On April 1, 2026, attackers drained approximately $285 million from Drift Protocol, the largest decentralized perpetual futures exchange on Solana. The exploit took roughly 12 minutes to execute. The preparation behind it took six months.
This is the largest DeFi hack of 2026 and the second-largest exploit in Solana’s history, behind only the $326 million Wormhole bridge attack in 2022. Blockchain analytics firms TRM Labs and Elliptic both attribute the attack to North Korean state-sponsored hackers.
How the Attack Worked
The attack combined three distinct failure points. Individually, each might have been caught; together, they proved catastrophic.
Fake collateral via oracle manipulation. The attacker created a fictitious token called CarbonVote Token, seeded it with a few thousand dollars in liquidity, and ran wash trades to create the appearance of price activity. Drift’s oracle system accepted the token as legitimate collateral. The attacker then borrowed against it as though it were worth hundreds of millions of dollars.
Durable nonces exploited for delayed execution. The attack used a Solana feature called durable nonces, which allow transactions to be pre-signed and held for later execution. The attacker secured two approvals from Drift’s five-member Security Council multisig using transactions that appeared routine but were pre-loaded with malicious instructions. Because durable nonces remain valid indefinitely, the attacker waited for the right moment to execute them, bypassing any time-based monitoring Drift had in place.
Governance takeover. With two of five Security Council votes secured, the attacker gained protocol-level administrative control. From that position, the rest of the drain was mechanical.
Most of the stolen funds were bridged to Ethereum within hours of the exploit, a common pattern in North Korean state-sponsored attacks designed to complicate recovery and freeze attempts.
What This Tells Us About DeFi Security
The Drift hack is not primarily a story about a single protocol failing. It is a story about structural risks that remain unresolved across DeFi.
Oracle security has been a known vulnerability since at least 2020, when flash loan attacks began targeting low-liquidity markets to manipulate prices. The Drift attack did not even require a flash loan. A few thousand dollars in fake liquidity was enough to fool the system. Protocols continue to onboard assets as collateral without rigorous standards for what counts as a trustworthy price feed.
Multisig governance is only as strong as the process around it. Having five signers is meaningless if two of them can be socially engineered into approving malicious transactions that appear routine. The durable nonce technique specifically exploits the gap between when a transaction is signed and when it is broadcast. Most multisig interfaces do not surface that distinction clearly to signers.
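One way a signing interface could surface that distinction, shown as an added example that is not code from Drift or from any multisig product: on Solana, a transaction uses a durable nonce when its first instruction is the System Program's AdvanceNonceAccount, so a pre-signing check can parse the serialized message and flag that it will not expire. The function names and the sample messages are constructed for illustration.

```javascript
// Added example: signer-side check on a serialized Solana transaction message.
const ADVANCE_NONCE_ACCOUNT = 4; // SystemInstruction discriminant, u32 little-endian
// compact-u16 length prefix used by the message wire format (1 to 3 bytes)
function readCompactU16(buf, pos) {
  let value = 0;
  for (let shift = 0; shift <= 14; shift += 7) {
    const b = buf[pos++];
    if (b === undefined) throw new Error("truncated message");
    value |= (b & 0x7f) << shift;
    if ((b & 0x80) === 0) return [value, pos];
  }
  throw new Error("invalid compact-u16");
}

// Returns whether the message is a durable-nonce transaction (no blockhash expiry).
function inspectMessage(msg) {
  let pos = msg[0] & 0x80 ? 1 : 0;      // versioned (v0) messages carry a prefix byte
  pos += 3;                             // header: signer and read-only counts
  let nKeys, nIx, nAcc, nData;
  [nKeys, pos] = readCompactU16(msg, pos);
  const keysStart = pos;
  pos += 32 * nKeys + 32;               // account keys, then blockhash-or-nonce field
  [nIx, pos] = readCompactU16(msg, pos);
  if (nIx === 0) return { durableNonce: false, nonceAccountIndex: null };
  // Only the first instruction can mark a transaction as nonce-based.
  const programIdx = msg[pos++];
  [nAcc, pos] = readCompactU16(msg, pos);
  const accounts = msg.subarray(pos, pos + nAcc);
  [nData, pos] = readCompactU16(msg, pos + nAcc);
  if (programIdx >= nKeys || pos + nData > msg.length) throw new Error("malformed message");
  const data = msg.subarray(pos, pos + nData);
  const program = msg.subarray(keysStart + 32 * programIdx, keysStart + 32 * programIdx + 32);
  const isSystem = program.every((b) => b === 0);   // System Program id is 32 zero bytes
  const isAdvance = nData >= 4 && data[0] === ADVANCE_NONCE_ACCOUNT && !(data[1] | data[2] | data[3]);
  const durableNonce = isSystem && isAdvance && nAcc >= 1;
  return { durableNonce, nonceAccountIndex: durableNonce ? accounts[0] : null };
}

// Constructed sample messages (not real transactions): 4 keys, one instruction.
const key = (b) => new Array(32).fill(b);
const sampleMessage = (ixData) => Uint8Array.from([
  1, 0, 2,                                          // header
  4, ...key(1), ...key(2), ...key(3), ...key(0),    // last key = System Program
  ...key(9),                                        // blockhash-or-nonce field
  1, 3, 3, 1, 2, 0,                                 // 1 ix: program idx 3, accounts 1,2,0
  ixData.length, ...ixData,
]);
const NONCE_MSG = sampleMessage([4, 0, 0, 0]);      // AdvanceNonceAccount
const PLAIN_MSG = sampleMessage([2, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0]); // Transfer
console.log(inspectMessage(NONCE_MSG), inspectMessage(PLAIN_MSG));
```

The Solana runtime also requires the nonce account to be writable; this check omits that condition, so it errs toward flagging. A signing UI can use the result to warn that the approval stays executable until the nonce is advanced.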
Finally, the six-month preparation window highlights how patient and methodical state-sponsored threat actors are. These are not opportunistic script attacks. They involve prolonged reconnaissance, custom tooling, and careful timing. Most protocol security audits do not model this threat profile.
What Happens Next
Drift suspended deposits and withdrawals immediately after the exploit was detected. The team has not yet announced a recovery plan or any form of compensation for affected users.
The pattern after large DeFi hacks has become familiar: an incident report, a governance vote on compensation, and months of legal uncertainty around recovered funds. Whether that plays out here depends partly on whether any of the stolen assets can be frozen before the laundering process is complete.
For the broader Solana DeFi ecosystem, the more pressing question is whether other protocols are running similar oracle configurations or multisig setups that could be exploited through the same durable nonce technique. Given that this feature is native to Solana and widely used, the answer is probably yes.
The Drift hack is a useful stress test of where DeFi security standards actually stand in 2026. The results are not encouraging.