Drift Hacked for $285 Million: Did Hackers Deliver a Fatal Blow to Bear Market DeFi?

Editor | Wu Talk Blockchain

Around April 2, 2026, multiple on-chain monitoring services and media outlets collectively reported abnormal fund outflows from Drift Protocol, an integrated derivatives and lending protocol in the Solana ecosystem. The project team confirmed it was under attack, resulting in approximately $280 million in stolen funds. The protocol has suspended deposits and withdrawals and is collaborating with security agencies, cross-chain bridges, and trading platforms to address the situation.

What is Drift Protocol?

Drift belongs to the category of 'exchange-like' composite DeFi: one of the leading trading protocols launched in 2021, starting with Solana perpetual contracts before expanding into spot trading, lending, and broader 'one-stop protocol' narratives. According to official statements by Drift in 2024, the protocol had over $350 million in Total Value Locked (TVL), more than 175,000 traders, and cumulative trading volumes exceeding $20 billion. In September of the same year, Drift completed a $25 million Series B funding round, bringing its total funding to $52.5 million.

At the mechanism level, Drift's documentation explicitly acknowledges its reliance on external oracle accounts and includes safeguards such as oracle validity checks, TWAP trimming, price deviation bandwidth verification, and updates to market information when necessary to restrict specific actions. Its historical external narrative also emphasized that if oracle prices become 'invalid or manipulated,' exchange assets could be drained within a short period. Therefore, multi-step verifications and 'multi-interval circuit breakers' are used to create response windows.

However, this attack demonstrates that even if a protocol has relatively robust 'market risk control guardrails,' as long as the attacker can access or influence the 'permission layer' (admin keys, multi-signature, governance channels for risk parameters), they may turn these guardrails into tools that can be misappropriated — for instance, by adjusting certain thresholds to distortion levels or irrationally increasing the collateral weight of an asset, ultimately enabling the system to execute asset transfers 'legally' under the premise of 'rewritten rules.'

Drift Protocol responds to $280 million loss: Social engineering and durable nonce mechanism attack

Drift Protocol released a statement regarding today’s security incident, stating that a malicious actor gained unauthorized access to the protocol through a novel attack method involving durable nonce. The attacker quickly took over the management permissions of Drift's Security Council. Drift stated that this was a highly sophisticated attack, suspected to have been planned over several weeks and executed in stages, including the use of pre-signed transactions via durable nonce accounts and delayed execution.

Based on Drift's current investigation, this incident was not caused by vulnerabilities in Drift’s code or smart contracts, and there is no evidence that related mnemonic phrases were leaked. Drift believes that the attacker obtained unauthorized or disguised transaction approvals before execution. The durable nonce mechanism and sophisticated social engineering tactics likely played a crucial role. This event resulted in approximately $280 million worth of assets being transferred out of the protocol.

Drift explained that the attacker was able to complete this attack through several key steps: First, they pre-deployed access paths using durable nonce accounts; then, they obtained sufficient approval authority within the multi-signature framework, specifically 2/5 multi-signature approval; afterward, they executed a malicious administrator rights transfer within minutes, gaining protocol-level permission control; finally, they used this authority to introduce malicious assets and removed all existing withdrawal restrictions, thereby attacking the available funds.

Currently, all funds deposited in lending modules, vaults, and trading accounts have been affected. Unaffected assets include DSOL not deposited into Drift, including assets staked in Drift Validator, as well as insurance fund assets, which will be withdrawn from the protocol and moved to a safer environment for protection.

As a precautionary measure, Drift has frozen all remaining functionalities of the protocol and updated the multi-signature configuration, removing the compromised wallets.

The impact of this incident has spilled over into multiple DeFi protocols within the Solana ecosystem. Projects such as Reflect Money, Ranger Finance, Neutral Trade, Elemental DeFi, Project 0, Lulo Finance, Asgard Finance, DeFi Carrot, Pyra, xPlace, and Fuse Wallet have confirmed being affected, with some suspending minting, redemption, or deposit/withdrawal functions. Ranger Finance reported facing approximately $900,000 in exposure, representing about 6% of its TVL. Pyra stated that users earning rewards on Drift were impacted, prompting the suspension of related card functionalities.

