On April 1, 2026, Drift Protocol, a decentralized perpetual contract exchange in the Solana ecosystem, was hacked, with total stolen assets estimated at about $285 million. The attacker obtained administrator permissions for the protocol’s multisig wallet, emptied assets such as USDC, SOL, cbBTC, and WETH from multiple funding pools within one hour, and bridged them to the Ethereum network, where they were exchanged for approximately 129,000 ETH (worth about $278 million). As of April 2, 2026, the stolen funds were dispersed across 4 Ethereum addresses. The protocol’s total value locked (TVL) dropped sharply from $550 million to about $255 million. The incident became the largest single DeFi security loss of 2026.

The attack was not sudden, but involved an approximately eight-day preparation period. On-chain data shows that the attacker’s wallet address HkGz4K… was created on March 24, 2026. It obtained initial funds via the NEAR Intents cross-chain system and sent a small test transaction (about $2.52) to the Drift Vault to verify contract control permissions. The attack window officially opened at 16:00 UTC on April 1:
Technically, the attacker did not exploit a smart contract code vulnerability. Instead, after obtaining administrator permissions for the multisig wallet, they carried out the following actions in sequence: minting a fake token (CVT) → manipulating oracle prices → disabling the security module → extracting high-value assets.
The direct cause of this attack was a security flaw in Drift’s multisig management configuration. A post-incident report by SlowMist (a security firm) states that about one week before the attack, Drift changed its multisig to a “2/5” scheme (1 old signer plus 4 new signers) and did not set any timelock.
A timelock is a mandatory delay mechanism that requires a 24–48 hour waiting period before high-privilege configuration changes can take effect, providing a buffer window for community and security institutions to detect anomalies. Without a timelock, once a new signer’s private key is stolen or maliciously controlled, the attacker can immediately execute administrator-level operations. The attacker leveraged the original sole signer in the old multisig and another newly added signer to co-sign, transferring administrator permissions to an address they controlled—thereby bypassing all user-layer security protections.
After the attack succeeded, the attacker initiated a funds disposal process:
The logic behind choosing ETH as the final asset includes: Ethereum has the highest liquidity, making it easier to liquidate quickly; converting multi-asset stolen proceeds into a single asset can cut off the original funds’ on-chain tracking trail; and spreading the funds across several addresses reduces the risk that freezing a single address would immobilize everything. Some USDC was frozen on Ethereum by Circle, but it represents an extremely small proportion of the total stolen amount.
The event’s direct financial impact on Drift is reflected in TVL data. According to DeFiLlama statistics:
| Time (UTC) | TVL (USD) |
| --- | --- |
| April 1, 00:00 | About $550 million |
| April 1, 22:41 | About $255 million |
A 50% cut in TVL means the liquidity pool size shrinks, which will increase trading slippage and reduce capital efficiency—thereby compressing the protocol’s trading volume and fee revenue. From a more macro perspective of the Solana ecosystem, this event is the largest-scale DeFi security incident for the ecosystem since the 2022 Wormhole bridge attack ($326 million). From January to March 2026, 15 DeFi protocols cumulatively lost about $137 million. Drift’s single-incident loss was about twice that amount, and also far exceeded the prior record for the largest single loss of $27.3 million.
The response speed of the stablecoin issuer Circle during the incident sparked industry discussion. After the attack, some USDC was frozen on the Ethereum network by Circle, but large amounts of USDC transferred through cross-chain bridges were not intercepted in time because they were not controlled via Circle’s directly managed addresses. On-chain investigator ZachXBT criticized this, arguing that Circle’s freeze mechanism for cross-chain USDC has a delayed response.
This controversy exposes a gray area in DeFi security incidents: the lack of clear legal frameworks and industry consensus regarding the proactive intervention obligations of stablecoin issuers in cross-chain environments. Currently, issuers like Circle can only freeze USDC on their native chain (Ethereum) that is directly controlled by addresses managed by Circle. For “bridged USDC” generated via third-party cross-chain bridges such as Wormhole, or wrapped assets after cross-chain transfer, the issuer does not have direct freezing authority. This case may prompt regulators to impose more specific requirements on stablecoin issuers’ risk response obligations.
The core structural contradiction behind the Drift attack is that DeFi protocols promote themselves to users as non-custodial and trust-minimized, but at the management level they often retain highly centralized administrator privileges (commonly called “God keys”). Once an attacker gains administrator permissions, they can perform three high-risk operations in a single transaction: creating a fake market, manipulating oracle prices, and lifting withdrawal restrictions—indicating that the protocol lacks multi-layer validation, operational delay thresholds, and real-time risk control triggers.
It’s worth noting that in Drift’s 2022 v1 version, a similar issue involving management privileges caused a loss of $14.5 million. The team later fully compensated and published a technical post-mortem. Four years later, the same pattern reappeared on a larger scale, showing that even after review and iteration, the fundamental security architecture’s centralized permission risks remain unresolved.
Q: Is it possible to recover the $285 million stolen from Drift Protocol?
As of April 2, 2026, the stolen funds had been moved cross-chain to the Ethereum network, exchanged for ETH, and dispersed across four addresses. The overall funds-recovery rate for 2026 DeFi security incidents is less than 7% (only about $9 million recovered out of $137 million). Because the attacker used mature multi-address dispersion and cross-chain laundering methods, technical recovery is highly unlikely.
Q: Did this attack affect the security of other Solana ecosystem DeFi protocols?
This attack originated from specific vulnerabilities in Drift’s multisig configuration and lack of a timelock mechanism, not from systemic flaws in Solana’s underlying blockchain or common smart contract standards. However, the incident will significantly increase scrutiny by auditors and users of other DeFi protocols within Solana regarding management permissions, potentially causing short-term reallocation of TVL across protocols.
Q: How should protocol developers prevent similar administrator privilege attacks?
Industry security standards recommend three core measures: first, implement a timelock of at least 24 hours for all high-privilege configuration changes, with automated monitoring and alerts; second, adopt a multisig scheme with at least 4/7 signatures (or higher), and store signers’ private keys in hardware security modules (HSM) with physical isolation; third, deploy on-chain real-time risk-control modules that automatically trigger delayed execution and community verification when a single transaction involves administrator operations and exceeds a predefined amount.
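The timelock behavior described earlier and the first recommendation above, as an added example (not Drift's code or any Solana program's API): a small Rust model of a multisig admin queue in which a 2-of-5 co-signature executes instantly with no delay, but is held and can be vetoed under a 24-hour timelock. All type, function, and signer names and the timestamp are hypothetical.

```rust
use std::collections::HashSet;

// Constructed model of a multisig admin queue; all names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum Blocked { UnknownSigner, BelowThreshold, TimelockActive { ready_at: u64 }, Cancelled }

pub struct Governance { signers: HashSet<&'static str>, threshold: usize, delay_secs: u64 }

pub struct AdminChange { approvals: HashSet<&'static str>, queued_at: u64, cancelled: bool }

impl Governance {
    pub fn new(signers: &[&'static str], threshold: usize, delay_secs: u64) -> Self {
        Governance { signers: signers.iter().copied().collect(), threshold, delay_secs }
    }
    // Queue a high-privilege change (e.g. an admin transfer) at `now` (unix seconds).
    pub fn queue(&self, now: u64) -> AdminChange {
        AdminChange { approvals: HashSet::new(), queued_at: now, cancelled: false }
    }
    pub fn approve(&self, c: &mut AdminChange, signer: &'static str) -> Result<(), Blocked> {
        if !self.signers.contains(signer) { return Err(Blocked::UnknownSigner); }
        c.approvals.insert(signer); // set semantics: a repeated signature counts once
        Ok(())
    }
    // Execution needs the threshold AND an elapsed delay; the delay is the review window.
    pub fn execute(&self, c: &AdminChange, now: u64) -> Result<(), Blocked> {
        if c.cancelled { return Err(Blocked::Cancelled); }
        if c.approvals.len() < self.threshold { return Err(Blocked::BelowThreshold); }
        let ready_at = c.queued_at + self.delay_secs;
        if now < ready_at { return Err(Blocked::TimelockActive { ready_at }); }
        Ok(())
    }
}

// Two signers co-sign an admin change under a 2-of-5 scheme.
// Returns (result at queue time, result after defenders cancel during the window).
pub fn two_key_change(delay_secs: u64) -> (Result<(), Blocked>, Result<(), Blocked>) {
    let gov = Governance::new(&["old", "new1", "new2", "new3", "new4"], 2, delay_secs);
    let t0 = 1_000_000; // constructed timestamp
    let mut change = gov.queue(t0);
    gov.approve(&mut change, "old").unwrap();
    gov.approve(&mut change, "new1").unwrap();
    let immediate = gov.execute(&change, t0);
    change.cancelled = true; // monitoring flags the change and it is vetoed
    (immediate, gov.execute(&change, t0 + delay_secs))
}

fn main() {
    println!("no timelock:  {:?}", two_key_change(0).0);
    println!("24h timelock: {:?}", two_key_change(24 * 3600));
}
```

The delay only helps if something watches the queue: the cancel step stands in for the automated monitoring and alerting the first measure calls for.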