{"id":95842,"date":"2026-04-02T10:46:15","date_gmt":"2026-04-02T07:46:15","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=95842"},"modified":"2026-04-02T10:51:13","modified_gmt":"2026-04-02T07:51:13","slug":"drift-protocol-on-solana-loses-280m","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/drift-protocol-on-solana-loses-280m\/","title":{"rendered":"Drift Protocol on Solana loses $280m"},"content":{"rendered":"<p>On April 1, the <a href=\"https:\/\/forklog.com\/en\/news\/what-is-decentralised-finance-defi\">DeFi<\/a> platform Drift Protocol on <a href=\"https:\/\/forklog.com\/en\/news\/what-is-solana-sol\">Solana<\/a> was hacked. The attacker drained at least $280m.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">We are observing unusual activity on the protocol. We are currently investigating. Please do not deposit funds into the protocol while we investigate. This is not an April Fools joke. Proceed with caution until further notice. We\u2019ll provide additional updates from this account.<\/p>\n<p>\u2014 Drift (@DriftProtocol) <a href=\"https:\/\/twitter.com\/DriftProtocol\/status\/2039404931778535427?ref_src=twsrc%5Etfw\">April 1, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cWe are observing unusual activity and are currently investigating. Please do not deposit any funds into the platform. This is not an April Fools joke. Proceed with caution until further notice,\u201d the team wrote.<\/em><\/p>\n<\/blockquote>\n<h2 class=\"wp-block-heading\">Timeline<\/h2>\n<p>According to the developers, the hacker prepared the operation for several days. As early as March 23, they created four wallets with a delayed-transaction mechanism (durable nonces). Two were associated with members of Drift\u2019s Security Council, and two were under the attacker\u2019s control.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift\u2019s Security Council administrative powers.<\/p>\n<p>This was a highly sophisticated operation that appears to have involved\u2026<\/p>\n<p>\u2014 Drift (@DriftProtocol) <a href=\"https:\/\/twitter.com\/DriftProtocol\/status\/2039564437795836039?ref_src=twsrc%5Etfw\">April 2, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>At least two of five signers approved transfers from these wallets. The developers suggested the attacker used sophisticated social-engineering techniques.<\/p>\n<p>A few days later, the project conducted a scheduled rotation of the Council. In response, on March 30 the hacker created a new wallet for the updated multisig.<\/p>\n<p>The attack took place on April 1. First, the Drift team carried out a legitimate test withdrawal from the insurance fund. About a minute later, the attacker activated two pre-signed transactions. One created and approved a malicious transfer of powers; the second executed it.<\/p>\n<h2 class=\"wp-block-heading\">Aftermath<\/h2>\n<p>The attack affected all deposit types\u2014lending, trading and vaults. DSOL tokens outside the Drift ecosystem and the Insurance Fund\u2019s assets were untouched. For safety, the protocol froze remaining functions, updated the multisig and removed the compromised wallet.<\/p>\n<p>The project is currently working with cybersecurity specialists, <a href=\"https:\/\/forklog.com\/en\/news\/what-are-cross-chain-bridges\">cross-chain bridges<\/a>, exchanges and law enforcement to trace and block the stolen funds.<\/p>\n<p>Among the stolen assets were <a href=\"https:\/\/forklog.com\/en\/news\/what-is-a-wrapped-token\">wrapped versions<\/a> of bitcoin, Jito tokens, the memecoin Fartcoin, other altcoins, as well as <a href=\"https:\/\/forklog.com\/en\/news\/what-are-stablecoins\">stablecoins<\/a> pegged to the US dollar, euro and Japanese yen. After the theft the hacker distributed the funds across several wallets.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p lang=\"en\" dir=\"ltr\">Assets stolen in dollars:<\/p>\n<p>$5.3M USDS<br \/>$60.4M USDC<br \/>$5.65M USDT<br \/>$430K JUP<br \/>$540K USDY<br \/>$590K ZBTC<br \/>$680K EURC<br \/>$1M BSOL<br \/>$2.5M INF<br \/>$2M MSOL<br \/>$3.3M SYRUPUSDC<br \/>$4.1M FARTCOIN<br \/>$4.4M WBTC<br \/>$3.6M JITOSOL<br \/>$4.7M WETH<br \/>$4.5M DSOL<br \/>$11.3M CBBTC<br \/>$155.6M JPL<\/p>\n<p>\u2014 Vladimir S. | Officer&#8217;s Notes (@officer_secret) <a href=\"https:\/\/twitter.com\/officer_secret\/status\/2039402658201559300?ref_src=twsrc%5Etfw\">April 1, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Following the incident, the protocol\u2019s native coin DRIFT fell by almost 37%\u2014from $0.07 to $0.04. Market capitalisation almost halved\u2014from $41m to $25m.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-5eaae89b9d126cf5-717147415283739.webp\" alt=\"Drift price \" class=\"wp-image-277862\"\/><figcaption class=\"wp-element-caption\">Source: <a href=\"https:\/\/www.coingecko.com\/en\/coins\/drift-protocol\">CoinGecko<\/a>. <\/figcaption><\/figure>\n<p><span data-descr=\"total value locked\" class=\"old_tooltip\">TVL<\/span> for Drift remains around $245m.