Technical Analysis: Fake CVT Tokens and Oracle Manipulation

According to previous analysis by Helius developer Ichigo, Drift Protocol's incident might be related to the attacker creating fake CVT tokens and manipulating the Switchboard oracle, thereby forming the attack pathway. They noted that the attacker subsequently used social engineering to enter the governance process of the Security Council and pushed for the token to be listed as a high-weight collateral asset despite potentially compromised multi-signature permissions. The attacker minted 'fake tokens' weeks in advance and created a 'pricing anchor' pool on Raydium with extremely low liquidity (around $500). They then conducted wash trading to continuously create price and trading traces, paving the way for subsequent oracle price history manipulation. Notably, the attacker deposited approximately 20 million CVT tokens, nearly worthless, and inflated their value to over $100 million. Using this as collateral, they borrowed real assets from within the protocol and transferred funds, with the overall scale exceeding $200 million.

Market Immediate Reaction

Following the attack on Drift Protocol, its governance token DRIFT plummeted over 40% in the past 24 hours. The annualized negative funding rate for DRIFT USDT-margined perpetual contracts on major exchanges like Binance has surged to the upper limit, exceeding 6,000%, with significant subsidies flowing from shorts to longs.

Timeline of the incident

On March 23, the attacker completed the initial nonce setup. A total of four durable nonce accounts were created that day, two of which were linked to members of Drift's Security Council multi-signature group, while the other two were controlled by the attacker. Drift believes this indicates that at least 2 out of 5 multi-signature signers had approved transactions related to the durable nonce accounts, enabling delayed execution.

On March 25, the suspected main wallet address of the attacker (HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES) obtained initial funds via Near Intents and remained inactive for an extended period until it was suddenly activated on the day of the attack, receiving a large sum of funds from the Drift treasury.

On March 27, Drift executed a planned migration of the Security Council multi-signature as part of a routine update to its Security Council membership.

On March 30, new durable nonce activity emerged again. A new durable nonce account was created for one of the members in the updated multi-signature group. Drift believes this indicates that the attacker once again gained practical control of 2 out of 5 signers in the updated multi-signature group.

On April 1, the attack entered the execution phase. First, Drift executed a test withdrawal transaction from the insurance fund. About a minute later, the attacker swiftly executed two pre-signed durable nonce transactions, with only four slots between them. The first transaction was used to create and approve a malicious admin transfer, and the second transaction was used to approve and execute the malicious admin transfer. At this point, the attacker officially took control of key protocol permissions.

In the afternoon and evening of April 1, the on-chain monitoring tool MLM detected abnormal fund movements in the related addresses, with a total scale of approximately $270.6 million (about 50% of Drift's Total Value Locked), mainly involving assets such as JLP and USDC. Helius CEO Mert stated that on-chain evidence suggested the protocol might have been compromised. Drift's official team soon released a statement confirming they were observing unusual activity within the protocol and advised users not to deposit funds into the protocol until further notice.

Drift stated that the success of this attack hinged on two key factors: pre-signed durable nonce transactions, which allowed the attacker to delay execution to a future time, and the compromise of approvals from multiple multi-signature signers, likely achieved through targeted social engineering attacks or disguised transaction information.

Industry expert opinions and governance reflections

Ledger CTO Charles Guillemet stated that this attack was not due to a vulnerability in the smart contract but rather a prolonged compromise of the multi-signature mechanism. It is suspected that the hacker took control of the devices or private keys of the multi-signature holders, misleading operators into approving malicious transactions. This method bears a striking resemblance to last year's Bybit incident, which was allegedly linked to a North Korean hacking group (DPRK). He called on the industry to enhance endpoint detection capabilities and adopt hardware-supported plaintext signatures to mitigate operational risks.

Uniswap founder Hayden Adams emphasized that centralized projects must stop calling themselves DeFi; if admin keys can drain all funds, then it is essentially CeFi. Chaos Labs founder Omer Goldberg added that Drift Protocol’s signing keys have full control over market creation, oracle allocation, and withdrawal limits, lacking a timelock. Reportedly, the attacker completed the fund theft in approximately 10 seconds.

Fund tracking and subsequent reactions

On-chain tracking shows that the suspected attacker address (HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES) quickly transferred/exchanged funds after the attack and moved them cross-chain to Ethereum via Wormhole. Some USDC was transferred through the Circle CCTP bridge, but Circle failed to freeze the flow of funds promptly, drawing criticism from Delphi Digital co-founder Tommy Shaughnessy and on-chain detective ZachXBT, who argued that Circle reacted slowly despite having centralized freezing capabilities.

Currently, Drift is collaborating with multiple security firms to investigate the root cause of the incident. They are also working with cross-chain bridges, exchanges, and law enforcement agencies to track and freeze stolen assets. Drift stated that they will release a more detailed post-mortem report in the coming days and welcome any information or leads related to the investigation.

14K Views