285 billion won disappeared in 12 minutes.
Four days ago, Drift Protocol, a Solana-based decentralized perpetual futures exchange, was subjected to a massive hacking attack. According to security analysis firm TRM Labs, attackers stole $285 million (approximately 394.8 billion KRW) in about 12 minutes. Drift had to issue an urgent notice through its official channels, unusually stating, "This is not an April Fool's joke."
The scale of the damage is the largest DeFi hack in history this year. It is also the second largest in Solana's history, following the 2022 Wormhole Bridge hack ($326 million).
Drift's TVL plummeted from $550 million to the $240 million range immediately after the attack. The price of the DRIFT token plunged by up to 47% within 24 hours, falling to the $0.04 range.
It wasn't a code bug. It breached governance.
This attack was not a typical hacking incident utilizing smart contract code vulnerabilities. The attacker combined 'social engineering' with Solana's normal function, the 'Durable Nonce,' to seize control of the governance structure itself.
Preparations began three weeks ago. On March 11, the attacker withdrew ETH from the Ethereum mixer Tornado Cash and used it to issue a completely fictitious asset called the 'Carbonboat Token (CVT).' Blockchain analysts noted that the CVT distribution timestamp corresponded to 9 a.m. Pyongyang time, and TRM Labs and Elliptic independently assessed that this attack was consistent with the methods of North Korea-linked hacking organizations.
Subsequently, the attacker set up minimal liquidity for CVT on the Raydium DEX and inflated the price through laundering transactions. Then, between March 23 and 30, they deceived Drift Security Council multisig signers to obtain pre-signatures for transactions that appeared to be routine on the surface. These signatures became 'reserved execution keys' that the attacker could execute immediately at any time.
The critical vulnerability was created by Drift itself on March 27. On that day, Drift completely removed the Timelock while switching the Security Council to a 2-of-5 signature structure. A Timelock is a safeguard that enforces a 24 to 72-hour delay on administrator actions, providing an opportunity to detect anomalous behavior. The moment the Timelock disappeared, the attacker's pre-signed transactions became immediately executable.
On April 1, the attacker registered CVT as valid collateral, raised the withdrawal limit, and deposited hundreds of millions of dollars of CVT to withdraw real assets from Drift's Risk Engine. The stolen assets included USDC, SOL, JLP, WBTC, etc., and the attacker swapped them for USDC on Solana and then bridged them to Ethereum via the CCTP (Cross-Chain Transfer Protocol) to convert them into ETH.
Although it was a protocol that passed security audits by Trail of Bits (2022) and ClawSecure (February 2026), CVT's market introduction and recent governance changes escaped the audit network.
The contagion was immediate.
Drift's hacking quickly spread beyond the directly involved protocols. More than 20 Solana protocols were affected in a chain reaction.
Protocols directly or indirectly linked to Drift disclosed the extent of the damage and took emergency measures. Carrot Protocol suspended mint and redeem functions after 50% of its TVL was affected. Pyra Protocol completely blocked withdrawals. Ranger Finance confirmed an exposure of over $900,000 and suspended RGUSD deposits and withdrawals. Prime Numbers Fi reported millions of dollars in losses. PiggyBank immediately covered a loss of $106,000 using team funds.
Even protocols without direct exposure could not escape the damage. Solana's total DeFi TVL fell by approximately $1 billion to $6.544 billion within hours of the exploit being confirmed. Major protocols not directly linked to the drift, such as Jito (-4.3%), Raydium (-4.33%), and Sanctum (-3.83%), also recorded capital outflows.
In DeFi, trust operates at the ecosystem level, not the protocol level. Users do not wait for a second confirmation. They withdraw first and decide later.
SOL prices also take a direct hit
Solana (SOL) also took a direct hit. On April 2, SOL traded in the range of approximately $78 to $83 and fell by more than 6% within 24 hours. On a weekly basis, it dropped 11%, marking the largest decline among major cryptocurrencies. The U.S. spot Solana ETF recorded a net outflow of $7.84 million on the same day, marking the fourth-largest daily outflow in history.
However, a variable is that the macroeconomic environment also deteriorated simultaneously, with WTI crude oil surging by up to 13% as President Trump’s remarks threatening military action against Iran coincided with the shock of the DeFi hacking.
Governance is a new attack vector.
The heaviest lesson left by this hack is the shift in attack vectors. It has been confirmed once again that governance structures and human judgment can be more vulnerable than smart contract bugs.
The removal of time locks, changes to multisig configurations, and social engineering approaches conducted behind audited code. Drift hacking demonstrates that attacks that cannot be prevented by technical security audits alone have already become a reality. There is a growing demand across the industry to redefine standards regarding governance design, key management, and the mandatory implementation of time locks.
In DeFi, the first loss is funds. The second loss is trust. And trust returns much more slowly than TVL.
Real-time news... Go to TokenPost Telegram
[Economic Analysis] From Inflation Shock to Demand Collapse… "Look at the Military, Not the Tweets"
View full Alpha Report →<Copyright ⓒ TokenPost, unauthorized reproduction and redistribution prohibited>
