On April 1, 2026, Drift Protocol - the largest decentralized perpetual futures exchange on Solana - lost $285 million in user funds in roughly 12 minutes. It is the biggest DeFi exploit of 2026, and the second-largest in Solana’s history behind only the $326 million Wormhole bridge hack in 2022.
What makes this attack stand out is not the size alone. It is the method: no smart contract bug, no zero-day vulnerability in Solana itself. The attacker combined a fake token, manipulated oracles, and a hijacked governance structure to walk away with nearly a third of a billion dollars.
The Setup: A Fake Token as Collateral
Weeks before the exploit, on March 11, a wallet received 10 ETH from Tornado Cash. The funds were quiet for a day, then moved to deploy a new token: CarbonVote Token (CVT).
CVT had no real value. The attacker seeded it with a small amount of liquidity and ran wash trades to simulate volume. Drift’s oracle system, which prices assets to determine collateral eligibility, treated CVT as a legitimate asset. At peak manipulation, the protocol valued CVT holdings at hundreds of millions of dollars in collateral.
That fictitious collateral became the key to the vault.
The Attack: Oracle Manipulation and Governance Hijack
Once CVT registered as valid collateral in Drift’s system, the attacker borrowed real assets against it. But removing $285 million in one shot required disabling the protocol’s safeguards.
Drift’s Security Council existed to catch exactly this kind of emergency. The attacker dismantled it through social engineering: convincing multisig signers to pre-sign hidden authorizations. With those signatures in hand, the attacker executed a governance migration with zero timelock, stripping out the Security Council’s ability to intervene in real time.
From that point, the drain was straightforward. Around $285 million in assets left Drift in approximately 12 minutes. Most were bridged from Solana to Ethereum within hours, making recovery significantly harder.
Attribution
Blockchain analytics firm TRM Labs linked the attack pattern to North Korean state-sponsored hackers based on staging behavior, timing relative to Pyongyang business hours, and wallet movement patterns consistent with prior DPRK-linked exploits. The March 12 movement of funds - around 9 AM Pyongyang time - matches the working cadence seen in previous attacks attributed to the Lazarus Group.
Market Fallout
Drift’s total value locked dropped from roughly $550 million to under $300 million within an hour of the exploit being confirmed. The DRIFT governance token fell more than 40% in the same window. The protocol suspended deposits and withdrawals shortly after the attack was identified.
What This Means for DeFi Security
The Drift hack exposes two vulnerabilities that are harder to audit than code: oracle design and governance structure.
Oracle systems that accept new or thinly traded tokens as collateral without sufficient verification windows or circuit breakers create an obvious attack surface. If an asset can be manufactured and immediately used as collateral, the protocol is only as secure as its price feeds.
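The collateral gate that paragraph argues for, as an added example (not Drift's code and not from the article's sources): a verification window, a liquidity floor, a spot-versus-TWAP circuit breaker, and a credit cap tied to pool depth. Every struct, field and threshold here is an assumption chosen for illustration.

```rust
// Added illustration: names and thresholds are assumptions, not Drift's code.
#[derive(Debug, PartialEq)]
pub enum Reject { TooNew, ThinLiquidity, PriceDeviation }

pub struct Asset {
    pub listed_at: u64,      // unix seconds when the market was first observed
    pub pool_liquidity: u64, // USD depth actually available to sell into
    pub spot_price: u64,     // latest oracle price, micro-USD per token
    pub twap_price: u64,     // long-window time-weighted average, micro-USD
}

pub struct Policy {
    pub min_age_secs: u64,      // verification window before any collateral use
    pub min_liquidity: u64,     // USD floor for eligibility
    pub max_deviation_bps: u64, // circuit breaker: allowed spot vs TWAP gap
    pub max_share_bps: u64,     // credit capped as a share of pool liquidity
}

/// USD collateral credit for `amount` whole tokens, or the reason for refusal.
pub fn collateral_credit(a: &Asset, p: &Policy, amount: u64, now: u64) -> Result<u64, Reject> {
    if now.saturating_sub(a.listed_at) < p.min_age_secs {
        return Err(Reject::TooNew);
    }
    if a.pool_liquidity < p.min_liquidity {
        return Err(Reject::ThinLiquidity);
    }
    // Circuit breaker: refuse while spot has run away from the long-window average.
    let diff = a.spot_price.abs_diff(a.twap_price) as u128;
    if a.twap_price == 0 || diff * 10_000 > a.twap_price as u128 * p.max_deviation_bps as u128 {
        return Err(Reject::PriceDeviation);
    }
    // Mark at the lower of spot and TWAP so a pumped spot adds no credit.
    let price = a.spot_price.min(a.twap_price) as u128;
    let marked = amount as u128 * price / 1_000_000;
    let cap = a.pool_liquidity as u128 * p.max_share_bps as u128 / 10_000;
    Ok(marked.min(cap) as u64)
}

fn main() {
    // Constructed sample: a three-week-old token with thin depth and a pumped price.
    let p = Policy { min_age_secs: 90 * 86_400, min_liquidity: 5_000_000,
                     max_deviation_bps: 500, max_share_bps: 1_000 };
    let fake = Asset { listed_at: 0, pool_liquidity: 50_000,
                       spot_price: 2_000_000, twap_price: 1_900_000 };
    println!("{:?}", collateral_credit(&fake, &p, 150_000_000, 21 * 86_400));
}
```

The cap is what bounds the loss if the other checks are passed: even a token that clears the age, depth and deviation tests can never earn more credit than a fixed share of the liquidity it could actually be sold into.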
The governance hijack is more troubling. Multisig security assumes that key holders will recognize suspicious requests. Social engineering bypasses that assumption entirely. A zero-timelock migration means there is no window for the community or a security council to respond once bad actors have the necessary signatures.
Several Solana-based protocols have already announced audits of their oracle configurations and governance timelock parameters in the days since the exploit. Expect those conversations to spread across DeFi more broadly.
For users, the episode reinforces a basic rule that the space keeps relearning: protocols with large TVL are high-value targets, and the attack surface extends far beyond the smart contract code itself.