$285 million was drained in 12 minutes, not because of a bug, but because the system trusted humans more than it should have.
On April 1, 2026, Drift Protocol, the largest perpetual DEX on Solana, was exploited for $285M. The protocol had around $550M in total value locked before the attack, and more than half of that was effectively wiped out in minutes.
The important part is this: nothing was broken at the code level. There was no smart contract bug. The system behaved exactly as designed.
At the same time, the attackers created a fake token called CVT. They minted 750 million tokens, added minimal liquidity, and used wash trading to make it appear like a real $1 asset. The protocol’s oracle system accepted this pricing as valid because there were no strict liquidity or validation checks in place.
When everything was ready, the execution took about 12 minutes.
They used the pre-approved transactions to take control of governance, listed the fake token as collateral, manipulated its price through their own oracle, and raised withdrawal limits to effectively remove all risk controls. Then they deposited the fake collateral and borrowed real assets against it across multiple vaults.
A total of 31 transactions drained around $285 million in assets including USDC, ETH, SOL-based tokens, and others.
Within hours, the funds were moved across chains. The attackers swapped assets to USDC, bridged over $200M to Ethereum through more than 100 transactions, converted it into roughly 129,000 ETH, and split the funds across multiple wallets.
The attack was linked to the Lazarus Group, which has stolen over $6B from crypto ecosystems in recent years.
This was not a failure of blockchain technology. It was a failure of governance design and human trust.
It was a combination of:
• Long-term social engineering
• Pre-approved governance access
• Fake collateral that passed system checks
• Immediate execution with no delay safeguards
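The last two items, fake collateral passing checks and execution with no delay, are the gaps a listing gate can close. The sketch below is an added example, not Drift's code: the `Listing` fields, the `admit` function and every threshold are assumptions chosen for illustration.

```rust
// Added illustration: thresholds and field names are assumptions, not Drift's parameters.
#[derive(Debug, PartialEq)]
pub enum Reject { TimelockPending, ThinLiquidity, FewTraders }

pub struct Listing {
    pub oracle_price_micro_usd: u64, // oracle price, 1_000_000 = $1.00
    pub supply: u64,                 // tokens minted
    pub pool_liquidity_usd: u64,     // real assets backing the market
    pub distinct_traders: u32,       // unique counterparties in the price window
    pub queued_at: u64,              // unix time the governance action was queued
}

pub const TIMELOCK_SECS: u64 = 48 * 3600;   // assumed delay before execution
pub const MIN_LIQUIDITY_USD: u64 = 5_000_000;
pub const MAX_CAP_TO_LIQUIDITY: u128 = 20;  // implied market cap vs. real depth
pub const MIN_TRADERS: u32 = 200;

/// Returns the maximum USD value the protocol may credit against this asset.
pub fn admit(l: &Listing, now: u64) -> Result<u64, Reject> {
    // A pre-signed governance action still has to wait out the delay.
    if now < l.queued_at.saturating_add(TIMELOCK_SECS) {
        return Err(Reject::TimelockPending);
    }
    // A price is only meaningful if the market could absorb a liquidation.
    let implied_cap = l.oracle_price_micro_usd as u128 * l.supply as u128 / 1_000_000;
    if l.pool_liquidity_usd < MIN_LIQUIDITY_USD
        || implied_cap > l.pool_liquidity_usd as u128 * MAX_CAP_TO_LIQUIDITY
    {
        return Err(Reject::ThinLiquidity);
    }
    // A handful of wallets trading with each other is not price discovery.
    if l.distinct_traders < MIN_TRADERS {
        return Err(Reject::FewTraders);
    }
    // Credit at most a quarter of the depth that actually exists.
    Ok(l.pool_liquidity_usd / 4)
}

fn main() {
    // Constructed sample: 750M tokens at $1 (from the article); liquidity,
    // trader count and timestamps are made up for the demonstration.
    let cvt_like = Listing { oracle_price_micro_usd: 1_000_000, supply: 750_000_000,
        pool_liquidity_usd: 50_000, distinct_traders: 6, queued_at: 1_000 };
    println!("{:?}", admit(&cvt_like, 1_000 + 12 * 60));        // inside the delay
    println!("{:?}", admit(&cvt_like, 1_000 + TIMELOCK_SECS));  // after the delay
}
```

With these checks the listing is refused twice over: first by the delay, then by the liquidity test once the delay has passed.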