Quick overview of the $285 million Drift theft: Hackers stole private keys and drained liquidity in 10 seconds.

The stolen assets from the Drift protocol have been exchanged by the attackers for 129,000 ETH, worth 278 million.

Written by: Mahe, Foresight News

On April 2, Drift Protocol issued two announcements on the X platform. The first was "Abnormal activity has been observed in the protocol and is under investigation. Please do not deposit funds." The second was a direct confirmation that "it is under active attack" and all deposits and withdrawals were suspended.

On-chain data shows that over $285 million in assets flowed out of the protocol's vault within minutes, making it the largest single DeFi attack since 2026. Bitget data shows that the DRIFT token plummeted by over 30%, briefly falling to around $0.04. Latest data from DefiLlama shows its total value locked (TVL) has dropped from approximately $550 million to $250 million.

The attack began in the early hours of April 2nd. On-chain monitoring platform PeckShield issued an alert: the Drift main vault address began massive transfers to a newly created wallet, HkGz4K. The first transfers primarily consisted of JLP (Jito Liquidity Provider) tokens, worth approximately $155 million, followed by USDC, SOL, cbBTC, wBTC, WETH, and some meme coins.

Founded in late 2021, Drift Protocol is one of the earliest DEXs on Solana focusing on perpetual contract trading. It is known for its low latency, high leverage, and extensive product line, supporting perpetual contracts for mainstream assets such as SOL, BTC, and ETH, as well as a large number of meme coins and emerging tokens.

Since 2024, with the recovery of the Solana ecosystem, Drift's daily transaction volume has stabilized at several hundred million US dollars, and its TVL has remained in the range of 300-500 million US dollars for a long time. In September 2024, Drift completed a $25 million funding round, led by Multicoin Capital.

The Drift protocol employs a unique Vault design, in which user deposits are placed into vaults of varying risk levels. The protocol balances long and short positions through dynamic rates and an insurance fund mechanism. This very design, where "user funds go directly into the vault," which should have provided greater transparency and security, became a fatal weakness in this attack.

The attack lasted less than an hour, and PeckShield data shows that a total of $285 million in assets flowed out. The attackers acted extremely quickly, first converting most of the assets into USDC through the Jupiter aggregator, then bridging them across chains to Ethereum, where they continuously bought ETH.

Attack Start and End

Details of the hacker's actions surfaced hours after the attack. According to an analysis by Omer, co-founder of blockchain risk analysis service provider Chaos Labs, the administrator key of the Drift protocol was compromised, resulting in the loss of over $213 million in funds within less than 10 seconds.

The attackers used compromised signer keys to gain complete control over market creation, oracle allocation, and withdrawal limits, and the protocol lacked time locks, multi-signature, or delay protection. The entire attack was completed in less than 15 seconds, and subsequent additional wETH and dSOL withdrawals could have increased the total loss to over $240 million.

This Drift hack began with the creation of a spot market. In a single transaction, the attacker invoked InitializeSpotMarket to create CVT's spot market #63 and set extreme parameters. These parameters allowed the attacker to deposit worthless tokens as collateral and borrow against them without limit. Simultaneously, in the same transaction, the attacker raised the circuit-breaker limits on five real asset markets 20-fold, including USDC, wETH, dSOL, JLP, and cbBTC, ensuring that subsequent large withdrawals would not be blocked.

Next was oracle manipulation: The attacker used a SwitchboardOnDemand oracle under their control for the CVT market, configuring Drift to read prices from the Switchboard feed with oracle_source=11, and setting the prices to make CVT appear to be worth hundreds of millions of SOL. This oracle had 20 pool trades during April 1st, demonstrating active price manipulation.

Finally, the token itself: The attacker minted CVT tokens with a total supply of approximately 750 million (fixed supply, with the mint authority set to none), held approximately 600 million (80%), and deposited them into the Drift protocol in two installments (500 million first, then the remaining 100 million). This token had no organic market activity and was created purely for this attack.

After the hack, the JLP vault was almost completely drained, falling from 41.7 million JLP to just 133 JLP.

Subsequent updates revealed that the intrusion was related to Drift's migration from the old multi-signature system to the new one.

Omer added details about the stolen administrator key: A week ago, Drift migrated to a new multisig, which was created by one of the signers from the old multisig, but that signer did not add themselves to the new multisig. The attacker also initiated a proposal in the old multisig to transfer administrator control to this new wallet.

The new multisignature had five signers, only one of whom was from the previous setup, while the other four were from entirely new addresses. A 2/5 threshold and a 0-second time lock were set. Approximately five hours ago, the sole remaining signer from the old setup used the new multisignature to request changes to Drift's administrator privileges. A new signer signed one second later, instantly reaching the 2/5 threshold. Because there was no time lock, the transaction was executed immediately.
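As an added illustration (not code from the article, from Drift, or from Chaos Labs), here is a constructed Python model of the signer setup described above: one legacy signer, four new ones, a 2/5 threshold and a 0-second timelock. The Multisig class, the signer names and the assess_migration checks are assumptions made for this example; they show how a post-quorum delay and a carried-over-signer requirement would have changed the outcome.

```python
from dataclasses import dataclass, field

@dataclass
class Multisig:
    signers: frozenset
    threshold: int
    timelock_seconds: int
    proposals: dict = field(default_factory=dict)

    def propose(self, pid, signer, now):
        self._check(signer)
        self.proposals[pid] = {"approvals": set(), "ready_at": None}
        self.approve(pid, signer, now)

    def approve(self, pid, signer, now):
        self._check(signer)
        p = self.proposals[pid]
        p["approvals"].add(signer)
        # The delay window only starts once the quorum is first reached.
        if p["ready_at"] is None and len(p["approvals"]) >= self.threshold:
            p["ready_at"] = now + self.timelock_seconds

    def can_execute(self, pid, now):
        ready_at = self.proposals[pid]["ready_at"]
        return ready_at is not None and now >= ready_at

    def _check(self, signer):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer")


def assess_migration(old_signers, new_signers, threshold, timelock_seconds):
    """Governance weaknesses to flag before handing admin rights to a new multisig."""
    findings = []
    if timelock_seconds == 0:
        findings.append("timelock is 0s: a quorum executes instantly, nothing can be vetoed")
    if threshold * 2 <= len(new_signers):
        findings.append(f"threshold {threshold}/{len(new_signers)} is not a majority")
    if len(new_signers - old_signers) >= threshold:
        findings.append("signers with no history can reach quorum on their own")
    if len(old_signers & new_signers) < threshold:
        findings.append("too few legacy signers carried over; every quorum needs an unknown key")
    return findings


def replay_cutover(timelock_seconds):
    """Constructed replay of the setup described above: 1 legacy + 4 new signers, 2/5."""
    old = frozenset({"legacy_a", "legacy_b", "legacy_c"})
    new = frozenset({"legacy_a", "new_1", "new_2", "new_3", "new_4"})
    ms = Multisig(new, 2, timelock_seconds)
    ms.propose("transfer_admin", "legacy_a", now=0)
    ms.approve("transfer_admin", "new_1", now=1)  # second signature one second later
    return assess_migration(old, new, 2, timelock_seconds), ms.can_execute("transfer_admin", 1)
```

With a 0-second timelock the replay returns four findings and the admin transfer is executable one second after the proposal; with any non-zero delay the same two signatures cannot execute until the window has passed.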

Following the hack, the Drift team reacted swiftly but with limited information. The official announcement, aside from suspending deposits and withdrawals and coordinating with multiple security companies, bridging protocols, and exchanges, did not immediately disclose the specific attack vectors or details of the damage.

Phantom Wallet has urgently cut off its interaction with Drift, preventing users from directly accessing the protocol interface. Jupiter officially stated that its lending product, Jupiter Lend, is not involved in the Drift market, and that JLP assets are entirely backed by underlying assets.

As of now, the Drift protocol remains suspended. The $285 million in assets stolen from the Drift protocol have been exchanged by the attackers for 129,000 ETH (worth approximately $278 million).

Historically, recovering funds from attacks of similar scale has been extremely difficult.
