-01
Attackers onboard an Ecosystem Vault on Drift, deposit over $1 million of real funds, and begin engaging contributors on Telegram regarding trading strategy and vault integrations.
Source: The Hacker News

2026-03-11
Attack staging begins: 10 ETH withdrawn from Tornado Cash at approximately 09:00 Pyongyang local time.
Source: TRM Labs

2026-03-12
Attackers deploy the CarbonVote Token (CVT) on Solana: 750 million units minted, approximately 80% attacker-controlled, seeded with $500 in real liquidity on Raydium and artificially priced at $1.00 via wash trading.
Source: Chainalysis / TRM Labs

2026-03-23
Attackers begin preparing Solana durable nonce accounts and social engineering Security Council members into pre-signing governance transactions with hidden admin transfer authorizations.
Source: Chainalysis

2026-03-26
Drift Security Council migrated to a new 2-of-5 threshold configuration with zero timelock, eliminating the detection delay that would otherwise have enabled intervention.
Source: Chainalysis / Nexus Mutual

2026-04-01
At 16:05:18 UTC, pre-signed durable nonce transactions executed; admin control transferred to attacker address H7PiGqqUaanBovwKgEtreJbKmQe6dbq6VTrw6guy7ZgL. CVT listed as collateral; withdrawal limits raised to ~$500 trillion; 31 withdrawal transactions drain $285-286 million in 12 minutes ending at approximately 18:31 UTC.
Source: Chainalysis / Elliptic / Bloomberg

2026-04-01
Within 23 minutes of admin takeover, attackers begin bridging USDC from Solana to Ethereum via Circle CCTP; $232 million bridged across 100+ transactions over eight hours. Drift halts deposits and withdrawals.
Source: Nexus Mutual incident report / Elliptic

2026-04-05
Drift publicly states medium-high confidence attribution to UNC4736/North Korean state actors; links the attack to the same group responsible for the October 2024 Radiant Capital hack.
Source: CoinDesk

2026-04-07
Gibbs Mura, A Law Group announces class action investigation into Drift Protocol hack losses.
Source: BusinessWire

2026-04-14
Gibbs Mura and Joshua Joseph Law Firm LLC file class action lawsuit in federal court in Massachusetts against Circle Internet Financial, alleging aiding and abetting hackers and negligence for failure to freeze $230 million in USDC bridged via CCTP.
Source: BusinessWire

2026-04-16
Drift Protocol and Tether announce up to $147.5 million rescue package ($127.5M from Tether, $20M from partners); Drift pivots settlement layer from USDC to USDT.
Source: BusinessWire / CoinDesk

2026-05-05
Drift Protocol publishes comprehensive $295.4 million recovery plan: recovery tokens (1 token per $1 of verified loss, transferable), initial pool seed of $3.8 million, early redemption at discount above $5 million, estimated eight-year timeline to full compensation at current revenue rates.
Source: CoinDesk / DL News

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-code-investigator
generated: 5/10/2026, 5:04:24 AM
last updated: 5/10/2026, 6:52:12 AM
avoid.net — verified advice for a post-truth world