
April Fool's Joke? Drift Protocol Hacked for Over $280 Million, Potentially Becoming the Second Largest DeFi Heist in Solana's Ecosystem

Wenser
Odaily Senior Author
@wenser2010
2026-04-02 04:12
A week after moving to a 2/5 multisig with no timelock, the protocol was attacked. Is this really not an inside job?
AI Summary
  • Core Viewpoint: Solana's leading DeFi protocol, Drift Protocol, suffered a major security breach, resulting in losses of approximately $285 million. Preliminary analysis points to compromised admin privileges, highlighting that beyond smart contract code security, operational and private key management are equally critical vulnerabilities in the DeFi space.
  • Key Elements:
    1. Massive Attack Scale: The attack led to the theft of around $285 million in assets from the Drift protocol treasury, making it the largest DeFi security incident so far in 2026 and potentially one of the biggest attacks in Solana's history.
    2. Attack Method Analysis: Security firms preliminarily assess it as a leak or theft of admin keys. The attacker exploited the 2/5 multisig authority updated a week ago (with no timelock), hijacked administrative control, then manipulated oracles, minted fake tokens, and transferred assets.
    3. Fund Transfer Path: The attacker bridged a large amount of stolen assets like USDC to Ethereum and converted them into approximately 19,900 ETH. The on-chain transaction process was swift, taking only minutes.
    4. Market and Ecosystem Impact: The DRIFT token plummeted over 38% within 24 hours, putting downward pressure on SOL's price. Funds for multiple projects relying on the Drift protocol were frozen or their functionalities suspended, indicating widespread repercussions.
    5. Security Warning: The incident exposed potential vulnerabilities in DeFi protocols regarding multisignature setup, private key management, and operational procedures, emphasizing the critical role of the "human factor" within security systems.

Original|Odaily (@OdailyChina)

Author|Wenser (@wenser2010)

As tensions in the Middle East continue, a security breach exceeding $200 million has delivered another heavy blow to the crypto space.

On April Fool's Day, April 1st, Drift Protocol, a leading derivatives protocol on Solana, played what might be the least funny "joke" on everyone: just one week after updating to a multi-signature wallet requiring only 2 out of 5 signatures and without a timelock, over $280 million worth of JLP-related assets were stolen. This inevitably raises suspicions of an inside job.

In the latest development, Drift officially confirmed an active attack and has suspended all deposits and withdrawals across the platform. Some potentially affected projects have explicitly stated, "This is not an April Fool's joke."

A statement that sounds like a joke may, in fact, reveal yet another severe blow to the Solana DeFi ecosystem.

The Drift Protocol Attack: 11 Transactions, Treasury Emptied in Minutes

Preliminary investigations suggest the attack involved administrator privilege hijacking and a multi-signature execution vulnerability.

Yu Xian, founder of SlowMist, stated: "One week ago, Drift migrated to a 2/5 multi-signature setup without a timelock (Odaily Note: meaning operations could be executed immediately, involving 1 old wallet address and 4 new signing wallet addresses). The attacker took over administrative permissions hours ago, minted CVT fake tokens, manipulated the oracle, disabled relevant security mechanisms, and drained the pool of valuable assets."
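The difference a timelock makes to the 2/5 setup described above can be shown with a small model. This is an added example, not code from Drift or from the original article; the class, the `guardian` role and the action name `change_oracle` are hypothetical, and the timestamps are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class AdminMultisig:
    """Toy k-of-n admin multisig with an optional timelock (illustrative model only)."""
    signers: frozenset
    threshold: int
    timelock_secs: int
    guardians: frozenset = frozenset()
    pending: dict = field(default_factory=dict)

    def approve(self, action, signer, now):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer")
        p = self.pending.setdefault(action, {"ok": set(), "eta": None, "cancelled": False})
        p["ok"].add(signer)
        # The delay clock starts the moment the threshold is reached.
        if p["eta"] is None and len(p["ok"]) >= self.threshold:
            p["eta"] = now + self.timelock_secs

    def cancel(self, action, who):
        if who not in self.guardians:
            raise PermissionError(f"{who} is not a guardian")
        self.pending[action]["cancelled"] = True

    def execute(self, action, now):
        p = self.pending.get(action)
        if p is None or p["eta"] is None:
            return "rejected: threshold not met"
        if p["cancelled"]:
            return "rejected: cancelled"
        if now < p["eta"]:
            return "rejected: timelocked"
        return "executed"


def two_stolen_keys(timelock_secs):
    """Constructed scenario: two of five signer keys are compromised."""
    ms = AdminMultisig(frozenset("ABCDE"), 2, timelock_secs, frozenset({"guardian"}))
    for key in ("A", "B"):
        ms.approve("change_oracle", key, now=0)
    first_try = ms.execute("change_oracle", now=1)
    if first_try != "executed":
        # The queued action is publicly visible during the delay, so it can be vetoed.
        ms.cancel("change_oracle", "guardian")
    after_delay = ms.execute("change_oracle", now=timelock_secs + 1)
    return first_try, after_delay
```

With a delay of zero the privileged action runs as soon as the second approval lands; with any non-zero delay the same two keys only queue the action, which leaves a window for review and cancellation.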

On-chain data shows the attacker first purchased 41.72 million Jupiter Liquidity Provider (JLP) tokens, worth approximately $155.6 million, then rapidly transferred large amounts of USDC and other tokens out, bridging the funds to Ethereum to purchase about 19,913 ETH, equivalent to roughly $42.6 million.

The entire process involved approximately 11 large transactions, including:

  • 51.61 million USDC, worth about $51.62 million;
  • 125,000 WSOL, worth about $10.45 million;
  • 164,000 cbBTC, worth about $11.29 million. 

Hacker wallet address: HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES.

Within just a few minutes, Drift's total treasury assets plummeted from $309 million to $41 million. 

Around 3 AM, Drift officially announced the attack and stated it is collaborating with multiple security firms, cross-chain bridges, and exchanges in response.

Attack Cause: Official Conclusion Pending, Likely Administrator Private Key Leak

Currently, Drift has not officially announced the primary cause of the attack.

Security firm PeckShield assessed that Drift Protocol's administrator keys were likely leaked or compromised, with the attacker gaining privileged access to manipulate the protocol's treasury. This assessment points to a breach at the permission level rather than a smart contract code vulnerability.

Other community sources suggest the attacker may have manipulated collateral parameters, artificially inflating the value of certain illiquid assets to borrow high-value tokens, ultimately draining the treasury funds. This method aligns closely with previous DeFi governance attack patterns. Currently, investigators have not ruled out possibilities such as smart contract vulnerabilities or oracle manipulation, and the investigation is ongoing. 

Notably, the Solana wallet used by the attacker was initially funded with just 1 SOL last week and had previously received a small test transfer of about $2.52 from the Drift treasury, indicating the attacker may have been lying in wait, verifying permissions before the main action. Furthermore, funds in an address linked to the Drift attacker originated from Backpack, potentially leaving KYC-related clues.
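The small test transfer to a freshly funded wallet is the kind of precursor a treasury monitor can flag before the main outflow. The following detection sketch is an added example, not part of the original article or any Drift tooling; the record fields, wallet labels, thresholds and dates are constructed assumptions, and only the $2.52 and $51.62 million amounts echo figures from the text.

```python
from datetime import datetime, timedelta

def probe_alerts(transfers, allowlist, fresh=timedelta(days=14), probe_usd=100.0):
    """Flag treasury outflows to unknown recipients; escalate new wallets and test-sized amounts."""
    alerts, probed = [], set()
    for t in sorted(transfers, key=lambda r: r["ts"]):  # ISO timestamps sort as text
        if t["to"] in allowlist:
            continue
        when = datetime.fromisoformat(t["ts"])
        funded = datetime.fromisoformat(t["to_first_funded"])
        reasons = ["recipient not on allowlist"]
        if when - funded <= fresh:
            reasons.append("recipient wallet recently funded")
        if t["usd"] <= probe_usd:
            reasons.append("probe-sized amount")
            probed.add(t["to"])
        elif t["to"] in probed:
            reasons.append("large transfer to previously probed recipient")
        severity = "critical" if len(reasons) >= 3 else "high"
        alerts.append((t["ts"], t["to"], severity, reasons))
    return alerts

# Constructed sample records (placeholder labels, not real chain data).
ALLOWLIST = {"MARKET_MAKER_1"}
SAMPLE = [
    {"ts": "2026-03-20T10:00:00", "to": "MARKET_MAKER_1", "usd": 250_000.0,
     "to_first_funded": "2025-01-05T00:00:00"},
    {"ts": "2026-03-22T09:00:00", "to": "OLD_PARTNER", "usd": 40_000.0,
     "to_first_funded": "2024-06-01T00:00:00"},
    {"ts": "2026-03-26T02:14:00", "to": "UNKNOWN_WALLET_X", "usd": 2.52,
     "to_first_funded": "2026-03-25T21:00:00"},
    {"ts": "2026-04-01T01:30:00", "to": "UNKNOWN_WALLET_X", "usd": 51_620_000.0,
     "to_first_funded": "2026-03-25T21:00:00"},
]

if __name__ == "__main__":
    for alert in probe_alerts(SAMPLE, ALLOWLIST):
        print(alert)
```

The point of the rule is that the amount is not what makes the first transfer suspicious: an outflow of a few dollars to a days-old, non-allowlisted address is rated as severely as the later drain.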

Market Reaction: DRIFT Token Plummets 28%, SOL Briefly Under Pressure

Following news of the Drift theft, market panic ensued, with DRIFT and SOL prices quickly declining.


The native token of Drift Protocol, DRIFT, fell over 38% in 24 hours, currently trading around $0.042. This represents a cumulative drop of over 98% from its all-time high of $2.60 in November 2024. The price of SOL also fell under the impact of the news, dropping below $80 with a nearly 5% decline in 24 hours, currently trading around $78.6.

The Phantom wallet has proactively displayed risk warnings to users attempting to access the Drift protocol; publicly listed Solana treasury companies Forward Industries and DeFi Development Corp have also issued statements confirming their funds were not affected by this attack.

The Largest DeFi Attack on Solana Ecosystem in 2026

According to statistics by crypto KOL @lugeweb3, projects that have suffered confirmed losses or significant impact from the Drift incident include:

  • @piggybank_fi: $106,000 stolen, team is injecting liquidity to cover user losses.
  • @DeFiCarrot: Boost and Turbo products unaffected, but overall impacted by the vulnerability; minting/exchange functions paused.
  • @uselulo: Traditional deposits may be affected (protected and enhanced deposits are safe).
  • @reflectmoney: All minting/redemption for USDC+ and USDT+ frozen.
  • @project0: Borrowing collateralized by Drift markets paused.
  • @ranger_finance: rgUSD deposits/withdrawals paused; $9 million of the $14.6 million TVL on Drift frozen.
  • @elementaldefi: SOL and Lend funds deposited into Drift frozen (USDC and ONYC funds safe).
  • @TradeNeutral: All Drift-related vaults (JLP, BTC/ETH/SOL Super Staking, Hyper JLP, etc., total TVL $3.6 million) potentially affected; deposits/withdrawals paused.
  • @xplaceapp: Deposits/withdrawals unavailable; credit mode and lending functions disabled.
  • @GetPyra: Funds affected; all card functions paused.
  • @ExponentFinance: USDC+ related transactions paused.
  • @fusewallet: Deposits paused.
  • @perena: Stablecoins unaffected, but redemptions paused; JLP Vault on Neutral Trade ($512,000 TVL) potentially affected.

Projects that have explicitly stated they are unaffected:

  • @JupiterExchange
  • @kamino
  • @UnitasLabs
  • @onrefinance
  • @solflare
  • @hylo_so
  • @MarinadeFinance
  • @synatraxyz
  • @solsticefi
  • @defidevcorp
  • @jito_sol
  • @MeteoraAG
  • @sanctumso
  • @wormhole

Based on scale estimates, this incident could become one of the largest DeFi security events in the Solana ecosystem since the Wormhole bridge attack. 

Prior to the incident, Drift's TVL was approximately $550 million. This attack resulted in direct losses of $285 million, making it the largest DeFi security incident by loss amount in 2026 so far. Notably, total DeFi attack losses in March were around $52 million across 20 major incidents. Now, this single Drift incident has elevated the loss figure for the first half of the year to a new level.

Undoubtedly, the Drift theft has once again sounded that old but timeless alarm for the DeFi industry—beyond code security, operational security is equally critical. If the cause is ultimately confirmed to be an administrator private key leak, it will once again validate that no matter how thorough the code audits are, the human element remains the weakest link in on-chain security.

Finally, Odaily reminds users: Until Drift releases a complete investigation report and provides a clear solution, do not deposit funds into or interact with the protocol.
