#DriftProtocolExploited
On April 1, 2026, Solana-based decentralized exchange Drift Protocol suffered a sophisticated exploit resulting in losses of approximately $285 million, marking the year’s largest crypto hack. The attack, which occurred on April Fool’s Day, prompted the team to stress that the incident was “not an April Fool’s joke” as they urged users to stop interacting with the protocol.
The exploit was a meticulously planned combination of privilege escalation and price manipulation. According to on-chain security firm SlowMist, the critical vulnerability originated approximately one week before the attack when Drift altered its multi-signature mechanism to a “2/5” configuration without implementing a timelock protection. This security gap allowed the attacker to compromise an admin key after gaining access to a new signer’s private key.
With administrative privileges secured, the attacker executed a multi-stage plan: creating a fake “CarbonVote Token” (CVT), minting around 750 million units and seeding a small liquidity pool to artificially build a $1 price history that oracles began treating as legitimate. On April 1, using the compromised admin key, the attacker listed CVT as a valid market on Drift, raised withdrawal limits to extreme levels, and deposited hundreds of millions of CVT tokens as collateral. Based on the manipulated oracle price, this inflated collateral allowed the attacker to execute 31 rapid withdrawals within approximately 12 minutes, draining real assets including USDC, SOL, and JLP tokens.
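The two signals in this account, privileged changes taking effect with no timelock delay and a burst of 31 withdrawals in about 12 minutes, can both be checked from event data. The following monitor is an added example, not code from Drift or SlowMist; the event schema, action names, thresholds, account labels and timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

MIN_TIMELOCK = timedelta(hours=24)    # assumed policy, not a Drift parameter
BURST_WINDOW = timedelta(minutes=15)  # assumed sliding window
BURST_LIMIT = 10                      # assumed max withdrawals per account per window
SENSITIVE = {"list_market", "raise_withdraw_limit"}  # hypothetical action names

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample events (hypothetical schema; not real on-chain data).
ADMIN_EVENTS = [
    {"action": "list_market", "proposed": "2026-04-01T10:00:00", "executed": "2026-04-01T10:00:05"},
    {"action": "raise_withdraw_limit", "proposed": "2026-04-01T10:01:00", "executed": "2026-04-01T10:01:04"},
    {"action": "update_fee", "proposed": "2026-03-20T09:00:00", "executed": "2026-03-22T09:00:00"},
]
# 31 withdrawals spaced 23 s apart (about 12 minutes), plus one ordinary user.
WITHDRAWALS = [{"account": "acct_A", "time": (ts("2026-04-01T10:05:00") + timedelta(seconds=23 * i)).isoformat()}
               for i in range(31)]
WITHDRAWALS.append({"account": "acct_B", "time": "2026-04-01T10:06:00"})

def timelock_violations(events, min_delay=MIN_TIMELOCK):
    """Sensitive admin actions executed sooner than min_delay after being proposed."""
    return [e["action"] for e in events
            if e["action"] in SENSITIVE and ts(e["executed"]) - ts(e["proposed"]) < min_delay]

def withdrawal_bursts(withdrawals, window=BURST_WINDOW, limit=BURST_LIMIT):
    """Accounts with more than `limit` withdrawals in any `window`; returns {account: peak count}."""
    by_acct = {}
    for w in withdrawals:
        by_acct.setdefault(w["account"], []).append(ts(w["time"]))
    flagged = {}
    for acct, times in by_acct.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[acct] = peak
    return flagged

def correlate(events, withdrawals):
    """Mark the situation critical when both signals are present in the data."""
    v, b = timelock_violations(events), withdrawal_bursts(withdrawals)
    return {"timelock_violations": v, "bursts": b, "critical": bool(v and b)}

if __name__ == "__main__":
    print(correlate(ADMIN_EVENTS, WITHDRAWALS))
```

Either signal alone is worth an alert; treating the pair as critical reflects the sequence described here, where the unlocked admin changes were what made the withdrawals possible.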
The impact was devastating. Drift’s total value locked (TVL) plummeted from roughly $550 million to under $300 million in less than an hour, while the DRIFT token dropped over 40%. Multiple protocols with exposure to Drift liquidity paused operations, with losses ranging from over $900,000 for Ranger Finance to smaller exposures for platforms like PiggyBank_fi.