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-ae51cf6f8f33abf4-717184377532524.webp\" alt=\"Drift TVL chart\" class=\"wp-image-277863\"\/><figcaption class=\"wp-element-caption\">Source: <a href=\"https:\/\/defillama.com\/protocol\/drift\">DefiLlama<\/a>. <\/figcaption><\/figure>\n<p>Users doubt the project\u2019s prospects for recovery after the hack. The statistics hint at the same: major attacks are <a href=\"https:\/\/forklog.com\/en\/news\/major-hacks-spell-doom-for-80-of-crypto-protocols-experts-say\">considered<\/a> a \u201cdeath sentence\u201d for 80% of protocols. The Drift incident <a href=\"https:\/\/rekt.news\/leaderboard\">will rank among<\/a> the industry\u2019s largest.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">I think Drift just\u2026 dies here?<\/p>\n<p>ByBit was able to get a billion dollar loan immediately after their hack because their yearly revenue numbers justified it<\/p>\n<p>Drift doesn&#8217;t make nearly enough money for a company\/bank to comfortably underwrite a loan to fill the hole here.<\/p>\n<p>rip :\/ <a href=\"https:\/\/t.co\/RsKoGYRZlU\">pic.twitter.com\/RsKoGYRZlU<\/a><\/p>\n<p>\u2014 Eddie (@DancingEddie_) <a href=\"https:\/\/twitter.com\/DancingEddie_\/status\/2039408270327054385?ref_src=twsrc%5Etfw\">April 1, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cI think Drift just\u2026 dies here? Bybit was able to get a billion-dollar loan immediately after the hack because their yearly revenue justified such sums. Drift doesn\u2019t make enough for any company or bank to comfortably issue a loan to plug a hole like this,\u201d wrote a community member under the nickname Eddie.<\/em><\/p>\n<\/blockquote>\n<h2 class=\"wp-block-heading\">Backlash against Circle<\/h2>\n<p>Participants in the crypto industry criticised the company behind <a href=\"https:\/\/forklog.com\/en\/news\/what-is-the-usdc-stablecoin\">USDC<\/a>, Circle, for a slow response to the Drift hack. Delphi Digital co-founder Tommy Shaughnessy said the issuer did not promptly freeze funds linked to the attack.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Circle not freezing the USDC is hilarious because we know it\u2019s centralized but they\u2019re like nah, we\u2019ll let the money freely flow to North Korea<\/p>\n<p>I like USDC since it\u2019s a programmable stablecoin for all of DeFi and enables innovation<\/p>\n<p>But we can freeze the money flowing to NK<\/p>\n<p>\u2014 Tommy (@Shaughnessy119) <a href=\"https:\/\/twitter.com\/Shaughnessy119\/status\/2039508885669896463?ref_src=twsrc%5Etfw\">April 2, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cCircle not freezing USDC looks absurd. Everyone knows the stablecoin is centralised, but the company seems not to impede the free flow of funds\u2014even to North Korea,\u201d he wrote.<\/em><\/p>\n<\/blockquote>\n<p>On-chain sleuth ZachXBT voiced a similar view. He stressed that the hacker moved hundreds of millions of dollars from Solana to Ethereum during US business hours and Circle did nothing to stop it.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p lang=\"en\" dir=\"ltr\">Circle was asleep while many millions of USDC was swapped via CCTP from Solana to Ethereum for hours from the 9 figure Drift hack during US hours. <\/p>\n<p>Value was moved and nothing was done yet again.<\/p>\n<p>Comes days after you froze 16+ business hot wallets incompetently which is still\u2026 <a href=\"https:\/\/t.co\/T0Xwg1HIfO\">pic.twitter.com\/T0Xwg1HIfO<\/a><\/p>\n<p>\u2014 ZachXBT (@zachxbt) <a href=\"https:\/\/twitter.com\/zachxbt\/status\/2039496650906034602?ref_src=twsrc%5Etfw\">April 2, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>At the time of writing, the company had still taken no action.<\/p>\n<p>In late March, ZachXBT <a href=\"https:\/\/forklog.com\/en\/news\/zachxbt-accuses-circle-of-wrongfully-freezing-16-wallets\">accused<\/a> Circle of mistakenly freezing 16 wallets.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On April 1, the DeFi platform Drift Protocol on Solana was hacked. The attacker drained at least $280m.<\/p>\n","protected":false},"author":1,"featured_media":95843,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"Drift Protocol on Solana hacked; at least $280m stolen.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1220,44,1093,1159],"class_list":["post-95842","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-circle","tag-cybercrime","tag-defi","tag-solana-sol"],"aioseo_notices":[],"amp_enabled":true,"views":"149","promo_type":"1","layout_type":"1","short_excerpt":"Drift Protocol on Solana hacked; at least $280m stolen.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/95842","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=95842"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/95842\/revisions"}],"predecessor-version":[{"id":95844,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/95842\/revisions\/95844"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/95843"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=95842"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=95842"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=95842"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}