On April 1, 2026, Drift Protocol, one of Solana’s largest decentralized exchanges, lost approximately $285 million in user assets to a sophisticated attack that combined social engineering, a legitimate Solana feature, and a fabricated token. It is the biggest DeFi hack of the year and the second-largest exploit in Solana’s history, behind only the $326 million Wormhole bridge breach in 2022.
How the Attack Worked
Unlike most DeFi exploits, this one did not rely on a buggy smart contract or a stolen private key. Instead, the attacker weaponized a Solana convenience feature called durable nonces.
Normally, a signed Solana transaction expires if it is not submitted promptly. Durable nonces let developers pre-sign transactions and submit them later, a useful feature for institutional workflows and multisig operations. Between March 23 and March 30, the attacker quietly created a network of durable nonce accounts linked to Drift’s Security Council multisig.
Through social engineering, they convinced multiple multisig signers to pre-approve what appeared to be routine administrative transactions. Those transactions carried hidden authorizations that granted the attacker full administrative control over the protocol.
The Fake Token Play
Gaining admin access was only part of the plan. To extract value at scale, the attacker also needed a way to manufacture collateral out of nothing.
They created a fictitious asset called CarbonVote Token, seeded it with a few thousand dollars of liquidity, and used wash trading to generate artificial price activity. Drift’s price oracles treated the token as legitimate collateral worth hundreds of millions of dollars. Once the token was listed, the attacker borrowed against this fabricated collateral and drained real assets from the protocol.
Within minutes, more than $285 million in USDC, SOL, JLP, and WBTC had been withdrawn. JLP tokens alone, the liquidity provider asset used in Jupiter’s perpetual trading pools, accounted for an estimated $155 to $159 million of the losses.
Attribution Points to North Korea
Blockchain analytics firm TRM Labs identified several on-chain indicators consistent with North Korean hacking groups. Analysts flagged the use of Tornado Cash for initial transaction staging, the deployment timing of the CarbonVote token at 09:30 Pyongyang Standard Time, familiar cross-chain bridging patterns, and the speed of post-hack laundering operations.
North Korean state-affiliated actors have been implicated in several of the largest crypto heists on record. The Lazarus Group alone is believed responsible for more than $3 billion in crypto theft over the past several years.
Market and Ecosystem Fallout
Drift’s total value locked collapsed from roughly $550 million to under $300 million in under an hour. The protocol’s native DRIFT token dropped more than 40% during the incident. The attack sent shockwaves through the broader Solana DeFi ecosystem, triggering a wave of precautionary deposit pauses across other Solana-based protocols.
On April 1, before the full scale of the damage was clear, Drift asked users to halt deposits and began investigating suspicious activity. By April 2, the protocol confirmed the full scope of the exploit.
What It Means for DeFi Security
The Drift attack highlights two problems that audits alone cannot fully address. First, social engineering against multisig signers can bypass even well-designed smart contract security. Second, oracle manipulation remains a persistent and underappreciated attack vector, particularly when governance processes allow new assets to be listed with minimal friction.
Durable nonces are a feature, not a flaw. But using them in a multisig governance context without strict verification procedures creates a window for exactly this kind of attack.
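One verification step a signer could run before approving anything, as an added example that is not from Drift or the original article: it parses a serialized legacy-format Solana message and reports whether the first instruction is the System Program's AdvanceNonceAccount, which is what makes a transaction durable, so that a signature on it does not expire. The helper names and the sample message with its filler keys are constructed for illustration.

```python
import struct

SYSTEM_PROGRAM = bytes(32)  # base58 "111...1" (32 ones) decodes to 32 zero bytes
ADVANCE_NONCE = 4           # SystemInstruction::AdvanceNonceAccount, encoded as u32 LE

def shortvec(buf, pos):
    """Decode Solana's compact-u16 length prefix; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def durable_nonce_info(message: bytes):
    """Return the nonce account and authority (hex) if this message is a
    durable-nonce transaction, else None. Only the FIRST instruction counts."""
    if message[0] & 0x80:
        raise ValueError("versioned message: not handled here, refuse to sign blind")
    n_keys, pos = shortvec(message, 3)          # skip the 3-byte header
    keys = [message[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys + 32                     # keys, then blockhash/nonce field
    n_ix, pos = shortvec(message, pos)
    if n_ix == 0:
        return None
    program_idx, pos = message[pos], pos + 1
    n_accts, pos = shortvec(message, pos)
    accts, pos = list(message[pos:pos + n_accts]), pos + n_accts
    data_len, pos = shortvec(message, pos)
    data = message[pos:pos + data_len]
    if (keys[program_idx] != SYSTEM_PROGRAM or n_accts < 3
            or data_len != 4 or struct.unpack("<I", data)[0] != ADVANCE_NONCE):
        return None
    # Account order: nonce account, RecentBlockhashes sysvar, nonce authority
    return {"nonce_account": keys[accts[0]].hex(),
            "nonce_authority": keys[accts[2]].hex()}

def sample_message(discriminant):
    """Constructed one-instruction message; keys are filler bytes, not real accounts."""
    keys = b"\x01" * 32 + b"\x02" * 32 + b"\x03" * 32 + SYSTEM_PROGRAM
    instruction = bytes([3, 3, 1, 2, 0, 4]) + struct.pack("<I", discriminant)
    return bytes([1, 0, 2, 4]) + keys + b"\xaa" * 32 + bytes([1]) + instruction

if __name__ == "__main__":
    print(durable_nonce_info(sample_message(ADVANCE_NONCE)))  # durable: flag it
    print(durable_nonce_info(sample_message(2)))              # ordinary: None
```

A non-None result means the signature stays usable until the nonce is advanced, so the signer should confirm who controls the reported nonce authority and review every remaining instruction before approving.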
The DeFi industry has made meaningful progress on smart contract security. The harder problem, securing the humans and processes that govern these protocols, remains largely unsolved.