On April 2, 2026, a series of events surrounding the Drift Protocol and its token DRIFT rapidly unfolded in the East Eight Zone market: on one hand, the protocol disclosed its encounter with a new type of attack based on a durable nonce, while on the other hand, leading Korean exchanges Upbit and Bithumb almost simultaneously listed DRIFT as a warning project. As Upbit suspended DRIFT deposits and withdrawals, and labeled several trading pairs with risk tags, the compliance and survival environment of DRIFT in the Korean market was instantly spotlighted. This article focuses on how this warning activated exchange cooperation through the DAXA self-discipline mechanism, as well as the real impact and long-term pricing logic of such mechanisms on project parties and ordinary users.

Deposit and withdrawal emergency stop: DRIFT pushed into the warning zone

On April 2, Upbit announced that, due to risk factors, it had suspended DRIFT's deposit and withdrawal services, and emphasized that when conditions allowed, it would prioritize the restoration of withdrawals to ensure that existing token holders had an orderly exit channel. This wording itself reveals the sorting logic from the exchange's risk control side: first tightly close the “money gate,” and then try to leave a retreat for users who are already in the market. It creates a clear blockage for new funds while providing limited liquidity buffering for existing positions.

At the same time, according to a single source disclosure, multiple trading pairs such as DRIFT/KRW, DRIFT/BTC, DRIFT/USDT were marked as warning status on Upbit, but had not yet been directly delisted, allowing users to trade under risk warnings. This "labeled and tradable" status means that DRIFT is considered to have risks of a less-than-usual level, but has not yet reached the extreme threshold for immediate delisting. For ordinary traders, a red warning label translates to a forced reminder of "risk at their own expense" before each order.

Bithumb also concurrently listed DRIFT as a warning project, creating a highly consistent risk signal on the same token across Korea's two major platforms. Under this coordinated action, both the off-market credit and on-market liquidity of DRIFT in South Korea have been doubly compressed. It is important to emphasize that a trading warning does not equal an immediate delisting, but transforms risk from "invisible accumulation" to "explicit exposure" through a complete set of liquidity and cognitive management means such as suspending deposits, prioritizing withdrawals, and adding labels, forcing users to reevaluate their positions under fully informed circumstances.

Durable nonce attack and the shadow of the Solana tech stack

On the same day as the exchange actions, the Drift Protocol official disclosed in a statement that it had encountered a new type of attack based on the durable nonce mechanism. According to the project party's wording in the security statement, this attack was described as “highly complex” and “prepared for weeks,” aiming to emphasize that the event was not caused by a lack of basic security awareness or low-level negligence, but rather stemmed from a deep exploitation of the underlying mechanism. While intentionally downplaying “low-level errors,” it also highlighted the level of professionalism from the attackers in terms of technology and preparation.

The project party clearly characterizes the incident as a new type of security threat, bringing the focus back to the Solana related tech stack itself: as a special signature and transaction confirmation mechanism, once a durable nonce is exploited, it may expose previously underappreciated risks in the aspects of transaction replay, signature validity period, and off-chain coordination. This is not just an issue of a single protocol, but involves the security boundaries of the entire ecosystem in complex signature and state management.

From the timeline, the security incident disclosure and the Korean exchanges' warnings for DRIFT are highly concurrent. However, the current public information cannot confirm a direct linear causality between the two, and they can only be viewed as a strongly correlated “same-day resonance”—the security incident heightened the sensitivity of regulators and platforms to the related token, while the exchanges' risk response completed this technological incident's “financialized pricing” at a market level. The technical vulnerability rapidly spread from the code layer to the token layer, translating the originally abstract security issue into realistic consequences of price discounts, liquidity contraction, and credit weakening.

DAXA warning mechanism activated: how the self-discipline alliance amplifies risk signals

In Upbit's announcement, there was a key statement: “DRIFT has been listed as a trading warning project by DAXA member companies.” This means that the warning decision was not a one-time action by a single platform, but a alliance consensus at the level of the Korean digital asset trading self-discipline organization DAXA. DAXA includes major exchanges, including Upbit and Bithumb, whose presence is often amplified only during significant risk events and project disposals.

Unlike traditional “one-size-fits-all” delisting, DAXA usually adopts a tiered control approach for tokens listed as warning projects: first, increase the risk control level through trading warnings, restricting certain functions, adjusting margin parameters, etc., and then, depending on subsequent disclosures and market feedback, decide whether to escalate measures. DRIFT is currently in the “warning and tightening” stage of this tiered mechanism, rather than a final complete delisting.

