Drift Protocol Incident

On April 1, 2026 (April Fools’ Day), Drift Protocol, one of the largest derivatives trading protocols in the Solana ecosystem, suffered a devastating hack.

Because the incident occurred on April Fools’ Day, many users initially thought it was a joke, but later the official team confirmed that this was a real and extremely serious exploitation event.

Below is a detailed reconstruction of what happened and the current progress:

1. Key incident data

  • Loss amount: About $285 million (the largest DeFi hack of 2026 to date).
  • Token price drop: The protocol token $DRIFT fell by more than 40% within a few hours after the news was confirmed; at one point the price dropped to around $0.048.
  • TVL drained: The protocol’s total value locked (TVL) shrank from about $550 million to less than $300 million in just 12 minutes.

2. Attack method analysis

According to initial tracking by security organizations (such as PeckShield and ZachXBT), this was not a simple code vulnerability, but a highly complex admin privilege takeover combined with oracle manipulation:

  1. Privilege exposure: The hacker allegedly obtained the protocol’s Admin Key through social engineering methods.
  2. Creation of fake assets: With admin privileges, the attacker listed a worthless new token and manually disabled the “withdrawal protection” feature in the risk controls.
  3. Collateral manipulation: Through oracle manipulation, the hacker infinitely amplified the collateral value of the fake token.
  4. Draining the treasury: Using these fake collateral assets, the hacker launched 31 large withdrawals within 12 minutes, emptying the treasury of real assets such as USDC, SOL, JLP, WBTC, and others.
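
The drain pattern in step 4 (31 large withdrawals within 12 minutes) is the kind of signal a windowed outflow limit can act on. The following is an added example, not Drift's code and not part of the original post: a sliding-window breaker replayed over constructed events, with the thresholds, class name and function names all being assumptions.

```python
from collections import deque

WINDOW_S = 12 * 60        # the post reports the drain took 12 minutes
MAX_FRACTION = 0.05       # assumed policy: at most 5% of TVL may leave per window
MAX_LARGE = 5             # assumed policy: at most 5 large withdrawals per window
LARGE_USD = 1_000_000     # assumed definition of a "large" withdrawal


class OutflowBreaker:
    """Sliding-window withdrawal limiter; once tripped it stays paused."""
    def __init__(self, tvl_usd):
        self.tvl_usd = tvl_usd
        self.recent = deque()      # (timestamp_s, usd) of approved withdrawals
        self.paused, self.reason = False, None

    def request(self, ts, usd):
        """Return True if the withdrawal is approved, False if blocked."""
        if self.paused:
            return False
        # Drop approvals that have aged out of the window.
        while self.recent and self.recent[0][0] <= ts - WINDOW_S:
            self.recent.popleft()
        outflow = sum(v for _, v in self.recent) + usd
        large = sum(1 for _, v in self.recent if v >= LARGE_USD) + (usd >= LARGE_USD)
        if outflow > MAX_FRACTION * self.tvl_usd:
            self.paused, self.reason = True, "windowed outflow exceeds TVL fraction"
        elif large > MAX_LARGE:
            self.paused, self.reason = True, "too many large withdrawals in window"
        if self.paused:
            return False
        self.recent.append((ts, usd))
        self.tvl_usd -= usd
        return True


def replay(events, tvl_usd):
    """Replay (ts, usd) events; return (usd released, approvals, trip reason)."""
    breaker = OutflowBreaker(tvl_usd)
    released = [usd for ts, usd in events if breaker.request(ts, usd)]
    return sum(released), len(released), breaker.reason


# Constructed burst shaped like the reported drain: 31 withdrawals in 12 minutes.
BURST = [(i * 24, 8_000_000) for i in range(31)]
# Constructed ordinary traffic: small withdrawals, one every 10 minutes.
NORMAL = [(i * 600, 40_000) for i in range(20)]

if __name__ == "__main__":
    print(replay(BURST, 550_000_000), replay(NORMAL, 550_000_000))
```

Because step 2 says the attacker used the admin key to disable withdrawal protection, a limit like this only holds if it cannot be switched off by that same key.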

3. Flow of funds

After gaining control of the assets, the hacker demonstrated a high level of anti-detection capability:

  • Cross-chain laundering: Funds rapidly moved through Circle’s CCTP protocol and ChainFlip to the Ethereum chain.
  • Final assets: As of now, the hacker has converted all of the stolen funds—about $285 million—into 129,066 ETH (about $278 million), and has stored them across multiple new addresses.

4. Official response and follow-up

  • Protocol shutdown: Drift has urgently paused all trading and deposit functions and called on users to not deposit any more funds into the protocol.
  • Efforts to recover funds: The team is working with law enforcement agencies and security experts, and has issued a “white-hat bounty” to the hacker in hopes of recovering some users’ assets through bounty payments, but the hacker has not responded yet.
  • Market ripple effects: This incident severely damaged the market’s trust in the Solana DeFi ecosystem, causing SOL to drop by more than 11% this week, making it the worst-performing among major assets.

Advice for you

  1. Check approvals: If you have used Drift, immediately go to the “Security Settings” in your Solflare or Phantom wallet and revoke all approvals related to Drift contracts.
  2. Beware of scams: After an attack of this scale, social platforms will be flooded with “compensation claim links” impersonating the official team; never click them. Rely only on the official X (formerly Twitter) verified account.
  3. Mitigate risk: Since the hacker holds a large amount of ETH, they may create potential sell-pressure on the ETH price in the short term. It’s recommended to monitor the activity of the relevant addresses.