Drift Protocol $285m hack: compromised admin key drains Solana vaults

Drift Protocol suffered an estimated $285m exploit on April 1, one of the largest Solana DeFi hacks on record. The breach was not a smart-contract bug. Investigators say Drift Protocol’s admin key was compromised via social engineering and operational security failures, enabling attackers to bypass internal controls. On-chain activity unfolded in about 12 minutes across 31 transactions. Using the stolen administrator key, the attacker added a new spot market (CVT), then set extreme withdrawal limits (including USDC and four other markets) to facilitate fraudulent collateral withdrawal. The attacker drained nearly 20 vaults using the injected/forged collateral. Reported stolen assets across multiple tokens include USDC (~66.4m), JLP (~42.7m), MOODENG (~23.3m), USDT (~5.6m), USDS (~5.2m), JUP (~2.6m), RAY (583k), and WETH (477k). Some JLP may have been burned. PeckShield flagged suspicious on-chain conversions early, and later monitoring suggested laundering moves into ETH. The market reaction was immediate and risk-off for traders: SOL slid nearly 9% intraday, and DRIFT also dropped sharply as withdrawals accelerated and the protocol halted deposits/withdrawals. Solana Foundation leaders said the smart contract held up, but the real issue was targeting users. Wormhole warned that some cross-chain transfer processing could face delays even if Wormhole funds were not directly at risk.
Bearish
This is a direct security breach tied to Drift Protocol, and it triggered immediate user deleveraging: the platform halted deposits/withdrawals and traders rushed to withdraw. That dynamic typically increases short-term sell pressure on DRIFT and contagion concerns across Solana liquidity, which is consistent with SOL’s sharp intraday drop. In the short term, watch for ongoing solvency/withdrawal updates and potential “risk-off” positioning in Solana DeFi markets holding Drift collateral. In the longer term, even if smart contracts are reported to have withstood the attack, compromised key/operational-security incidents tend to keep risk premia elevated until governance, admin-key controls, and monitoring procedures are upgraded across connected venues.