Drift Protocol plans to fully reimburse victims $295 million through a recovery Token mechanism, expected to relaunch in Q2 2026.
A month after hackers linked to North Korea withdrew $295 million from the decentralized exchange Drift Protocol on Solana, the platform announced a detailed recovery roadmap, including a refund mechanism for users and a plan to relaunch with a security architecture rebuilt from scratch. This is one of the most systematic responses ever from a DeFi protocol to a large-scale attack.
The April 1st mining incident was attributed by forensic investigation firm Mandiant to a threat actor linked to the North Korean state. Following the incident, Drift temporarily suspended all trading and borrowing activities to prevent further damage. To date, approximately 130,259 ETH, worth roughly $293 million, remains in four Ethereum wallets under active monitoring and has been flagged on exchanges.
Two Wormhole bridge money transfers were delayed until the end of July through the protocol's governance mechanism, while Circle froze an additional $3.36 million in related USDC . The majority of the stolen assets remain traceable, a key factor in making the reimbursement plan feasible.
Recovery Token mechanism and relaunch roadmap
To compensate victims, Drift will issue “recovery Token ” to each affected wallet, with each Token equivalent to $1 of verified losses. The recovery fund is initially Capital from approximately $3.8 million of the protocol’s remaining assets and will gradually increase through quarterly exchange revenue, up to a maximum of $127.5 million from Tether and up to $20 million from strategic partners.
Users can begin redeeming Token once the fund exceeds $5 million, but early redemption means forfeiting any future claims. The fund will continue to operate until the total inflow matches the full $295,426,725.97 loss.
Technically, the attack exploited a vulnerability related to Solana 's durable Nonce mechanism, allowing attackers to create valid transactions that were signed beforehand and activated afterward. To fix this, Drift stated that it would deploy the entire program to a new address with fully rotated keys, apply timelocks to sensitive administrative operations, and remove the attack surface related to the durable Nonce.
The relaunch target is set for Q2 2026, with a focus on perpetual contracts, a $20 million market-making base from Tether , and a public bounty program paying 10% on any successfully redeemed assets, in partnership with Bybit.
The Drift incident once again raises questions about the readiness of DeFi infrastructure against organized cybersecurity threats, particularly from state-sponsored hacking groups. How this protocol handles the post-crisis period, from information transparency and structured compensation mechanisms to the technical reconstruction roadmap, will become a crucial benchmark for the entire industry in the coming years.
