Original article by Odaily (@OdailyChina)
Author | Wenser (@wenser2010)

With the conflict in the Middle East still raging, a security attack involving over $200 million has dealt another blow to the crypto community.
On April Fool's Day, April 1st, Drift Protocol, a leading derivatives protocol in the Solana ecosystem, played a joke on everyone that seemed anything but a joke: just a week prior, it had updated its multisignature mechanism to require only 2/5 signatures and had not implemented a time lock; a week later, over $280 million in JLP-related assets were stolen. This inevitably raises suspicions of insider theft.
In the latest news, Drift officially confirmed that it had been attacked and has suspended all fund deposits and withdrawals on the platform; moreover, a potentially affected project has stated explicitly: "This is not an April Fool's joke."
A seemingly joking statement may actually be revealing yet another heavy blow to the Solana DeFi ecosystem.
The attack on Drift Protocol: 11 transactions emptied the vault instantly.
Preliminary investigations indicate that the attack exploited administrator privilege hijacking and a multi-signature execution vulnerability.
SlowMist founder Yu Xian posted: "A week ago, Drift migrated to a 2/5 multisignature pool (including 1 old wallet address and 4 new signature wallet addresses) without time lock (Odaily note: meaning the operation can be executed immediately). A few hours ago, the attacker took over the management privileges, minted CVT fake coins, manipulated oracles, disabled related security mechanisms, and absconded with the pool's valuable assets."
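To make the governance point concrete, the following is an added example, not code from Drift, SlowMist or the original article: a toy Python model of an M-of-N admin multisig with an optional time lock, replayed against two stolen keys. The signer names `k1` to `k5`, the single-signer veto rule and the `replay` helper are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AdminMultisig:
    """Toy M-of-N admin multisig with an optional timelock (constructed model)."""
    signers: set
    threshold: int
    timelock_s: int = 0                 # 0 = executable the moment M keys sign
    proposals: dict = field(default_factory=dict)

    def approve(self, pid, signer, now):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer")
        p = self.proposals.setdefault(
            pid, {"by": set(), "ready_at": None, "state": "pending"})
        p["by"].add(signer)
        if len(p["by"]) >= self.threshold and p["ready_at"] is None:
            p["ready_at"] = now + self.timelock_s   # delay starts at quorum

    def veto(self, pid, signer):
        # Assumption: any one signer may cancel a proposal that has not executed.
        p = self.proposals[pid]
        if signer in self.signers and p["state"] == "pending":
            p["state"] = "vetoed"

    def execute(self, pid, now):
        p = self.proposals[pid]
        ready = p["ready_at"] is not None and now >= p["ready_at"]
        if p["state"] == "pending" and ready:
            p["state"] = "executed"
        return p["state"] == "executed"

def replay(threshold, timelock_s, stolen_keys, alert_delay_s):
    """Stolen keys approve a malicious admin change at t=0; honest signer k5
    vetoes alert_delay_s seconds later. Returns the proposal's final state."""
    ms = AdminMultisig({"k1", "k2", "k3", "k4", "k5"}, threshold, timelock_s)
    for key in stolen_keys:
        ms.approve("admin-change", key, now=0)
    # Replay both sides in time order; on a tie the execution lands first.
    for t, action in sorted([(timelock_s, "execute"), (alert_delay_s, "veto")]):
        if action == "execute":
            ms.execute("admin-change", now=t)
        else:
            ms.veto("admin-change", "k5")
    return ms.proposals["admin-change"]["state"]

if __name__ == "__main__":
    print(replay(2, 0, ["k1", "k2"], 3600))        # 2/5, no timelock
    print(replay(2, 86400, ["k1", "k2"], 3600))    # 2/5, 24 h timelock
    print(replay(3, 0, ["k1", "k2"], 3600))        # 3/5, no timelock
```

In this model a time lock only helps when monitoring reacts faster than the delay: `replay(2, 3600, ["k1", "k2"], 86400)` still ends in execution.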
On-chain information shows that the attackers first bought 41.72 million Jupiter liquidity tokens (JLP), worth approximately $155.6 million, then quickly transferred out a large amount of USDC and other tokens, and transferred the funds across chains to Ethereum to purchase approximately 19,913 ETH, equivalent to approximately $42.6 million.
The entire process encompassed approximately 11 large transactions, including:
- 51.61 million USDC, worth approximately $51.62 million;
- 125,000 WSOL tokens, worth approximately US$10.45 million;
- 164,000 cbBTC, worth approximately $11.29 million.
- Hacker's wallet address: HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES.
Within minutes, Drift's total treasury assets plummeted from $309 million to $41 million.
Around 3 a.m., Drift officially announced that it had been attacked and announced that it had launched a joint response with several security companies, cross-chain bridges and exchanges.

Cause of attack: The official conclusion is still pending, but the main cause is likely the leakage of the administrator's private key.
Currently, Drift has not officially announced the main reason for this attack.
Security firm PeckShield determined that Drift Protocol's administrator key was highly likely compromised, allowing attackers to gain privileged access and control of the protocol's vault. This assessment characterizes the attack as a breach at the permission level, rather than a vulnerability in the smart contract code.
Other community reports suggest that attackers may have manipulated collateral parameters, artificially inflating the value of certain illiquid assets to borrow high-value tokens, ultimately stealing funds from the vault. This pattern closely resembles previous DeFi governance attacks. Currently, investigative agencies have not ruled out the possibility of smart contract vulnerabilities or oracle manipulation, and the investigation is ongoing.
Notably, the Solana wallet used by the attackers only completed its initial deposit of 1 SOL last week, and had previously received a small test transfer of approximately $2.52 from the Drift vault, suggesting that the attackers may have been lying in wait and completed authorization verification before the actual operation. Furthermore, the funds in the Drift attacker's associated address originated from Backpack, potentially leaving clues related to KYC (Know Your Customer) procedures.
Market reaction: DRIFT token plunges 28%, SOL briefly under pressure.
Following the news of the Drift theft, the market panicked, and DRIFT and SOL quickly fell.

Drift Protocol's native token, DRIFT, has fallen over 38% in the past 24 hours and is currently trading at approximately $0.042. This represents a cumulative drop of over 98% from its all-time high of $2.60 reached in November 2024. SOL's price also fell following the news: it is down nearly 5% in the past 24 hours and is currently trading at $78.6, below $80.
Phantom Wallet has proactively displayed risk warnings to users attempting to access the Drift protocol; Solana's publicly traded companies Forward Industries and DeFi Development Corp have also issued statements confirming that their funds were not affected by the attack.
The largest DeFi attack in the Solana ecosystem in 2026
According to a post by crypto KOL @lugeweb3, projects that suffered clear losses or were severely affected by the Drift theft include:
- @piggybank_fi: $106,000 was stolen; the team is injecting liquidity to compensate users for their losses.
- @DeFiCarrot: Boost and Turbo products are unaffected, but the entire product line is affected by the vulnerability and the minting/exchange function has been suspended.
- @uselulo: Traditional deposits may be affected (protected and enhanced deposits are not affected).
- @reflectmoney: All issuance/redemption of USDC+ and USDT+ has been frozen.
- @project0: Loans secured by the Drift Market have been suspended.
- @ranger_finance: rgUSD deposits/withdrawals are suspended, and $900,000 of the $14.6 million TVL on Drift is frozen.
- @elementaldefi: SOL and Lend funds deposited into Drift are frozen (USDC and ONYC funds are safe).
- @TradeNeutral: All Drift-related vaults (JLP, BTC/ETH/SOL super staking, Hyper JLP, etc., with a total TVL of $3.6 million) may be affected, and deposits/withdrawals will be suspended.
- @xplaceapp: Deposits/withdrawals are unavailable; credit mode and lending functions are disabled.
- @GetPyra: Funds are affected, all card functions are suspended.
- @ExponentFinance: USDC+ related transactions are suspended.
- @fusewallet: Deposits are suspended.
- @perena: Stablecoins are unaffected, but redemptions are suspended; JLP Vault (US$512,000 TVL) on Neutral Trade may be affected.
Projects that have been explicitly stated to be unaffected:
- @JupiterExchange
- @kamino
- @UnitasLabs
- @onrefinance
- @solflare
- @hylo_so
- @MarinadeFinance
- @synatraxyz
- @solsticefi
- @defidevcorp
- @jito_sol
- @MeteoraAG
- @sanctumso
- @wormhole
Based on its scale, this incident may become one of the largest DeFi security incidents in the Solana ecosystem since the Wormhole cross-chain bridge attack.
Before the Drift incident, its TVL was approximately $550 million. The attack resulted in direct losses of $285 million, making it the largest DeFi security incident of 2026 to date. It's worth noting that total DeFi attack losses in March amounted to approximately $52 million, covering 20 major incidents. This single Drift security incident has raised the total losses for the first half of the year to a new level.
Undoubtedly, the Drift theft incident has once again sounded the old but timeless alarm bell for the DeFi industry—in addition to code security, operational security is equally critical. If it is ultimately confirmed that the theft was caused by the leakage of the administrator's private key, this will further confirm that no matter how thorough the code audit is, the human factor is always the weakest link in on-chain security.
Finally, Odaily reminds users: Do not deposit funds into the protocol or interact with it until Drift releases a full investigation report and provides a clear solution.




