Drift Protocol Hack Drains $286M in 12 Minutes on Solana
On April 1, 2026, the Drift Protocol hack hit the Solana DeFi sector hard: attackers drained about $286 million from Drift in roughly 12 minutes. Drift is the largest decentralized perpetual futures exchange on Solana.
Drift reported TVL falling from ~$550M to under ~$250M, with TVL later around $232M. The DRIFT token reportedly dropped as much as 37%–42%, bottoming near $0.04–$0.05.
Investigators say the Drift Protocol hack began not with a code exploit but with funds from Tornado Cash: ETH was withdrawn from Tornado Cash (Mar 11) and used to deploy a token (carbonvote/CVT) on Mar 12. Over the following weeks, attackers seeded minimal liquidity on Raydium and used wash trading to keep CVT near ~$1, tricking Drift’s oracles into treating the fake collateral as valid.
A key factor was governance: Drift’s team described a “durable nonce” attack that enabled attackers to pre-sign administrative actions through the Security Council multisig. The timelock was removed on Mar 27 (typically a 24–72 hour delay). With the delay gone, pre-signed transactions executed immediately on Apr 1—then attackers listed CVT as collateral, raised withdrawal limits, and deposited large CVT amounts to trigger real asset issuance.
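The failure chain described above (timelock removed, then sensitive admin actions and a thinly backed collateral listing executing with no delay) is the kind of sequence a governance monitor can flag. The following is an added example, not code from Drift or from the investigators; the event schema, field names and thresholds are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Policy thresholds: assumptions for this example, not Drift parameters.
MIN_TIMELOCK = timedelta(hours=24)   # low end of the 24-72 hour range cited above
MIN_TOKEN_AGE = timedelta(days=90)
MIN_POOL_LIQUIDITY_USD = 5_000_000
SENSITIVE = {"list_collateral", "raise_withdrawal_limit"}

def scan(events):
    """Return (timestamp, rule, detail) alerts for a time-ordered governance event stream."""
    alerts = []
    delay = None  # effective timelock, learned from set_timelock events
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        action = ev["action"]
        if action == "set_timelock":
            new = timedelta(hours=ev["delay_hours"])
            if delay is not None and new < delay:
                alerts.append((ts, "TIMELOCK_REDUCED", f"{delay} -> {new}"))
            delay = new
        elif action in SENSITIVE:
            # With no delay, a pre-signed admin transaction takes effect the moment it lands.
            if delay is not None and delay < MIN_TIMELOCK:
                alerts.append((ts, "ADMIN_ACTION_WITHOUT_DELAY", action))
            if action == "list_collateral":
                age = ts - datetime.fromisoformat(ev["token_created"])
                liq = ev["pool_liquidity_usd"]
                if age < MIN_TOKEN_AGE or liq < MIN_POOL_LIQUIDITY_USD:
                    detail = f"{ev['token']} age={age.days}d liquidity=${liq:,}"
                    alerts.append((ts, "WEAK_COLLATERAL", detail))
    return alerts

# Constructed events: dates follow the article; hours, the initial delay and amounts are made up.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T00:00:00", "action": "set_timelock", "delay_hours": 48},
    {"ts": "2026-03-27T10:00:00", "action": "set_timelock", "delay_hours": 0},
    {"ts": "2026-04-01T12:00:00", "action": "list_collateral", "token": "CVT",
     "token_created": "2026-03-12T00:00:00", "pool_liquidity_usd": 20_000},
    {"ts": "2026-04-01T12:01:00", "action": "raise_withdrawal_limit"},
]

if __name__ == "__main__":
    for ts, rule, detail in scan(SAMPLE_EVENTS):
        print(ts.isoformat(), rule, detail)
```

On the constructed sample, the first alert fires on Mar 27, five days before any funds move, which is the window in which a reduced timelock could have been investigated.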
Stolen proceeds were reportedly converted and routed quickly via Jupiter, bridges to Ethereum, and further swaps (including through Hyperliquid and Binance). Security firms Elliptic and TRM Labs attribute the operation to DPRK-linked Lazarus Group activity.
Contagion risks followed: multiple DeFi protocols paused or disabled key functions (e.g., Carrot and Pyra), and some users faced access issues. As of Apr 3, no full reimbursement plan was publicly confirmed.
Bearish
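This Drift Protocol hack is a high-impact DeFi incident of the "governance/permission failure + pre-signed transactions bypassing the delay" type. In the short term, the rapid collapse of Drift's TVL and the sharp drop in the DRIFT token will typically suppress market risk appetite and raise the security premium priced into the perpetual futures and collateralized lending sectors (capital tends to flow toward more conservative protocols). At the same time, several protocols being forced to pause withdrawals amplifies the association with "similar risks", making traders more inclined to reduce positions, wait on the sidelines, or rotate into assets with higher liquidity or stronger risk controls.
In the medium term, the market tends to focus on "whether the timelock can be removed, how permissions are tiered, and how pre-signing mechanisms are audited". If regulators or the industry push for a security baseline, sentiment may fall first and then stabilize in the short term, but capital will flow out of protocols with lower governance transparency or missing delay mechanisms, producing structural divergence.
Historically, similar bridge/protocol theft incidents (e.g., Ronin) usually produce panic and spreading volatility in the first few days, then enter a "tracing, rollback/compensation, rebuilding" phase. If Drift is slow to announce a credible recovery and compensation path, sentiment and liquidity pressure may persist longer; conversely, if it can quickly clarify the loss boundary and the compensation plan, the market decline may gradually ease after risk is assessed.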