Drift Protocol officially confirmed on April 2, 2026, that hackers successfully drained approximately $285 million in user assets during a sophisticated attack on April 1. The exploit represents a new paradigm in DeFi attacks, focusing on human vulnerabilities rather than smart contract bugs. The attackers spent three weeks manufacturing fake collateral through a worthless token called CarbonVote (CVT), which they seeded with just $500 in liquidity on Raydium DEX while conducting wash trading to maintain a stable $1.00 price that fooled Drift's oracle systems.
The attack's execution phase involved compromising Drift's Security Council through social engineering, with hackers convincing multisig signers to pre-approve transactions using Solana's durable nonce feature. This allowed them to execute pre-signed administrative transfers weeks after initial approval, completely bypassing the protocol's security mechanisms. Within 12 minutes of execution, the hackers had drained over $285 million across multiple asset types including USDC, SOL, JLP tokens, wrapped Bitcoin, and other Solana-native assets. The protocol immediately suspended all deposits and withdrawals while coordinating with security firms and law enforcement.
The aftermath has been severe, with Drift's native token losing over 25% of its value and the protocol's TVL falling by more than half. Security experts note this attack highlights critical gaps in DeFi security auditing, as neither Trail of Bits' 2022 audit nor ClawSecure's February 2026 review identified the governance vulnerabilities that made the attack possible. The incident serves as a stark reminder that sophisticated attackers are increasingly targeting human behavior and governance processes rather than relying solely on code exploits.
