Drift Protocol, one of Solana’s largest perpetual futures exchanges, lost $285 million on April 1 in what has become the biggest DeFi exploit of 2026. The attack exploited a legitimate Solana transaction feature called durable nonces and took roughly 12 minutes to execute after weeks of preparation.

What Happened

The attack began on March 11 when the exploiter withdrew 10 ETH from Tornado Cash and used those funds to deploy a fictitious asset called CarbonVote Token (CVT), minting approximately 750 million units. That token had no legitimate backing - it existed solely to manipulate a governance vote.

By the time the attack launched on April 1, the attacker had used CVT to take control of Drift’s Security Council, the multisig body responsible for administrative actions over the protocol’s vaults. From there, the attacker drained roughly 20 vaults containing USDC, WBTC, WETH, JUP, USDT, and several other assets.

The Durable Nonce Angle

Solana’s durable nonces allow transactions to be signed offline and submitted at a later time, bypassing the typical short expiration window on standard Solana transactions. The feature is legitimate and commonly used for offline signing, complex multisig workflows, and scheduled transactions.

In this case, the attacker appears to have obtained pre-signed administrative approvals ahead of execution, likely through social engineering of Security Council signers. When the governance manipulation was complete, those pre-signed transactions were ready to execute immediately.

The result was a near-instant vault drain. TRM Labs estimated the full drain took about 12 minutes. Within hours, the exploiter had swapped $270.9 million into USDC, bridged the funds from Solana to Ethereum via CCTP TokenMessengerMinterV2, and converted them into approximately 129,000 ETH spread across multiple wallets.

Attribution

TRM Labs assessed the hack was “likely perpetrated by North Korean hackers,” citing on-chain staging patterns consistent with previous Lazarus Group-linked operations. If confirmed, it fits a clear pattern: North Korean actors have been responsible for a substantial share of high-value crypto theft over the past several years, with proceeds funding the state’s weapons programs.

The Drift exploit ranks as the second-largest in Solana’s history, behind only the $326 million Wormhole bridge hack in 2022.

What This Reveals About DeFi Security

The attack surfaces a problem that has followed DeFi since its earliest days: the gap between technical security and operational security. Drift’s smart contracts were not directly exploited. The protocol’s code did not have a bug in the traditional sense. Instead, the attack moved through governance infrastructure and human-level processes.

Multisig schemes are widely regarded as a security standard in DeFi, but they depend entirely on the integrity of the signing parties and the processes around them. Pre-signed transactions, if handled without strict controls, create a window for exactly this type of attack. A signer who is socially engineered, phished, or otherwise compromised can inadvertently arm an attacker weeks in advance.

Durable nonces add flexibility to Solana’s transaction model, but that flexibility creates audit challenges. Standard transaction monitoring tools are not designed to track pre-signed transaction packages that sit dormant before execution.
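
As an added example (not code from Drift, TRM Labs or any Solana tool), the following Python shows the check a signing workflow or monitor can apply to the durable-nonce mechanism described above: a transaction is durable-nonce only when its first instruction is the System Program's AdvanceNonceAccount (tag 4), so such transactions can be flagged before privileged keys sign them. The Ix/Tx classes, the watchlists and every address except the System Program ID are hypothetical placeholders.

```python
import struct
from dataclasses import dataclass

SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE = 4  # SystemInstruction::AdvanceNonceAccount (u32 little-endian tag)

@dataclass
class Ix:  # simplified decoded instruction (assumed shape, not an RPC format)
    program_id: str
    accounts: list
    data: bytes

@dataclass
class Tx:  # simplified decoded transaction (assumed shape)
    signers: list
    instructions: list

def durable_nonce(tx):
    """Return (nonce_account, nonce_authority), or None for an ordinary transaction."""
    # Only an AdvanceNonceAccount in the FIRST instruction slot counts.
    first = tx.instructions[0] if tx.instructions else None
    if first is None or first.program_id != SYSTEM_PROGRAM or len(first.data) < 4:
        return None
    if struct.unpack_from("<I", first.data)[0] != ADVANCE_NONCE or len(first.accounts) < 3:
        return None
    # Account order: nonce account, RecentBlockhashes sysvar, nonce authority
    return first.accounts[0], first.accounts[2]

def review(tx, watched_signers, watched_programs):
    """Flag non-expiring transactions that carry privileged signatures or calls."""
    nonce = durable_nonce(tx)
    if nonce is None:
        return None
    signers = sorted(set(tx.signers) & watched_signers)
    programs = sorted({i.program_id for i in tx.instructions[1:]} & watched_programs)
    if not signers and not programs:
        return None
    # The signatures stay valid until the nonce is advanced, and only the nonce
    # authority can do that; if it is not a watched key, signers cannot revoke.
    return {"nonce_account": nonce[0], "privileged_signers": signers,
            "privileged_programs": programs, "signers_can_revoke": nonce[1] in watched_signers}

# Constructed sample data; all names below are placeholders, not real addresses.
WATCHED_SIGNERS = {"COUNCIL_SIGNER_A", "COUNCIL_SIGNER_B"}
WATCHED_PROGRAMS = {"ADMIN_PROGRAM_PLACEHOLDER"}
ADVANCE = Ix(SYSTEM_PROGRAM, ["NONCE_ACCT", "RECENT_BLOCKHASHES_SYSVAR", "OUTSIDE_AUTHORITY"],
             struct.pack("<I", ADVANCE_NONCE))
ADMIN_CALL = Ix("ADMIN_PROGRAM_PLACEHOLDER", ["VAULT_PLACEHOLDER"], b"\x00")
DORMANT_ADMIN_TX = Tx(["OUTSIDE_AUTHORITY", "COUNCIL_SIGNER_A"], [ADVANCE, ADMIN_CALL])
ORDINARY_ADMIN_TX = Tx(["COUNCIL_SIGNER_A"], [ADMIN_CALL])
```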

Broader Context

The exploit hit as crypto markets were already under pressure. Bitcoin tested the $65,800 support level earlier this week, and the broader market fear index hit its lowest point in two years. A $285 million drain from a major DeFi platform added another layer of uncertainty to an already cautious market.

Drift has told users to halt deposits while it investigates. No recovery mechanism or white-hat negotiation has been announced as of publication.

For DeFi protocols managing large on-chain treasuries, the attack is a pointed reminder that governance security and operational procedures are as important as audited code.