Drift Protocol Drained of $285M in Solana's Largest 2026 DeFi Hack via Fake Token and Governance Hijack
Drift Protocol, Solana's largest perpetual futures exchange, was drained of $285 million on April 1, 2026, in an exploit that targeted governance, not smart contract code. The entire heist took approximately 12 minutes.
The Attack Timeline
| Date | Action |
|---|---|
| March 11 | Attacker withdraws 10 ETH from Tornado Cash |
| March 11-22 | Deploys CarbonVote Token (CVT), seeds liquidity, wash trades |
| March 23-30 | Creates "durable nonce" accounts, social engineers multisig signers |
| March 27 | Drift migrates to 2-of-5 threshold with zero timelock |
| April 1 | Execution: lists CVT, raises limits, drains ~20 vaults |
How It Worked
Phase 1: Fake Token Creation
- Deployed CarbonVote Token (CVT) — a completely fictitious asset
- Minted ~750 million units
- Seeded a small liquidity pool on Raydium
- Wash trading created artificial price history near $1
- Drift's oracles picked up the manufactured price
Phase 2: Governance Hijack via Durable Nonces
- Used durable nonces (a legitimate Solana feature for pre-signed transactions)
- Social-engineered Drift Security Council multisig signers into pre-signing transactions that appeared routine but contained hidden authorizations
- Drift had recently migrated to a 2-of-5 threshold with zero timelock, eliminating detection delay
Phase 3: Execution
- Listed CVT as a valid market on Drift
- Raised withdrawal limits to extreme levels
- Drained funds from nearly 20 vaults in ~12 minutes
Attribution
- TRM Labs and Elliptic independently assessed the hack as "likely perpetrated by North Korean hackers" based on on-chain staging patterns
- Post-hack laundering exceeded the pace of the Bybit exploit in both speed and transaction size
Impact
- TVL: Dropped from ~$550M to $252M (>50% wiped out)
- DRIFT token: Fell ~40%
- Stolen assets: Converted to ~129,066 ETH via Circle's CCTP bridge
- DeFi contagion: Nearly 20 interconnected protocols affected
- Circle criticism: ZachXBT criticized Circle for not freezing stolen USDC during the bridge
Significance
At $285M, this is the largest DeFi hack of 2026 and the second-largest in Solana's history (behind the $326M Wormhole hack in 2022). The attack vector — governance exploitation via social engineering rather than smart contract bugs — highlights that even audited protocols are vulnerable through human trust chains.