Odaily News According to monitoring by crypto analyst Ai Yi @ai_9684xtpa, the Drift attacker address has been continuously buying ETH recently. In the past 5 minutes, it used approximately $2.45 million USDC to purchase another 1,195 ETH. Currently, the four addresses under its control collectively hold 130,293 ETH, valued at approximately $266 million.
Odaily News Drift Protocol disclosed the execution process of this security incident, stating that the attack began with a test withdrawal transaction initiated from its insurance fund. Approximately one minute later, the attacker took over administrator permissions and executed subsequent operations through two pre-signed durable nonce transactions.
The project team indicated that this attack was caused by multiple factors, including the delayed execution capability of pre-signed transactions, and the compromise of multi-signature approval, which may be related to targeted social engineering attacks or transaction spoofing. Drift is currently collaborating with multiple security agencies to investigate the cause, and is working with cross-chain bridges, exchanges, and law enforcement to track and freeze the related funds. A detailed post-mortem report will be released subsequently.
Odaily News UPBIT Announcement: Notice regarding the designation of DRIFT as a trading caution item.
According to SolanaFloor monitoring, the Drift protocol vulnerability incident has affected 11 DeFi protocols, including Reflect Money, Ranger Finance, Neutral Trade, Elemental DeFi, Project 0, Lulo Finance, Asgard Finance, DeFi Carrot, Pyra, xPlace, and Fuse Wallet. Some protocols have suspended functions such as minting, redemption, or deposits/withdrawals.
Ranger Finance confirmed an exposure of approximately $900,000, accounting for about 6% of its total value locked (TVL) of $14.6 million. Pyra stated that user funds were affected because they were deposited in Drift to earn yields, and has suspended the Pyra Card function. Asgard Finance indicated that its exposure related to Drift is not significant, has disabled this credit source, and is contacting affected users. Fuse Wallet has paused deposits from its Earn product into Drift, while the wallet itself remains unaffected. DeFi Carrot has suspended minting and redemption functions, but its Boost and Turbo products are unaffected. xPlace has paused deposits and withdrawals for its Savings product and temporarily disabled its credit model and lending functions. Protocols such as Elemental DeFi and Project 0 stated that related fund allocations have been suspended, awaiting Drift's resumption of operations. Lulo Finance warned that Classic deposit users may be affected, while its Protected and Boosted products have no exposure.
Odaily News: SendAI developer aryan posted on X, stating: "I found some interesting clues on-chain: The Drift attacker address (HkG...ZES) received funds via Near Intents 8 days ago but remained inactive until it suddenly received a large amount of funds from the Drift vault. The attacker then transferred/exchanged these funds to a money laundering address (8ub...Gxw) and several other addresses. Interestingly, all these addresses received funds from Backpack just yesterday, which likely means Backpack has performed KYC on these accounts. Subsequently, these money laundering addresses transferred the funds via Wormhole to an Ethereum address, which had previously received funds through Tornado Cash.
Odaily News SlowMist founder Cosine posted on X, stating: "Drift Protocol was hacked for over $200 million in assets. A week ago, it migrated to a 2/5 multi-sig with no timelock (1 old + 4 new signers). The attacker took over admin permissions hours ago, minted CVT fake tokens, manipulated the Oracle, disabled related security mechanisms, and drained the pool's valuable assets..."
Odaily News: Renowned on-chain investigator ZachXBT has once again publicly criticized Circle, stating that the Drift hack occurred during US trading hours, with millions of USDC transferred from Solana to Ethereum via CCTP (Circle's Cross-Chain Transfer Protocol), while Circle was "asleep at the wheel" and took no action. Just days ago, Circle arbitrarily froze at least 16 corporate hot wallets, which are still in the process of being slowly unfrozen.
ZachXBT concluded by saying, "Circle is a bad actor in this industry."
Odaily News Drift Protocol posted on platform X stating that after confirming the protocol was attacked, deposit and withdrawal functions have currently been suspended. They are coordinating with multiple security firms, bridging services, and exchanges to contain the impact of this incident. Further updates on this security event will be published on official accounts.
Odaily News Jupiter posted on platform X, stating that Jupiter was unaffected by the Drift incident. Jupiter Lend was not involved in the Drift market, and JLP is fully backed by underlying assets. Jupiter also expressed that it was a difficult day for Solana DeFi and extended condolences to the Drift team and all those affected.
Odaily News: A security incident has occurred on the Solana-based derivatives trading platform Drift Protocol. On-chain data indicates losses of at least approximately $200 million, with some estimates approaching $270 million.
The project team stated that they have detected abnormal activity and are currently investigating. Users are advised to temporarily refrain from depositing funds into the protocol, with the team emphasizing that "this is not an April Fools' joke."
The attack involved multiple liquidity pools, including JLP Delta Neutral, SOL Super Staking, and BTC Super Staking. A single transfer of approximately 41.7 million JLP tokens was valued at around $155 million. Additionally, assets such as SOL, USDC, cbBTC, and wBTC were also withdrawn.
According to statistics, this incident may become one of the largest DeFi attacks in the Solana ecosystem since the Wormhole bridge exploit.