In the case of DRIFT, the DAXA-level “warning” can be understood as a unified risk control level command: member platforms need to adjust the risk parameters of the token in their internal models, raising the warning intensity for users while compressing potential new exposures. However, whether it will further escalate to ceasing trading or delisting is still a matter to be verified at this stage and cannot be written as a fait accompli. This state of “not excluding but not yet implementing” itself constitutes a systematic pressure on the project party, requiring it to provide more convincing actions in disclosure, audit, and remediation.

It is precisely this alliance-style decision-making model that has transformed a security incident focused on a single protocol into a consensus restructuring and risk repricing process for the entire industry. DAXA's involvement makes the issue of “a particular project encountering problems” rapidly become a topic of “how all major platforms should uniformly respond to such risks,” where project parties no longer face a negotiation table with a single exchange, but rather a self-discipline framework with more systemic constraints.

Tug-of-war between project parties and exchanges: clashing of safety rhetoric and risk preferences

In the narrative of the security incident, Drift Protocol deliberately emphasizes the “high complexity” and “long-term preparation” of the attack, attempting to convey the message that the protocol team is neither lacking awareness nor disorganized, but rather encountered unexpectedly advanced opponents. This rhetoric helps maintain a certain reputation in the technical community, yet from the perspective of regulatory agencies and exchanges, it can easily be interpreted as “high attack threshold, difficult detection, greater uncertainty in the future,” thus amplifying the perceived risk rather than completely alleviating pressure.

The exchanges, on the other hand, operate on a different level of negotiation: on one hand, they need to protect user asset safety to the greatest extent and avoid becoming secondary victims of security incidents; on the other hand, they must maintain basic market liquidity to prevent excessive handling from triggering unnecessary panic risks. Thus, we see Upbit’s typical “freeze entry first, then guide exit” approach—suspending deposits and withdrawals first to immediately block new uncertain exposures, then prioritizing the restoration of withdrawals when conditions allow, allowing willing users to exit in an orderly manner.

When DAXA members acted collectively to unify DRIFT's inclusion in the trading warning list, this risk control preference was further strengthened into a systemic signal: in the face of high uncertainty security incidents, “better to overreact than to risk hesitation” aligns more closely with the survival logic of mainstream platforms. For project parties, this means that subsequent disclosures, technological fixes, third-party audits, and even the communication rhythm with self-discipline organizations will directly influence whether the token can exit the warning list.

Throughout this process, the technical analysis from the security research team, the external rhetoric from project operations, model adjustments from exchange risk control departments, and the coordinating role of self-discipline organizations like DAXA jointly shaped the narrative direction of the entire incident. For the market, it's no longer just a single-point “hacking incident,” but a complete chain from code vulnerabilities to alliance warnings, from project justifications to platform interactions, with investor sentiment being continuously reconstructed within.

From a warning to long-term pricing: a turning point in safety preference in the Korean market

DRIFT being listed as a trading warning project clearly shows the attitude of South Korea's mainstream exchanges towards new types of security attacks: zero tolerance for technical unknowns, fast response to risk exposures. In this process, the DAXA self-discipline mechanism acts as an amplifier: once a project triggers a sensitive threshold in technical safety, its fate will be upgraded from individual platform case judgments to unified handling under alliance rules.

It is foreseeable that in similar security incidents in the future, the rhythm of technical disclosures, transparency of losses, and communication efficiency with self-discipline organizations will directly determine a token's “speed of survival and death” in the Korean market. Too slow or ambiguous disclosure may be interpreted as intentional concealment, triggering stricter controls; too hasty disclosure without empirical support may struggle to gain the trust of DAXA and the platform’s risk control team, making it difficult to quickly exit the warning state.

For project parties, an attack brings not only immediate losses on the books but may also leave a long-term shadow on compliance profiles and listing strategies. Being included on the DAXA warning list means that its risk label within Korean institutions and trading platforms is being rewritten; any future listings, resumption of trading, or new product designs will be scrutinized repeatedly. In this environment, safety and compliance are no longer parallel lines, but are tightly bound together, forming the same lifeline for the project to survive in the mainstream market.

Join our community to discuss together and become stronger!
Official Telegram group: https://t.me/aicoincn
AiCoin Chinese Twitter: https://x.com/AiCoinzh

OKX welfare group: https://aicoin.com/link/chat?cid=l61eM4owQ
Binance welfare group: https://aicoin.com/link/chat?cid=ynr7d1P6Z

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。