Drift Protocol Loses $285M in Security Breach, Exposing DeFi Governance Weaknesses

Odaily

Summary

On April 1, 2026, Drift Protocol suffered a $285 million security breach after attackers exploited a 2/5 multisig configuration and used social engineering to gain control. The theft occurred in under 15 minutes, with funds drained through a fraudulent token. The incident revealed critical flaws in governance and key management. Experts are now urging a protocol update to incorporate hardware security modules and professional custody solutions.

On April 1, 2026, Drift Protocol, the largest decentralized perpetuals exchange in the Solana ecosystem, suffered a catastrophic breach. In just minutes, $285 million in crypto assets were stolen, marking the largest security incident in DeFi this year.

As on-chain data is analyzed and security agencies become deeply involved, the full picture of this APT attack, suspected to be led by a North Korean hacker group, is gradually emerging. What is heartbreaking is that a DeFi fortress holding hundreds of millions of dollars was brought down not by a sophisticated zero-day vulnerability but by a months-long social engineering campaign that directly targeted human nature.

This disaster wasn't just Drift's darkest moment—it exposed the current DeFi industry's lax governance and key management practices for what they truly are: amateurish and unprofessional.

The Long-Awaited Hunt: How Did Drift Fall Step by Step?

Reviewing the hacker’s attack path, we find it was an extremely meticulous and patient, multi-pronged operation. The attackers expertly exploited the Web3 developer community’s blind faith in “code is law” and their neglect of the weakest link: people.

Step 1: Lurking under the guise of a market maker

Six months before the incident, the attackers impersonated a well-capitalized quantitative trading firm. They not only socialized with Drift’s core team at major crypto conferences but also deposited millions of dollars in real funds into the protocol. By participating in product testing and offering high-quality strategy recommendations, the hackers successfully gained access to Drift’s internal communication channels and established deadly trust.

Step 2: Plant a time bomb using a "durable nonce"

After gaining the trust of core contributors, the hacker exploited the Solana network’s unique “Durable Nonces” mechanism, which allows transactions to be signed offline in advance and broadcast for execution at any future time. Through persuasive language and fabricated testing requests, the hacker tricked members of Drift’s Security Council into “blindly signing” several transactions that appeared ordinary. In reality, the payload of these transactions transferred the highest administrative control of the protocol.
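A signer-side check for the mechanism described above, as an added example that is not from the original article or from Drift: it parses a serialized legacy Solana message and reports whether its first instruction is the System Program's AdvanceNonceAccount, which marks a transaction that does not expire with a recent blockhash. The function names and the sample messages are constructed for illustration; versioned messages are rejected rather than parsed.

```python
# Added example: signer-side durable-nonce check on a legacy Solana message.
SYSTEM_PROGRAM = bytes(32)   # System Program id is 32 zero bytes
ADVANCE_NONCE_ACCOUNT = 4    # SystemInstruction discriminant, u32 little-endian

def read_compact_u16(buf, pos):
    """Decode a compact-u16 length prefix; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def parse_legacy_message(msg):
    """Return [(program_id, account_keys, data)] for each instruction."""
    if msg[0] & 0x80:
        raise ValueError("versioned message, not handled in this example")
    pos = 3                                  # 3-byte message header
    n_keys, pos = read_compact_u16(msg, pos)
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys + 32                  # keys, then recent_blockhash / nonce value
    n_ix, pos = read_compact_u16(msg, pos)
    out = []
    for _ in range(n_ix):
        program = keys[msg[pos]]
        n_acc, pos = read_compact_u16(msg, pos + 1)
        accounts = [keys[i] for i in msg[pos:pos + n_acc]]
        n_data, pos = read_compact_u16(msg, pos + n_acc)
        out.append((program, accounts, msg[pos:pos + n_data]))
        pos += n_data
    return out

def uses_durable_nonce(msg):
    """True when the first instruction is System Program AdvanceNonceAccount."""
    for program, _, data in parse_legacy_message(msg)[:1]:
        return (program == SYSTEM_PROGRAM
                and data[:4] == ADVANCE_NONCE_ACCOUNT.to_bytes(4, "little"))
    return False

def build_sample(ix_data):
    """Constructed message: authority, nonce account, sysvar, System Program."""
    keys = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, SYSTEM_PROGRAM]
    ix = bytes([3, 3, 1, 2, 0, len(ix_data)]) + ix_data
    return bytes([1, 0, 2, len(keys)]) + b"".join(keys) + b"\x09" * 32 + b"\x01" + ix

NONCE_TX = build_sample((4).to_bytes(4, "little"))               # AdvanceNonceAccount
TRANSFER_TX = build_sample((2).to_bytes(4, "little") + bytes(8)) # Transfer, 0 lamports
```

A positive result is not proof of malice; it tells the signer that the signature stays usable indefinitely, so every remaining instruction should be decoded and reviewed before signing.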

Step 3: The Fatal 2/5 Multisig with Zero Time Lock

On March 27, Drift executed a critical governance update: migrating the Security Council to a new 2/5 multisig structure and removing the timelock. This means that any instruction altering the protocol’s core logic can be executed instantly with just two signatures, leaving no time to respond, not even by pulling the plug.

Step 4: The Illusory "Fake Coin" ATM

On April 1, the hacker triggered all deployed exploits simultaneously. They broadcast the pre-obtained multisig instructions, instantly seizing the protocol’s admin privileges. Subsequently, the hacker added a fraudulent token called CVT (CarbonVote Token) to the whitelist and set its borrowing limit to the maximum. Coupled with oracle price manipulation, the hacker used a large volume of worthless tokens as collateral to legitimately “borrow” $285 million in USDC, SOL, and ETH from Drift’s treasury.

Valid signature ≠ Legitimate intent: The Achilles' heel of DeFi security

In the Drift incident, the most disheartening part is this: from the perspective of the blockchain virtual machine, every step the hacker took was “legitimate.” They didn’t exploit an overflow vulnerability or perform a reentrancy attack; they simply obtained the legitimate admin key and walked boldly into the vault.

This reveals a significant misalignment in current DeFi protocols’ treasury management: using retail-level tools designed for managing hundreds of dollars to manage institutional treasuries worth hundreds of millions of dollars.

Currently, most major DeFi protocols still heavily rely on traditional smart contract-based multisignature solutions (such as Safe or native multisig mechanisms). This architecture has two critical flaws:

  1. Social engineering can't be stopped: if hackers successfully target (through phishing, coercion, or bribery) just a few key individuals who hold private keys, the entire defense collapses.
  2. Lack of intent verification: Multisig only checks whether these individuals signed; it does not verify what they signed, even when it is effectively a contract selling themselves out.

From Geek Experiment to Financial Infrastructure: The Inevitable Evolution of Web3 Security

Drift’s $285 million loss delivered a costly lesson: as Web3 and traditional finance converge at an accelerating pace, DeFi protocols must move beyond governance models reliant solely on developer self-discipline and simple multisigs, and adopt institutional-grade security standards.

Currently, industry leaders and security experts have reached a consensus that the next security iteration of DeFi infrastructure must include upgrades in the following core dimensions:

Upgrade of the cryptographic foundation: Moving toward HSM (Hardware Security Module)

Compared to software-based multisig aggregation, an HSM stores the protocol’s private keys within certified, military-grade encrypted chips and makes the keys non-exportable. This hardware-level physical isolation and security control removes the risk of keys being extracted through social engineering attacks on insiders or through device compromise, providing protocol vaults with key security far superior to traditional multisig. An HSM does not by itself judge what it is asked to sign, so approvers tricked as in Step 2 still need the policy checks described below.

Introduce the "intent-based" policy engine

Future DeFi governance approvals must go beyond mere signature verification. The system must incorporate built-in risk control logic. For example, when a transaction attempts to set the borrowing limit for an unknown token (such as CVT in the Drift case) to unlimited, the policy engine should automatically detect its anomalous intent, trigger a circuit breaker, and enforce higher-level verification (such as multi-tiered human risk review, video verification, or mandatory time locks).
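A sketch of such a policy check, as an added example that is not from the original article or from any protocol's code: it evaluates decoded governance actions against rules for unreviewed tokens, oversized borrowing limits and missing time locks, and holds the whole batch if any rule fires. The action schema, the token allow-list and every threshold are hypothetical.

```python
from dataclasses import dataclass

# Added example: the action schema, names and thresholds are all hypothetical.
REVIEWED_TOKENS = {"USDC", "SOL", "ETH"}   # assets that passed listing review
MAX_BORROW_LIMIT_USD = 5_000_000           # cap for an automatically approved change
MIN_TIMELOCK_SECONDS = 48 * 3600           # delay required for admin-level actions
ADMIN_ACTIONS = {"transfer_admin", "set_timelock", "set_multisig_threshold"}

@dataclass
class Action:
    kind: str                  # "list_collateral", "set_borrow_limit", "transfer_admin", ...
    token: str = ""
    value: float = 0.0         # limit in USD, or new time lock in seconds
    timelock_seconds: int = 0  # delay this proposal itself executes under

def evaluate(action):
    """Return (decision, reasons); decision is ALLOW or HOLD."""
    reasons = []
    if action.kind in ADMIN_ACTIONS and action.timelock_seconds < MIN_TIMELOCK_SECONDS:
        reasons.append("admin-level change without the mandatory time lock")
    if action.kind == "set_timelock" and action.value < MIN_TIMELOCK_SECONDS:
        reasons.append("proposal shortens or removes the time lock")
    if action.kind in {"list_collateral", "set_borrow_limit"}:
        if action.token not in REVIEWED_TOKENS:
            reasons.append(f"token {action.token!r} has not passed listing review")
        if action.value > MAX_BORROW_LIMIT_USD:
            reasons.append("borrow limit exceeds the auto-approval cap")
    return ("HOLD" if reasons else "ALLOW"), reasons

def evaluate_batch(actions):
    """Circuit breaker: one HOLD in a batch holds every action in it."""
    results = [evaluate(a) for a in actions]
    held = any(decision == "HOLD" for decision, _ in results)
    return ("HOLD" if held else "ALLOW"), [r for _, rs in results for r in rs]

# Constructed batch mirroring the sequence the article describes.
DRIFT_LIKE = [
    Action("set_timelock", value=0),
    Action("transfer_admin"),
    Action("set_borrow_limit", token="CVT", value=float("inf")),
]
ROUTINE = [Action("set_borrow_limit", token="USDC", value=1_000_000)]
```

A HOLD here would route the batch to the higher-level verification the paragraph lists, such as human risk review or a mandatory time lock, instead of letting two valid signatures execute it immediately.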

Embrace independent, compliant custody

As TVL continues to grow, protocol developers should focus their efforts on code logic and business innovation, while entrusting the control and security of hundreds of millions in treasury assets to professional third-party compliant custodians. Just as in traditional finance, exchanges do not store user assets in the CEO’s personal safe. Introducing institutional-grade risk management processes with strong defensive capabilities and thorough audits is an essential step for DeFi’s path toward mainstream adoption.

As institutional service providers like Cactus Custody, long dedicated to digital asset security, advocate: DeFi’s decentralization should not be an excuse to evade systemic risk management.

The Drift hack may be a turning point. It signals the failure of ad-hoc governance and heralds the arrival of a new security paradigm centered on hardware architecture, intent verification, and professional custody. Only by strengthening this defense can Web3 truly support a trillion-dollar future.
