Home
News
Details

Drift Protocol Hacked for Over $280M, Largest Solana DeFi Attack in 2026

iconOdaily
Share
Share IconShare IconShare IconShare IconShare IconShare IconCopy
This is the logo of the coin.
DRIFT
$0.029-1.36%
This is the logo of the coin.
SOL
$84.543.26%
AI summary iconSummary

expand icon
On April 1, 2026, Drift Protocol suffered a massive DeFi exploit in which hackers stole over $280 million in assets. The breach exploited a 2/5 multi-signature wallet without a time lock, allowing rapid depletion of the treasury. The protocol’s update failed to prevent the attack, triggering sharp price declines for DRIFT and SOL. This represents the largest DeFi exploit on Solana this year.

Original | Odaily Planet Daily (@OdailyChina)

Author | Wenser (@wenser 2010)

The conflict in the Middle East continues, and a security attack exceeding $200 million has dealt another blow to the crypto community.

On April Fools' Day, Drift Protocol, a leading derivatives protocol in the Solana ecosystem, pulled off a joke that was anything but funny: just one week after updating its multisig to require only 2/5 signatures without a time lock, over $280 million in JLP-related assets were stolen. It’s hard not to suspect insider involvement.

Breaking news: Drift officially confirmed it has been subjected to an active attack and has suspended all platform deposit and withdrawal operations; affected projects have explicitly stated, “This is not an April Fools’ joke.”

A seemingly joking remark may reveal another heavy blow to Solana's DeFi ecosystem.

Drift Protocol attack timeline: 11 transfers, treasury drained instantly

Preliminary investigations indicate that the attack involved privilege escalation and a multisig execution vulnerability.

Yu Xian, founder of SlowMist, wrote: "A week ago, Drift migrated to a 2/5 multisig with no time lock (Odaily Planet Daily note: meaning actions can be executed immediately), including one old wallet address and four new signature wallets. Hours ago, the attacker took control of the management privileges, minted counterfeit CVT tokens, manipulated oracles, disabled relevant security mechanisms, and drained the pool's assets."

On-chain data shows that the attacker first purchased 41.72 million Jupiter Liquidity Tokens (JLP), worth approximately $155.6 million, then swiftly transferred large amounts of USDC and other tokens, and cross-chain bridged the funds to Ethereum to purchase approximately 19,913 ETH, equivalent to about $42.6 million.

The entire process involves approximately 11 large transactions, including:

  • 51.61 million USDC, valued at approximately $51.62 million;
  • 125,000 WSOL, valued at approximately $10.45 million;
  • 164,000 cbBTC, valued at approximately $11.29 million.
  • Hacker wallet address: HkGz4KmoZ7Zmk7HN6ndJ31 UJ1qZ2qgwQxgVqQwovpZES.

Within just a few minutes, Drift's total treasury assets dropped from $309 million to $41 million.

Around 3 a.m., Drift officially announced it had been compromised and declared a coordinated response with multiple security firms, cross-chain bridges, and exchanges.

Reason for the attack: Official cause尚未定论; leakage of administrator private key is the primary suspect.

Currently, Drift's official team has not yet publicly disclosed the primary cause of this attack.

The security firm PeckShield assessed that the admin key of Drift Protocol has likely been compromised or breached, allowing the attacker to manipulate the protocol treasury through privileged access. This assessment characterizes the attack as a privilege escalation, rather than a vulnerability in the smart contract code.

Additional community reports suggest that the attacker may have manipulated collateral parameters to artificially inflate the value of less liquid assets, then borrowed high-value tokens using those inflated values, ultimately stealing funds from the vault. This method closely aligns with previous DeFi governance attack patterns. Investigators have not ruled out possibilities such as smart contract vulnerabilities or oracle manipulation, and the investigation is ongoing.

