Original | Odaily Planet Daily (@OdailyChina)
Author | Wenser (@wenser 2010)
While the flames of conflict in the Middle East remain unextinguished, a security breach involving over $200 million has delivered another heavy blow to the crypto world.
On April 1st, April Fool's Day, Solana's leading derivatives protocol, Drift Protocol, played what might be the least funny 'joke' on everyone: just a week after updating to a multi-signature wallet requiring only 2/5 signatures without a timelock; a week later, over $280 million in JLP-related assets were shockingly stolen. It's hard not to speculate whether this was an inside job.
Latest news, Drift officially confirmed the active attack and has suspended all platform deposits and withdrawals; furthermore, a potentially affected project explicitly stated: "This is not an April Fool's joke."
A statement meant as a jest unveils what could be yet another heavy blow to the Solana DeFi ecosystem.
Drift Protocol Attack Process: 11 Transactions, Treasury Drained in an Instant
Preliminary investigation indicates the attack method involved hijacking administrator privileges and exploiting a multi-signature execution vulnerability.
SlowMist founder Cosmos posted: "A week ago, Drift migrated to a 2/5 multi-signature setup with no timelock (Odaily Planet Daily Note: meaning operations execute immediately) (including 1 old wallet address and 4 new signature wallet addresses). The attacker took over the admin permissions hours ago, minted CVT fake coins, manipulated the oracle, disabled relevant security mechanisms, and drained the pool's valuable assets."
On-chain information shows the attacker first purchased 41.72 million Jupiter liquidity tokens (JLP), worth approximately $155.6 million, then quickly transferred out large amounts of USDC and other tokens, bridged the funds to Ethereum, and purchased about 19,913 ETH, equivalent to roughly $42.6 million.
The entire process involved about 11 large transactions, including:
- 51.61 million USDC, worth approximately $51.62 million;
- 125,000 WSOL, worth approximately $10.45 million;
- 164,000 cbBTC, worth approximately $11.29 million.
- Hacker wallet address: HkGz4KmoZ7Zmk7HN6ndJ31 UJ1qZ2qgwQxgVqQwovpZES.
Within just a few minutes, Drift's total treasury assets plummeted from $309 million to $41 million.
Around 3 AM, Drift officially announced the attack and stated it is jointly responding with multiple security companies, cross-chain bridges, and exchanges.
Attack Cause: Official Conclusion Pending, Admin Private Key Leak Suspected as Main Reason
Currently, Drift has not officially announced the primary cause of this attack.
Security firm PeckShield assessed that the admin keys for Drift Protocol were most likely leaked or compromised, with the attacker gaining privileged access to manipulate the protocol treasury. This assessment characterizes the attack as a breach at the permission level, rather than a smart contract code vulnerability.
Other community messages suggest the attacker might have manipulated collateral parameters, artificially inflating the value of certain illiquid assets, then borrowing high-value tokens against them, ultimately siphoning the treasury funds. This path highly aligns with previous DeFi governance attack patterns. Currently, investigating bodies have not ruled out possibilities like smart contract vulnerabilities or oracle manipulation; the investigation is ongoing.
Notably, the Solana wallet used by the attacker was initially funded with just 1 SOL last week and had previously received a small test transfer of about $2.52 from the Drift treasury, indicating the attacker might have been lying in wait, completing permission verification before the main action. Additionally, funds for the address associated with the Drift attacker originated from Backpack, potentially leaving KYC-related clues.
Market Reaction: DRIFT Token Plunges 28%, SOL Briefly Under Pressure
Following the news of the Drift hack, the market panicked, with DRIFT and SOL quickly trending downward.
The native token of Drift Protocol, DRIFT, fell over 38% in 24 hours, currently trading at around $0.042, a cumulative drop of over 98% from its all-time high of $2.60 in November 2024. The price of SOL also fell under the impact of the news, currently dropping below $80, down nearly 5% in 24 hours, and temporarily quoted at $78.6.
Phantom wallet has proactively popped up risk warnings for users attempting to access the Drift protocol; Solana treasury listed company Forward Industries and DeFi Development Corp have also issued statements confirming their funds were not affected by this attack.
Largest DeFi Attack on Solana Ecosystem in 2026
According to a post by crypto KOL @lugeweb3, projects that suffered clear losses or significant impact from the Drift hack include:
- @piggybank_fi: $106,000 stolen, team is injecting liquidity to cover user losses.
- @DeFiCarrot: Boost and Turbo products unaffected, but overall impacted by the vulnerability, minting/redemption functions paused.
- @uselulo: Traditional deposits may be affected (protected and enhanced deposits are safe).
- @reflectmoney: All minting/redemption for USDC+ and USDT+ frozen.
- @project0: Borrowing collateralized by Drift markets paused.
- @ranger_finance: rgUSD deposits/withdrawals paused, $900,000 of $14.6 million TVL on Drift frozen.
- @elementaldefi: SOL and Lend funds deposited on Drift frozen (USDC and ONYC funds safe).
- @TradeNeutral: All Drift-related vaults (JLP, BTC/ETH/SOL super staking, Hyper JLP, etc., total TVL $3.6 million) potentially affected, deposits/withdrawals paused.
- @xplaceapp: Deposits/withdrawals unavailable, credit mode and lending functions disabled.
- @GetPyra: Funds affected, all card functions paused.
- @ExponentFinance: USDC+ related transactions paused.
- @fusewallet: Deposits paused.
- @perena: Stablecoins unaffected, but redemptions paused; JLP Vault on Neutral Trade ($512,000 TVL) potentially affected.
Projects that have explicitly stated they are unaffected:
- @JupiterExchange
- @kamino
- @UnitasLabs
- @onrefinance
- @solflare
- @hylo_so
- @MarinadeFinance
- @synatraxyz
- @solsticefi
- @defidevcorp
- @jito_sol
- @MeteoraAG
- @sanctumso
- @wormhole
Based on scale estimates, this event could become one of the largest DeFi security incidents in the Solana ecosystem since the Wormhole bridge attack.
Prior to the Drift incident, its TVL was approximately $550 million; this attack directly resulted in losses of $285 million, ranking it the largest loss scale among all DeFi security incidents so far in 2026. Notably, DeFi attack losses in March totaled about $52 million, covering 20 major incidents. Now, this single Drift security event has pushed the half-year loss figure to a new magnitude.
Without a doubt, the Drift hack once again sounds that old-fashioned but perpetually relevant alarm bell for the DeFi industry—beyond code security, operational security is equally critical. If the cause is ultimately confirmed to be an admin private key leak, it will also reaffirm: No matter how perfect the code audit is, the human factor remains the weakest link in on-chain security.
Finally, Odaily Planet Daily reminds users: Before Drift releases a full investigation report and provides a clear solution, do not deposit funds into the protocol or interact with it.
