
The largest hack in Solana history


The decentralized exchange Drift Protocol on the Solana blockchain suffered one of the largest attacks in its history – attackers withdrew about $286 million from three main protocol vaults.

The incident began on April 1, 2026. At first, the Drift team detected “abnormal activity” and advised users to temporarily refrain from making deposits. Shortly after, an emergency decision was made – a complete halt of deposit and withdrawal operations. By the morning of April 2, it became clear that this was not a glitch, but a carefully planned attack with serious consequences for the entire ecosystem.

The situation points to a combined nature of the attack. No vulnerability was found in the smart contract code – the attackers took a different route, combining Solana’s technical features with elements of social engineering. A key role was played by the durable nonces mechanism – a tool designed for offline signatures and delayed transactions. In normal practice, it improves convenience and security, but in this case it became part of a compromise chain.

The scenario developed gradually. The attacker managed to obtain preliminary approval from two out of five multisig participants, which formally met the established security rules. However, a more sophisticated scheme was then used – through the creation and artificial “warming up” of the CVT token. A classic wash-trading technique was employed, allowing the creation of the appearance of an active and legitimate trading history. Against this backdrop, trust was built in the fake asset, which ultimately opened access to the administrative functions of the protocol’s Security Council.
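A pre-signing check that multisig tooling could run to flag a transaction built on a durable nonce, the mechanism named above, shown as an added example (not code from the article or from Drift). It assumes the transaction message has already been decoded into account keys and instructions; `durable_nonce_info`, `review_before_signing` and all sample keys except the System Program and sysvar IDs are hypothetical.

```python
import struct
from dataclasses import dataclass

SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # index of AdvanceNonceAccount in the SystemInstruction enum

@dataclass
class Instruction:
    program_id_index: int  # index into Message.account_keys
    accounts: list         # account indices, in instruction order
    data: bytes

@dataclass
class Message:
    account_keys: list
    instructions: list

def durable_nonce_info(msg):
    """Return (nonce_account, nonce_authority) for a durable-nonce transaction, else None."""
    if not msg.instructions:
        return None
    first = msg.instructions[0]  # the nonce advance must be the first instruction
    keys = msg.account_keys
    if first.program_id_index >= len(keys) or keys[first.program_id_index] != SYSTEM_PROGRAM_ID:
        return None
    if len(first.data) < 4 or struct.unpack("<I", first.data[:4])[0] != ADVANCE_NONCE_ACCOUNT:
        return None
    if len(first.accounts) < 3 or max(first.accounts[:3]) >= len(keys):
        return None
    # Account order: nonce account, RecentBlockhashes sysvar, nonce authority
    return keys[first.accounts[0]], keys[first.accounts[2]]

def review_before_signing(msg, known_signers):
    """Findings a multisig member should see before approving msg."""
    info = durable_nonce_info(msg)
    if info is None:
        return []
    nonce_account, authority = info
    findings = [f"durable nonce {nonce_account}: approval stays valid until the nonce is advanced"]
    if authority not in known_signers:
        findings.append(f"nonce authority {authority} is outside the signer set")
    return findings

# Constructed sample data: all keys are placeholders except the System Program and sysvar IDs.
KEYS = ["SIGNER_A", "NONCE_ACCOUNT", "OUTSIDE_AUTHORITY",
        "SysvarRecentB1ockHashes11111111111111111111", SYSTEM_PROGRAM_ID, "ADMIN_PROGRAM"]
ADVANCE = Instruction(4, [1, 3, 2], struct.pack("<I", ADVANCE_NONCE_ACCOUNT))
ADMIN_CALL = Instruction(5, [0], b"\x01")
DURABLE_TX = Message(KEYS, [ADVANCE, ADMIN_CALL])
ORDINARY_TX = Message(KEYS, [ADMIN_CALL])
```

Unlike a transaction tied to a recent blockhash, a signature over `DURABLE_TX` does not age out on its own, so an early approval remains usable until the nonce authority advances the nonce.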

According to analysts from TRM Labs, the active phase of the attack lasted about 12 minutes – the time during which the main strike against the reserves was carried out. The largest transaction involved approximately 41.7 million JLP tokens worth around $155 million. The funds were withdrawn from JLP Delta Neutral, SOL Super Staking, and BTC Super Staking vaults, then quickly converted into USDC and transferred to the Ethereum network. Such a fast cross-chain maneuver made further tracking of the funds more difficult.

According to Elliptic, North Korean hacker groups may be involved in the attack, which aligns with previously observed patterns in similar incidents – high preparation, targeted pressure on infrastructure, and the use of complex multi-step laundering schemes.

The consequences for the protocol were severe. Drift’s total TVL dropped by almost half – from about $550 million to less than $250 million. Nearly all user categories were affected – from borrow/lend deposits to vault deposits and trading balances. This is a classic trust effect – once security is undermined, liquidity leaves faster than news spreads.

The protocol team responded quickly: all functions were frozen, the multisig structure was rebuilt, and the compromised wallet was removed from control. On April 3, on-chain messages were sent to addresses associated with the stolen funds on Ethereum, offering contact via Blockscan chat for negotiations. At the same time, coordination began with cybersecurity firms, bridges, exchanges, and law enforcement agencies to track and potentially block the assets.

The broader context is also important. The attack on Drift shows that in DeFi the key risk is not so much the code, but the access management process. A 2-of-5 multisig, which in normal circumstances looks like a reasonable balance between security and efficiency, proved insufficient in a targeted attack on specific participants. This raises an old but still unresolved question – where is the line between convenience and robust protection.

The scheme also shows how attacks are evolving. If earlier the main focus was on finding vulnerabilities in smart contracts, now a hybrid approach is increasingly used – a combination of network technical capabilities and the human factor. And here, as practice shows, the weakest link is found faster than code can be rewritten.

According to preliminary estimates, the incident will become one of the largest and most complex hacks of 2026, as well as the largest in the history of the Solana ecosystem. But even more important is that it may become a trigger for revising security standards in DeFi. The only question is whether the industry will draw conclusions in advance or once again settle for the classic “next time we’ll be more careful.” History tends to prefer the second option, but the market is still learning – even if not always on the first try.

Disclaimer

All content provided on this website (https://wildinwest.com/), including attachments, links, or referenced materials, is for informational and entertainment purposes only and should not be considered financial advice. Third-party materials remain the property of their respective owners.