Notably, the Solana wallet used by the attacker was initially funded with just 1 SOL last week and previously received a small test transfer of approximately $2.52 from the Drift treasury, suggesting the attacker may have been lying in wait and verified permissions prior to the main attack. Additionally, the attacker’s associated wallet funds originated from Backpack, potentially leaving KYC-related traces.

Market reaction: DRIFT token drops 28%, SOL briefly pressured

After news of the Drift hack spread, the market plunged into panic, with DRIFT and SOL rapidly declining.

Image

The native token of Drift Protocol, DRIFT, has dropped over 38% in the last 24 hours, currently trading at approximately $0.042, representing a cumulative decline of more than 98% from its all-time high of $2.60 set in November 2024. SOL’s price also declined following the news, falling below $80 with a 24-hour drop of nearly 5%, currently trading at $78.60.

The Phantom wallet has proactively displayed a risk warning to users attempting to access the Drift protocol; Solana treasury-backed companies Forward Industries and DeFi Development Corp have also confirmed that their funds were not affected by this attack.

The largest DeFi attack on the Solana ecosystem in 2026

According to crypto KOL @lugeweb3’s post statistics, projects that have suffered clear losses or significant impacts due to the Drift hack include:

  • @piggybank_fi: $106,000 in funds were stolen; the team is injecting liquidity to compensate users for their losses.
  • @DeFiCarrot: Boost and Turbo products are unaffected, but the overall system has been impacted by the vulnerability, and minting/exchange functions have been temporarily paused.
  • @uselulo: Traditional deposits may be affected (protected and enhanced deposits are not affected).
  • @reflectmoney: All minting and redemption of USDC+ and USDT+ have been frozen.
  • Borrowing backed by Drift markets has been suspended.
  • @ranger_finance: rgUSD deposits and withdrawals are suspended; $900,000 of the $14.6 million TVL on Drift is frozen.
  • @elementaldefi: SOL and Lend funds deposited into Drift have been frozen (USDC and ONYC funds are safe).
  • @TradeNeutral: All Drift-related vaults (JLP, BTC/ETH/SOL super-staking, Hyper JLP, etc., with a total TVL of $3.6 million) may be affected, with deposits and withdrawals paused.
  • @xplaceapp: Deposits and withdrawals are unavailable; credit mode and lending functions are disabled.
  • @GetPyra: Funds are affected, all card functions have been suspended.
  • @ExponentFinance: Trading related to USDC+ has been suspended.
  • @fusewallet: Deposits are temporarily suspended.
  • @perena: Stablecoins are unaffected, but redemptions are paused; the JLP Vault on Neutral Trade ($512K TVL) may be affected.

Projects explicitly stated as unaffected:

  • @JupiterExchange
  • @kamino
  • @UnitasLabs
  • @onrefinance
  • @solflare
  • @hylo_so
  • @MarinadeFinance
  • @synatraxyz
  • @solsticefi
  • @defidevcorp
  • @jito_sol
  • @s2>MeteoraAG
  • @sanctumso
  • @wormhole

Estimated by scale, this incident may become one of the largest DeFi security events in the Solana ecosystem since the Wormhole cross-chain bridge attack.

Before the Drift incident, its TVL was approximately $550 million; the attack resulted in direct losses of up to $285 million, making it the largest loss among all DeFi security incidents in 2026 to date. Notably, DeFi attack losses in March totaled approximately $52 million across 20 major incidents, but this single Drift security incident has now pushed the上半年 loss figures to a new level.

Without a doubt, the Drift hack once again sounds the familiar yet timeless alarm to the DeFi industry: beyond code security, operational security is equally critical. If the breach is ultimately confirmed to have resulted from an administrator’s private key compromise, it will further validate that no matter how thorough the code audits are, human factors remain the weakest link in on-chain security.

Finally, Odaily Planet Daily reminds users: Do not deposit funds or interact with the protocol until Drift releases a complete investigation report and provides a clear resolution.

Source:Show original
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.